Amazon Web Service - Replace IAM Users with AWS SSO

27,459 views

cloudonaut

A day ago

The most secure way to isolate workloads from each other is to use multiple AWS accounts. Many organizations use separate AWS accounts for testing and production, for example. The more AWS accounts you use, the harder it gets to manage users and grant them access.
Formerly, using IAM roles for cross-account access was a popular pattern. How did that work in practice? Often, everything started with an AWS account that contained nothing but the IAM users and groups that allowed engineers to authenticate. In addition, account administrators added IAM roles for cross-account access to every AWS account.
In this video, we show you an alternative approach: AWS Single Sign-On (AWS SSO).
Interested in more? Check out this blog post: cloudonaut.io/aws-sso-instead...
Chapters:
00:00 - Intro
01:04 - Why you need multiple AWS Accounts
02:04 - Explaining AWS Single Sign-On (SSO)
03:23 - AWS Single Sign-On (SSO) Costs
03:42 - Using IAM Users in AWS
05:20 - Why you should consider AWS Single Sign-On (SSO)
06:10 - Demo: How AWS SSO works
16:36 - Wrap Up
17:31 - Outro
Support us:
Have you learned something new by reading, listening, or watching our content? If so, we kindly ask you to support us in producing high-quality & independent AWS content. We look forward to sharing our AWS knowledge with you. cloudonaut.io/support-us/
#aws #amazonwebservice #cloudcomputing #cloudonaut #iamusers #iam #sso #singlesignon

Comments: 62
@samb2543 2 years ago
This is the best explanation I've seen of SSO
@thyponzoni 2 years ago
+1
@pabloin 2 years ago
great explanation! Thanks!
@SethArt 2 years ago
Thanks for sharing! Really helpful.
@sreaswar a year ago
That was so clear and well explained. Thanks for sharing
@cloudonaut a year ago
Thanks a lot for your motivating feedback!
@mohammadjavadraadi2825 2 years ago
Thank you for sharing. Really appreciate it.
@cloudonaut 2 years ago
Glad you enjoyed it!
@sellerym 2 years ago
Excellent video, thank you!
@cloudonaut 2 years ago
Thanks a lot for your feedback!
@suhasvengilat1026 2 years ago
Really superb - Thank you
@cloudonaut 2 years ago
Our pleasure!
@akimyucel3900 2 years ago
Good content, thank you
@jumaal-maskari6010 a year ago
Great work, thanks
@cloudonaut a year ago
Thank you!
@iaroslavdavydiak6439 2 years ago
Awesome explanation. Thanks!
@cloudonaut 2 years ago
Great! Are you using AWS SSO already?
@pippopeppe83 2 years ago
Great explanation
@cloudonaut 2 years ago
Glad you liked it
@johanneskoller7089 a year ago
Very great and useful video
@cloudonaut a year ago
Thank you!
@edipocdf a year ago
Thanks a lot, very good video
@RowanSheridan 2 years ago
How do you guys not have more subscribers!?
@cloudonaut 2 years ago
We are working on it :)
@Unerty 2 years ago
This gives me "My name is Giovanni Giorgio, but everybody calls me Giorgio" vibes. By the way, thanks for the great video!
@robertabanks 4 months ago
so we put a click on the 24-track
@Anshie007 10 months ago
Absolutely great video! One question: if we don't have AWS Organizations set up, can we still work with this setup for the same account? Also, as a recommendation, it would have been the cherry on top if you could add on-prem AD as identity provider, as that's the most common use case. Thanks again!
@cloudonaut 10 months ago
Your AWS account must be managed by AWS Organizations. If you haven't set up an organization, you don't have to. When you enable IAM Identity Center, you will choose whether to have AWS create an organization for you.
@sudsrmsee a year ago
Thanks for the clarity. Still, I have one doubt: if an OU already has an SCP, is it possible to integrate SSO with the OU with new permission sets?
@cloudonaut a year ago
You are mixing two distinct topics: SSO permission policies are used to generate IAM roles/policies, and SCPs are in effect above that.
@ravitejateja2071 a month ago
Thank you for the great video. Any idea if it is possible to automate the process to auto-refresh the temporary credentials? If we want to try out SSM with SSO, and we do aws configure sso and set up a profile, every time it asks for approval from the browser. Any way we can automate this to avoid browser approvals?
@cloudonaut a month ago
Thanks for the feedback. I'm not aware of a way to automate refreshing the credentials.
@thestart709 2 months ago
What about if we want to run terraform apply (CI) on a specific AWS account? Would you create an SSO user, e.g. deployer, from which you would run aws sso get-role-credentials to get temporary credentials and apply terraform?
@cloudonaut 2 months ago
Depends on your CI solution. If you use GitHub, you can use docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
@loumarich3562 2 years ago
What if you're not getting connected to the AWS console after you select your account to log in? What to troubleshoot?
@cloudonaut 2 years ago
I recommend opening your browser's developer tools and checking the error codes and messages of the outgoing HTTPS requests.
@thestart709 2 months ago
The Organisation is created from the AWS root account, so I guess SSO should be activated from the AWS root account where the Organisation exists?
@cloudonaut 2 months ago
Yes, the root account or a delegated admin account, see docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html
@TechLeadEngineer 10 months ago
Great video tutorial, thank you. Quick question: how do I use an SSO user to log in with long-term credentials? I have an API that needs to log in to AWS to view data of a KDS. This is an automated process, so I need to use a proxy account coming from the identity source (Azure AD in our case); however, all the AWS docs I found only use IAM with short-term credentials. Any idea? Thanks in advance.
@cloudonaut 10 months ago
Not possible.
@MACODJ 2 years ago
I can't register a new account to access the AWS service! Where is the bug? Please help, I can't use AWS Amazon.
@cloudonaut 2 years ago
Sorry, we cannot help with that. Please contact AWS support.
@taraskostyuk7076 2 years ago
SSO is not supported in all AWS regions. So SSO cannot be used if using an unsupported region is required?
@cloudonaut 2 years ago
You can still use all AWS regions. But SSO can only be deployed into some of them. See docs.aws.amazon.com/singlesignon/latest/userguide/regions.html
@MACODJ 2 years ago
@cloudonaut and Italy??
@thyponzoni 2 years ago
So, is AWS SSO not advised for larger businesses? We use IAM with an identity account with users and groups and need to assume roles in other accounts. The process isn't very smooth IMO. We have over 400 engineers. Thanks for the great content!
@cloudonaut 2 years ago
You can use SSO in larger orgs as well these days. Likely in combination with (Azure) AD.
@modesoliman 2 years ago
@cloudonaut Should we create the IAM roles for all engineers again manually? Or is there a way I can migrate the current roles from IAM users and group roles to SSO?
@cloudonaut 2 years ago
@modesoliman Not sure what you mean by creating roles manually. The roles are fully managed via SSO (see permission sets: docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html).
@modesoliman 2 years ago
@cloudonaut I mean if users have custom roles, not the predefined ones, should I recreate them manually or is there a way I can migrate them from IAM to the SSO console?
@cloudonaut 2 years ago
@modesoliman It is possible to copy the IAM policies from your IAM roles to AWS SSO.
@rajeshom5129 2 years ago
I want to use those access key and secret key in a Python script to connect with Boto3. Can you please help with how I can write such Python code to work with AWS services with SSO?
@cloudonaut 2 years ago
Copy & paste the environment variables from AWS SSO or check out stackoverflow.com/questions/62311866/how-to-use-the-aws-python-sdk-while-connecting-via-sso-credentials.
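An added example (not code from the video or from cloudonaut) for the boto3 question above: it checks the profile-level keys an SSO profile in ~/.aws/config needs, verifies that credentials exported as environment variables are temporary SSO credentials (an ASIA access key id with a session token) rather than a long-lived IAM user key, and builds the boto3 session from the profile. The profile names, start URL and account id are constructed placeholders.

```python
import configparser

# Constructed example, not code from the cloudonaut video. These profile-level
# keys let `aws sso login --profile NAME` and boto3.Session(profile_name=NAME) work.
SSO_PROFILE_KEYS = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")

def classify_env_credentials(env):
    """Classify AWS_* environment credentials. SSO issues temporary ones: an
    access key id starting with 'ASIA' plus AWS_SESSION_TOKEN. An 'AKIA' key
    id with no token is a long-lived IAM user key, the kind to retire."""
    key_id = env.get("AWS_ACCESS_KEY_ID", "")
    token = env.get("AWS_SESSION_TOKEN", "")
    if not key_id:
        return "none"
    if key_id.startswith("ASIA") and token:
        return "temporary"
    if key_id.startswith("AKIA") and not token:
        return "long-lived"
    return "unknown"

def sso_profiles(config_text):
    """Map each SSO profile in an ~/.aws/config body to its missing keys."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    result = {}
    for section in parser.sections():
        # Non-default profiles are stored as "[profile NAME]" in ~/.aws/config.
        name = section[len("profile "):] if section.startswith("profile ") else section
        keys = set(parser[section])
        if any(k.startswith("sso_") for k in keys):
            result[name] = [k for k in SSO_PROFILE_KEYS if k not in keys]
    return result

def make_session(profile_name):
    """boto3 reads the token cached by `aws sso login` for this profile and
    exchanges it for temporary role credentials; no static key is stored."""
    import boto3  # imported here so the offline checks above run without boto3
    return boto3.Session(profile_name=profile_name)

# Constructed sample config; the start URL and account id are placeholders.
SAMPLE_CONFIG = """
[profile dev-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 111111111111
sso_role_name = DeveloperAccess
[profile broken-sso]
sso_start_url = https://example.awsapps.com/start
"""
```

Run `aws sso login --profile dev-sso` first; `make_session("dev-sso").client("sts").get_caller_identity()` then shows the assumed SSO role rather than an IAM user.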
@wisunhi77 2 years ago
Can you migrate the current IAM users to AWS SSO?
@cloudonaut 2 years ago
We are not aware of a way to migrate IAM users to SSO, unfortunately.
@wisunhi77 2 years ago
@cloudonaut Got it, thanks!
@supersoniq4102 a year ago
Rename this video to "SSO MasterClass"
@cloudonaut a year ago
Thanks a lot for your feedback! :D