Using AWS SSO for External Accounts

AWS

At $dayjob, for reasons™, we have an account that sits outside of our AWS Organization, and managing user access to it has been a chore since we can't natively manage it with AWS SSO (AWS IAM Identity Center). Instead, engineers who need access are given IAM Users with the appropriate permissions. This means we now manage users in two different places.

I have been looking for a way to fix this particular problem. My initial thought was adopting the account into our org, but that is too dangerous for reasons™. Another thought was standing up AWS SSO inside the external account itself; some things would be better, but we would still have the problem of multiple user management interfaces.

Partial Solution

AWS has a document on federating into an external account through an SSO application that sounds great, until it isn't.

The interface in the AWS SSO start page is great: it adds a button at the top that, when clicked, drops you into the target account with the provisioned permissions.

However, the catch is that it doesn't give you an easy way to generate API/CLI credentials, and for engineers this is a pretty big missing feature. Digging around in the docs, I assume that if you used the AssumeRoleWithSAML call you could generate some credentials, but I would rebel if that were forced on me, so that's no good.

While the lack of API/CLI credentials is bad, the rest of the interface is actually pretty good, and most engineers would see it as an improvement apart from that one gap.

CLI & API Access

I had originally thought about using assumed roles but had eliminated them, figuring the console access would be a step backwards.

However, now that I had a good access pattern for the console, maybe they would work for the CLI.

I created a PermissionSet and Group assigned to one of my SSO-managed accounts, with the PermissionSet granting only sts:AssumeRole on a role in the external account (that role's trust policy in turn has to allow the SSO-provisioned role to assume it). Once the PermissionSet and Role were provisioned I was able to configure the AWS CLI with the following config, where the `external` profile chains an assume-role on top of the SSO profile.

[profile my-profile]
sso_start_url = https://mycompany.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = DeveloperRole
region = us-east-1

[profile external]
role_arn = arn:aws:iam::123456789013:role/external-role
source_profile = my-profile

Final Solution

With granted or similar tools you wouldn't need the SAML role at all. However, I included it to give engineers whichever option they are most comfortable with.

My final solution was to use both patterns for each set of permissions needed in the external account, allowing engineers who prefer the start page to log in from there, and those needing CLI/API access to have credentials as well.

I was able to use Terraform for most of it, except for the SAML pieces: there wasn't an API for SSO Applications, and it didn't make sense to manage the other half of that connection in Terraform if I couldn't do it all.
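As an added example (not the post's own Terraform), the following wires up the assume-role half of the setup described under "CLI & API Access": a permission set whose only right is sts:AssumeRole on the external role, its assignment to an Identity Center group in the SSO-managed account, and the matching trust policy on the role in the external account. The account IDs, role name and permission set name are taken from the CLI config above; the group name "external-account-engineers", the session duration and the provider setup are assumptions. The SAML application is left out, as in the post.

```hcl
# Added example, not the post's own code. Assumed: the Identity Center group
# "external-account-engineers", a 4 hour session, and two providers (the
# Identity Center account and the account outside the Organization).

provider "aws" {
  region = "us-east-1" # account that hosts IAM Identity Center
}

provider "aws" {
  alias  = "external"
  region = "us-east-1" # the account outside the Organization
}

locals {
  sso_account_id      = "123456789012" # from the CLI config above
  external_account_id = "123456789013"
  external_role_name  = "external-role"
  permission_set_name = "DeveloperRole" # must match sso_role_name
}

data "aws_ssoadmin_instances" "this" {}

data "aws_identitystore_group" "engineers" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "external-account-engineers" # assumed group name
    }
  }
}

# Permission set whose only grant is assuming the one external role.
resource "aws_ssoadmin_permission_set" "external_assume" {
  name             = local.permission_set_name
  instance_arn     = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  session_duration = "PT4H"
}

resource "aws_ssoadmin_permission_set_inline_policy" "external_assume" {
  instance_arn       = aws_ssoadmin_permission_set.external_assume.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.external_assume.arn
  inline_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = "arn:aws:iam::${local.external_account_id}:role/${local.external_role_name}"
    }]
  })
}

# Assigning the group provisions the AWSReservedSSO_DeveloperRole_* role
# into the SSO-managed account, which is what the CLI's sso_role_name uses.
resource "aws_ssoadmin_account_assignment" "engineers" {
  instance_arn       = aws_ssoadmin_permission_set.external_assume.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.external_assume.arn
  principal_id       = data.aws_identitystore_group.engineers.group_id
  principal_type     = "GROUP"
  target_id          = local.sso_account_id
  target_type        = "AWS_ACCOUNT"
}

# The role in the external account. Identity Center names the role it
# provisions AWSReservedSSO_<permission set>_<random suffix>, so the trust
# policy pins the caller with an ArnLike condition rather than a fixed ARN.
resource "aws_iam_role" "external" {
  provider = aws.external
  name     = local.external_role_name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::${local.sso_account_id}:root" }
      Condition = {
        ArnLike = {
          "aws:PrincipalArn" = "arn:aws:iam::${local.sso_account_id}:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_${local.permission_set_name}_*"
        }
      }
    }]
  })
}
```

The trust policy trusts the SSO-managed account's root principal only in combination with the aws:PrincipalArn condition, so IAM Users or other roles in that account cannot assume the external role; only sessions that came through the DeveloperRole permission set can. The permissions the external role actually carries are attached separately and are whatever that set of engineers needs.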

Tags: AWS SSO, AWS IAM Identity Center, Access Management, SAML, AWS IAM