IAM Identity Center
IAM Identity Center (formerly AWS SSO) gives you centralised user management, single sign-on (SSO: one login for multiple apps or services, so you sign in once to access AWS or Git), and short-lived credentials — instead of long-lived access keys tied to an IAM user. It provides identity and access for AWS and applications over SSO and OIDC, and is used here for both human and GitOps (e.g. ArgoCD) access.
Why use it:
- Avoids long-lived IAM user access keys and passwords.
- Built-in MFA and optional federated login.
- Free for internal users; scalable and audit-friendly.
- Required for the Platform batch: ArgoCD uses OIDC (OpenID Connect, the same federation protocol EKS uses to link IAM roles to Kubernetes service accounts via IRSA) + IAM Identity Center to get temporary credentials when syncing from Git (no static keys stored anywhere).
You need one-time root (or admin) access to enable IAM Identity Center; MFA on the root user is recommended (see AWS Account).
1. Enable IAM Identity Center. (Recommended / Required for ArgoCD)
In the AWS Console, search for IAM Identity Center (or find it under Security, Identity & Compliance).
- Click Enable
- On the identity source prompt, keep the default: Identity Center directory (unless you already have an external IdP such as Okta or Azure AD — in that case connect it here)
- Choose the same region you selected in the AWS Account step. IAM Identity Center is a regional service; the region you enable it in is where the service runs
2. Create a user in the Identity Center directory.
In IAM Identity Center:
- Left nav: Users → Add user
- Enter a username and email address (e.g. the name Admin and your email)
- Fill in first name, last name
- Leave Send an email to the user with password setup instructions checked — you’ll receive an activation email
- Click Add user
Check your email and complete the account activation (set a password and configure MFA for the Identity Center user too).
3. Create a group (optional but recommended).
Groups let you assign permission sets to multiple users at once — useful if you add collaborators later.
- Left nav: Groups → Create group
- Name it (e.g. Admins or EKS-Walkthrough)
- Add your user to the group
4. Create a permission set.
A permission set defines what the user (or group) can do in an account.
- Left nav: Permission sets → Create permission set
- Choose Predefined permission set → AdministratorAccess (for the walkthrough; scope it down for production use)
- Accept defaults for session duration (1 hour is fine; extend to 8 hours if your Terraform runs take longer)
- Name it (e.g. AdministratorAccess) and create it
5. Assign the user (or group) to the AWS account.
- Left nav: AWS accounts → select your account from the list
- Click Assign users or groups
- Choose your user (or group) → Next
- Choose the permission set you just created → Next → Submit
Wait a moment for the assignment to apply.
6. Verify console access (optional but recommended).
In IAM Identity Center → Settings, copy the Access portal URL (e.g. https://d-xxxxxxxxxx.awsapps.com/start). Open it in a browser, sign in with the Identity Center user you created, and click Management Console for your account to confirm access.
7. Configure the AWS CLI to use IAM Identity Center. (Required if using SSO)
Requires AWS CLI v2 (see AWS CLI to install). After the CLI is installed, run:
aws configure sso
You’ll be asked for:
- SSO session name — any name (e.g. my-sso)
- SSO start URL — find this in IAM Identity Center → Settings → Identity Center instance ARN / Access portal URL (looks like https://d-xxxxxxxxxx.awsapps.com/start)
- SSO region — the region where you enabled IAM Identity Center (e.g. ap-southeast-6)
- SSO registration scopes — press Enter to accept the default (sso:account:access)
- A browser opens for you to sign in and approve access
- Back in the terminal: choose the account and permission set, then set a profile name (e.g. eks-walkthrough)
- Default client Region — use the same region as your SSO region (e.g. ap-southeast-6)
- Default output format: json
8. Log in and verify.
aws sso login --profile eks-walkthrough
aws sts get-caller-identity --profile eks-walkthrough
The output should show your account ID and a role ARN from IAM Identity Center (not an IAM user ARN).
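The two checks a practitioner wants after the CLI steps above are: does the profile really get its credentials through an sso-session (with no static access key lurking in the same profile), and is the identity that `aws sts get-caller-identity` returns an Identity Center role session rather than an IAM user. The script below is an added example, not part of the walkthrough. The config text, profile and session names, account ID (123456789012) and the role hash in the sample ARN are constructed placeholders; the `AWSReservedSSO_<permission set>_<hash>` role naming is what Identity Center provisions in the account.

```shell
# Added example (not from the walkthrough): sanity-check a profile written by
# `aws configure sso`, and check that the caller identity is an Identity Center
# role session, not an IAM user. Names, account ID and hash are assumed values.

# Constructed sample of what `aws configure sso` writes to ~/.aws/config for
# the answers given in the walkthrough (account ID is a placeholder).
SAMPLE_CONFIG='[sso-session my-sso]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = ap-southeast-6
sso_registration_scopes = sso:account:access

[profile eks-walkthrough]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = ap-southeast-6
output = json
'

# Print the body of one [profile NAME] section from config text on stdin.
profile_section() {
    awk -v want="[profile $1]" '
        /^\[/ { inside = ($0 == want); next }
        inside && NF { print }
    '
}

# Return 0 if the profile gets credentials through an sso-session and carries
# no static access key; return 1 otherwise. $1 = profile name, $2 = config text.
profile_uses_sso() {
    section=$(printf '%s' "$2" | profile_section "$1")
    [ -n "$section" ] || return 1
    printf '%s\n' "$section" | grep -q '^sso_session *=' || return 1
    printf '%s\n' "$section" | grep -q '^aws_access_key_id *=' && return 1
    return 0
}

# Return 0 if an STS caller ARN is an Identity Center role session.
# Identity Center provisions roles named AWSReservedSSO_<permission set>_<hash>,
# so a valid caller ARN looks like (constructed sample):
#   arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_0123456789abcdef/admin
# An IAM user would instead show arn:aws:iam::<account>:user/<name>.
is_sso_identity() {
    case "$1" in
        arn:aws:sts::*:assumed-role/AWSReservedSSO_*/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the permission set name from an Identity Center caller ARN.
sso_permission_set() {
    printf '%s\n' "$1" | sed -n 's|.*assumed-role/AWSReservedSSO_\(.*\)_[0-9a-f]*/.*|\1|p'
}

# Live check against the real CLI (run `aws sso login --profile <name>` first).
check_profile() {
    profile=$1
    profile_uses_sso "$profile" "$(cat "${AWS_CONFIG_FILE:-$HOME/.aws/config}")" \
        || { echo "profile $profile is not SSO-backed or has static keys"; return 1; }
    arn=$(aws sts get-caller-identity --profile "$profile" --query Arn --output text) || return 1
    is_sso_identity "$arn" || { echo "unexpected identity: $arn"; return 1; }
    echo "OK: $arn (permission set: $(sso_permission_set "$arn"))"
}
```

Run `check_profile eks-walkthrough` after logging in; a failure on the first check usually means an older profile with `aws_access_key_id` was reused under the same name, which defeats the point of moving to short-lived credentials.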
Optional: harden the setup
- MFA in IAM Identity Center — In IAM Identity Center → Settings → Multi-factor authentication, require MFA for all users.
- CloudTrail — In CloudTrail, create a trail for management events (free tier applies).
- Root access keys — If any root access keys exist, remove them in IAM. Use the root account only for rare account-level tasks.
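Two of the hardening items above (root access keys and MFA on the root user) can be checked from the CLI instead of by clicking through IAM: `aws iam get-account-summary` returns a SummaryMap whose `AccountAccessKeysPresent` and `AccountMFAEnabled` fields describe the root user. The script below is an added example, not part of the walkthrough; the JSON is a constructed sample of that output, and the profile name is assumed.

```shell
# Added example (not from the walkthrough): read `aws iam get-account-summary`
# output and flag root access keys or missing root MFA. The JSON is a
# constructed sample; the field names are the real SummaryMap keys.
SAMPLE_SUMMARY='{
    "SummaryMap": {
        "AccountAccessKeysPresent": 1,
        "AccountMFAEnabled": 0,
        "Users": 3,
        "MFADevices": 1
    }
}'

# Pull one integer value out of the SummaryMap without needing jq.
# $1 = key name, $2 = JSON text. Prints nothing if the key is absent.
summary_value() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Return 0 when the root user has no access keys and has MFA enabled;
# print each finding and return 1 otherwise. $1 = JSON text.
root_account_hardened() {
    keys=$(summary_value AccountAccessKeysPresent "$1")
    mfa=$(summary_value AccountMFAEnabled "$1")
    ok=0
    if [ "${keys:-0}" -ne 0 ]; then
        echo "FINDING: root access keys exist; delete them in IAM"
        ok=1
    fi
    if [ "${mfa:-0}" -ne 1 ]; then
        echo "FINDING: root user has no MFA device"
        ok=1
    fi
    return $ok
}

# Live use with the Identity Center profile from the walkthrough (assumed name).
check_live() {
    root_account_hardened "$(aws iam get-account-summary --profile "${1:-eks-walkthrough}" --output json)"
}
```

`check_live` needs a permission set that allows `iam:GetAccountSummary`; the AdministratorAccess set used in the walkthrough does. A non-zero exit is a prompt to go back to the IAM console for the root user, not something the script should try to fix itself.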
Next step
Continue to AWS CLI to install the CLI and confirm your credentials work.