# Why Use AWS IAM Identity Center?
While researching how to integrate AWS with VS Code, I discovered that AWS IAM Identity Center was the recommended service. This got me thinking about why this service is so valuable.
I had already set up environment separation using AWS Organizations:
```
Root
├── Infrastructure
│   ├── Development (dev@)
│   └── Demo (demo@)
├── Production
│   └── Production (prod@)
└── Security
    └── Admin (admin@)
```
However, I was manually creating IAM users in each environment, making password management increasingly difficult. (I should have researched this sooner!)
While AWS Organizations allows you to group AWS accounts under the same organization, IAM users and roles created in each account aren't connected across the organization. This means AWS Organizations alone cannot provide centralized access management. To switch environments, I had to sign out and log back into different accounts.
This is where AWS IAM Identity Center becomes incredibly useful.
It allows you to create IAM Identity Center users that can assume IAM roles across all environments. Each permission set you assign is provisioned as an IAM role in the target account, so from a single user account you can create, assign, and switch between roles in different environments.
This enables centralized access management at the organizational level. You only need to manage one password for the IAM Identity Center user.
(Seriously, I wish I had discovered this earlier!)
## Setup Summary

### IAM Users vs IAM Identity Center Users
| Feature | IAM Users | IAM Identity Center Users |
|---|---|---|
| Management | Individual per AWS account | Centralized in the management account |
| Authentication | Separate login per account | Single Sign-On (SSO) |
| Password Management | Multiple passwords | Single password for all accounts |
| Access Method | Direct login to each account | Role switching via the AWS Access Portal |
| Permission Management | Individual setup per account | Centralized via permission sets |
### Before / After Comparison

#### Before (Manual Setup)
Independent Account Structure with IAM Users:
```
├── aws-admin@ (Management):  admin-saito
├── aws-dev@   (Development): dev-admin
├── aws-demo@  (Demo):        demo-admin
└── aws-prod@  (Production):  prod-admin
```
Challenges:
- Managing 4 different passwords
- Re-authentication for each environment switch
- Individual permission changes in each account
#### After (IAM Identity Center)
Centralized Management:
```
Management Account (aws-admin@)
├── IAM Identity Center User: admin
├── Group: MyGroup-Administrators
├── Permission Set: AdministratorAccess
└── Access Settings:
    ├── aws-dev@  / AdministratorAccess
    ├── aws-demo@ / AdministratorAccess
    ├── aws-prod@ / AdministratorAccess
    └── aws-admin@ / AdministratorAccess
```
Improvements:
- Single password for all environments
- Seamless environment switching via AWS Access Portal
- Centralized permission management
The difference is remarkable – from managing multiple passwords and constant re-authentication to a single, streamlined access experience across all AWS environments.
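As an added example (not part of the original post), this is what the same single-sign-on setup looks like from the AWS CLI and VS Code side. One `sso-session` block in `~/.aws/config` holds the Identity Center login, and one profile per member account points at the permission set assigned to your user or group. The start URL, the region, and the twelve-digit account IDs are placeholders I constructed; the profile names follow the account names used above.

```ini
# ~/.aws/config (added example; all values below are placeholders)
# One sso-session = one Identity Center login. Replace the start URL and region
# with the values shown on your own AWS access portal.
[sso-session my-org]
sso_start_url = https://PLACEHOLDER.awsapps.com/start
sso_region = ap-northeast-1
sso_registration_scopes = sso:account:access

# One profile per member account. sso_role_name is the name of the permission
# set assigned to you for that account (constructed account IDs).
[profile dev]
sso_session = my-org
sso_account_id = 111111111111
sso_role_name = AdministratorAccess
region = ap-northeast-1

[profile demo]
sso_session = my-org
sso_account_id = 222222222222
sso_role_name = AdministratorAccess
region = ap-northeast-1

[profile prod]
sso_session = my-org
sso_account_id = 333333333333
sso_role_name = AdministratorAccess
region = ap-northeast-1
```

Run `aws sso login --sso-session my-org` once; it opens the browser to the access portal (with MFA, if you enforce it on the Identity Center user) and caches a short-lived token. After that, `aws sts get-caller-identity --profile prod`, or selecting the `prod` profile in the AWS Toolkit for VS Code, obtains temporary credentials for that account's role with no further sign-in, which is the "seamless environment switching" described above. Because `sso_role_name` is just the permission set name, replacing `AdministratorAccess` with a narrower permission set (for example a read-only one for production) is a one-line change per profile, and that is where the centralized permission management pays off.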
Tomorrow, I'll try AWS CDK.