IAM Identity Center
IAM Identity Center (formerly AWS SSO) is the AWS service for centralised workforce access: it gives you centralised user management, single sign-on into the AWS console and CLI, and short-lived credentials instead of long-lived access keys tied to an IAM user.
Why use it:
- Avoids long-lived IAM user access keys and passwords.
- Built-in MFA and optional federated login.
- Free for internal users; scalable and audit-friendly.
- Fits teams and workflows that already standardise on OIDC (OpenID Connect, an identity layer on OAuth 2.0) and IAM Identity Center for temporary AWS credentials without long-lived keys.
You need one-time root (or admin) access to enable IAM Identity Center; MFA on the root user is recommended (see AWS Account).
- Enable IAM Identity Center (optional).
  In the AWS Console, search for IAM Identity Center (or find it under Security, Identity and Compliance).
  - Click Enable
  - On the identity source prompt, keep the default, Identity Center directory (unless you already have an external IdP such as Okta or Azure AD; connect it here if so)
  - Choose the same region you selected in the AWS Account step. IAM Identity Center is a regional service; the region you enable it in is where the service runs.
- Create a user in the Identity Center directory.
  In IAM Identity Center:
  - Left nav: Users, then Add user
  - Enter a username and email address (for example `Admin` and your own email address)
  - Fill in first name and last name
  - Leave "Send an email to the user with password setup instructions" checked; you will receive an activation email
  - Click Add user
  Check your email and complete the account activation (set a password and configure MFA for the Identity Center user too).
- Create a group (optional but recommended).
  Groups let you assign permission sets to multiple users at once.
  - Left nav: Groups, then Create group
  - Name it (for example `Admins` or `LMI-Walkthrough`)
  - Add your user to the group
- Create a permission set.
  A permission set defines what the user (or group) can do in an account.
  - Left nav: Permission sets, then Create permission set
  - Choose Predefined permission set, then AdministratorAccess (for the walkthrough; scope it down for production use)
  - Accept the default session duration (1 hour is fine; extend to 8 hours if your Terraform runs take longer)
  - Name it (for example `AdministratorAccess`) and create it
- Assign the user (or group) to the AWS account.
  - Left nav: AWS accounts, then select your account from the list
  - Click Assign users or groups
  - Choose your user (or group), then Next
  - Choose the permission set you just created, then Next, then Submit
  Wait a moment for the assignment to apply.
- Verify console access (optional but recommended).
  In IAM Identity Center, then Settings, copy the Access portal URL (for example `https://d-xxxxxxxxxx.awsapps.com/start`). Open it in a browser, sign in with the Identity Center user you created, and click Management Console for your account to confirm access.
- Configure the AWS CLI to use IAM Identity Center (required if using SSO).
  Requires AWS CLI v2 (see AWS CLI to install). After the CLI is installed, run:

  ```bash
  aws configure sso
  ```

  You will be asked for:
  - SSO session name: any name (for example `my-sso`)
  - SSO start URL: find this in IAM Identity Center, then Settings (looks like `https://d-xxxxxxxxxx.awsapps.com/start`)
  - SSO region: the region where you enabled IAM Identity Center (for example `ap-southeast-2`)
  - SSO registration scopes: press Enter to accept the default (`sso:account:access`)
  - A browser opens for you to sign in and approve access
  - Back in the terminal: choose the account and permission set, then set a profile name (for example `lmi-walkthrough`)
  - Default client Region: use the same region as your SSO region (for example `ap-southeast-2`)
  - Default output format: `json`
- Log in and verify.

  ```bash
  aws sso login --profile lmi-walkthrough
  aws sts get-caller-identity --profile lmi-walkthrough
  ```

  The output should show your account ID and a role ARN from IAM Identity Center (not an IAM user ARN).
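To make the "role ARN, not IAM user ARN" check mechanical, here is an added shell example; it is not part of the original walkthrough and not AWS tooling. It writes the `sso-session` and `profile` pair that the interactive `aws configure sso` prompts produce into a config file path you choose, and it checks a `get-caller-identity` result for the `AWSReservedSSO_` role-name prefix that IAM Identity Center gives every permission-set role. The start URL `d-xxxxxxxxxx`, the account ID `123456789012` and the two JSON documents are constructed placeholders; `my-sso` and `lmi-walkthrough` are the names used in the steps above.

```bash
#!/usr/bin/env bash
# Added example (not from the original walkthrough): reproduce the profile that
# `aws configure sso` writes, and confirm a caller identity really comes from an
# IAM Identity Center role rather than from an IAM user's long-lived keys.
# Placeholders: the d-xxxxxxxxxx start URL and the 123456789012 account ID.

# Write the sso-session + profile pair that the `aws configure sso` prompts
# produce, into the config file given as $1 (use a scratch path to try it out).
write_sso_profile() {
  local config_path="$1"
  cat >"$config_path" <<'EOF'
[sso-session my-sso]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = ap-southeast-2
sso_registration_scopes = sso:account:access

[profile lmi-walkthrough]
sso_session = my-sso
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = ap-southeast-2
output = json
EOF
}

# Pull the Arn field out of `aws sts get-caller-identity` JSON without jq.
caller_arn() {
  printf '%s' "$1" | sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 when the ARN is an assumed-role ARN for an Identity Center permission
# set role (always named AWSReservedSSO_<PermissionSet>_<suffix>); return 1 for
# an IAM user ARN or anything else.
is_identity_center_arn() {
  case "$1" in
    arn:aws:sts::*:assumed-role/AWSReservedSSO_*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Extract the permission set name from an Identity Center role ARN.
permission_set_from_arn() {
  local role
  role="${1#*assumed-role/AWSReservedSSO_}"   # drop everything up to the prefix
  role="${role%%/*}"                           # keep only the role name
  printf '%s\n' "${role%_*}"                   # strip the trailing _<suffix>
}

# Constructed samples of what the two kinds of credential look like.
SSO_IDENTITY_JSON='{
    "UserId": "AROAEXAMPLEID:you@example.com",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_0123456789abcdef/you@example.com"
}'
IAM_USER_IDENTITY_JSON='{
    "UserId": "AIDAEXAMPLEID",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/legacy-admin"
}'

# Check one get-caller-identity JSON document; prints a verdict, returns 0/1.
verify_identity() {
  local arn
  arn="$(caller_arn "$1")"
  if is_identity_center_arn "$arn"; then
    echo "OK: Identity Center role, permission set $(permission_set_from_arn "$arn")"
    return 0
  fi
  echo "WARNING: not an Identity Center role: $arn"
  return 1
}

if [ "${1:-}" = "--live" ]; then
  # Against the real profile configured in the steps above.
  verify_identity "$(aws sts get-caller-identity --profile lmi-walkthrough --output json)"
else
  verify_identity "$SSO_IDENTITY_JSON"
  verify_identity "$IAM_USER_IDENTITY_JSON" || true
fi
```

Run it with no arguments to exercise the constructed samples, or with `--live` to check the `lmi-walkthrough` profile after `aws sso login`. A plain IAM user ARN (`arn:aws:iam::…:user/…`) is the sign that the CLI picked up long-lived keys from `~/.aws/credentials` or environment variables instead of the SSO profile.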
Optional: harden the setup
- MFA in IAM Identity Center: in IAM Identity Center, then Settings, then Multi-factor authentication, require MFA for all users.
- CloudTrail: in CloudTrail, create a trail for management events (free tier applies).
- Root access keys: if any root access keys exist, remove them in IAM. Use the root account only for rare account-level tasks.
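The root-user items in this list can be audited from the CLI instead of by eye. The following is an added shell example, not from the walkthrough: it reads the `AccountAccessKeysPresent` and `AccountMFAEnabled` counters that `aws iam get-account-summary` returns in its SummaryMap (both are real fields of that call) and reports a finding for each one that is off. The two JSON documents are constructed samples of that call's output, and `lmi-walkthrough` is the profile name from the steps above.

```bash
#!/usr/bin/env bash
# Added example (not from the original walkthrough): check root-account hygiene
# from the output of `aws iam get-account-summary`. AccountAccessKeysPresent is 1
# when the root user has an access key; AccountMFAEnabled is 1 when root has MFA.

# Read one integer value out of the SummaryMap by key name ($1) from JSON ($2).
summary_value() {
  printf '%s' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\([0-9]*\).*/\1/p" | head -n 1
}

# Return 0 when the root user has no access keys and has MFA enabled, 1 otherwise,
# printing one FINDING line per problem.
check_root_hygiene() {
  local json="$1" keys mfa status=0
  keys="$(summary_value AccountAccessKeysPresent "$json")"
  mfa="$(summary_value AccountMFAEnabled "$json")"
  if [ "${keys:-0}" != "0" ]; then
    echo "FINDING: root access keys present; remove them in IAM"
    status=1
  fi
  if [ "${mfa:-0}" != "1" ]; then
    echo "FINDING: root MFA not enabled"
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo "OK: no root access keys, root MFA enabled"
  fi
  return "$status"
}

# Constructed samples: a fresh account with a root key and no MFA, then a hardened one.
UNHARDENED_SUMMARY='{"SummaryMap": {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 0, "Users": 0}}'
HARDENED_SUMMARY='{"SummaryMap": {"AccountAccessKeysPresent": 0, "AccountMFAEnabled": 1, "Users": 0}}'

if [ "${1:-}" = "--live" ]; then
  # Needs iam:GetAccountSummary, which the AdministratorAccess permission set grants.
  check_root_hygiene "$(aws iam get-account-summary --profile lmi-walkthrough --output json)"
else
  check_root_hygiene "$UNHARDENED_SUMMARY" || true
  check_root_hygiene "$HARDENED_SUMMARY"
fi
```

Without arguments it runs against the constructed samples; `--live` queries the account through the SSO profile. Because the check only reads the account summary, it is safe to put in a scheduled job and alert on the FINDING lines.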
Next step
Continue to AWS CLI to install the CLI and confirm your credentials work.