We manage environments for different customers.
On Microsoft Azure is possible to the same user to be part of different Directories and Subscriptions.
It's all matter of invites and permissions.
Is it possible to use the same (email) account to manage environments in different organizations on AWS?
You can create an IAM user for the same person (email address) in multiple AWS accounts. To log into a different account, the person would use the login screen that corresponds to the account they want to access. This is how it works if you are creating IAM users in an account. They would not be linked, so to see a different account they would need to go to a different login url--and likely a separate password even though the email address may be the same. Essentially, they would be separate users in separate accounts, with no linkage.
For enterprises, you can use things like SAML authentication where users would authenticate with their own company, then go to a link like https://signin.aws.amazon.com/saml which will show all of the accounts to which they have access. Then it is just a matter of picking the account to which you want to connect.
See
https://aws.amazon.com/single-sign-on/?org_product_ft_sso
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html
Related
We are setting up 4 projects on AWS. Each project has its own team. In some cases , a single person is working on multiple projects ,and is part of multiple teams.
We plan to setup 4 different AWS accounts , and add them in an organization. After that we need to send invites to our team from the account that has their project.
Is it possible to send email invites to people from our AWS account?
Can we add a single person , working on multiple projects, in multiple AWS accounts?
If its possible , how will it work for them, will they able to sign in to AWS using a single URL and see all the project resources , or do they need to sign in using different URLs (for each project)?
Creating IAM users in AWS account does not ask for any emails, thus there is no automated email notifications. You have to send such emails yourself.
Yes, one way would be to create for that user multiple users in each account. But I think better way would be to have only one IAM user for that person, and then create cross-account roles in other accounts which that user can assume. The roles can be assumed using AWS console or programmatically using AWS CLI or SDK. Access to the resources in other accounts would be controlled by the permissions defined in cross-account roles for that user.
I have a personal AWS account, and I was also added as an IAM user on another organization's account to access their ec2 resources.
Is there an easier way to switch between these two accounts from the website https://console.aws.amazon.com/?
Right now, I have to go to the separate URLs for each of my accounts that are in the form https://78xxxxxxxxxxx.signin.aws.amazon.com/console
But is there a way to switch from inside the AWS console itself without having to bookmark those URLs and re-type in my password to switch between them?
It seems that AWS lets you switch between different roles very easily, but this doesn't seem to work across accounts? https://aws.amazon.com/blogs/aws/new-cross-account-access-in-the-aws-management-console/
If you have multiple accounts and they are inside the same organization, you can use SSO login to access multiple accounts without typing the password as long as you have the correct permission to access them.
In the AWS IAM Identity Center(SSO) you can assign the permission sets to different accounts,
And the left side the Dashboard section has the SSO URL AWS access portal URL which will show you the multiple accounts
Reference Links: https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html
If each of the accounts belong to separate AWS organizations, they'll have separate URLs. The cross-account role switching applies to multiple accounts under a single AWS organization.
I have a software business and different unrelated customers. I manage their servers and other services on their own AWS accounts. Each has its own.
I'd like to simplify the management by having a root aws account of my company, and link different accounts to it with different payment methods. In most cases, clients use their own payment method..
What is the best way to achieve this?
There are 2 scenarios:
Clients pay for their own account: Create a cross account role in each of your customer's account that gives access to your account to do things in their account. Take a look at this tutorial - https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html#tutorial_cross-account-with-roles-3 . You will be able to use the cross account role to gain access to their account from your account by switching to their account from console. Take a look at the steps here - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html
You pay for all the clients: In this case you can use AWS organizations in your account and add the accounts of your customer's to it. You will also need to create cross account role like in step1 so that you have access to do things in their account. This will allow to to have a single consolidated bill for all the accounts while you still get the bifurcated billing details of each account. Take a look at the tutorial here: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html
My production environment uses AWS cognito federated identities (AKA: identity pool) for allowing users to sign in with their Google/FB accounts. This is working fine.
However, for my staging environment I want to offer a similar sign in functionality (that is: users sign in in via Google) but I want to restrict the ability to sign in only to a specific whitelist (of, say, #gmail.com accounts). This is because the staging environment should only be accessed by team members and a bunch of trusted users.
My question is this: is it possible to define a Cognito identity pool that allows only the whitelisted users to sign in? if the answer is "yes", then how?
I know that I can do the whitelist checking at my backend (that is: at the backend of my staging env. I will reject every request not coming from these whitelisted users) but this is a bit unclean. In particular, I want the rejection to happen as early and possible and, ideally, to be carried out by cognito itself, and not by my backend.
Clarifications:
I mentioned a list of #gmail.com accounts as the whitelist. I am open to any other mechanism for defining the whitelist.
In a way I am asking whether I can have user directory functionality (in particular: determining if a user is in a certain group of users) with an cognito identity pool.
The purpose of the Identity pool is to provide access to authenticated identities. Therefore, this resource cannot manage users (ie: white listing a user group).
There are two ways to do this:
Link 3rd Party Identity into a User Pool and white list by User Group. Your user group will have a Roles and permission it will assume that will allow your test users to have the functionality they need without allowing other users who log to have that functionality.
Manage users from the 3rd Party Identity - I am not an expert at Google authentication.. but some OpenID providers allow you to create user groups with different access roles. This is an example for Google.
You can invoke a trigger and execute a lambda function when the user submits their information to accept or deny the sign in request.
I'm attempting to develop an application architecture almost exclusively on top of AWS services.
This application has both User and Organization "entities". As one might except, a User may be an admin, role-x or role-y of one or more organizations. (role-x and role-y are just placeholders for some role with some set of specific permissions. A User may also be standalone (that is, not have a role on any Organization).
Our current thinking is to use DynamoDB to store organization and user specific data. For users this may include some basic information (address, phone number, whatever), and for organizations it may include fields like "mission statement", "business address" and so on.
An admin of an organization would be able to edit all organization fields, whereas a role-x might only be able to update "mission statement" while reading all other fields.
Since I mentioned that a single user may have roles on many different organizations, that might look something like:
user1:
organizations:
123: 'admin'
456: 'role-x'
789: 'admin'
It's also worth noting that these role assignments are modifiable. New or existing users may be invited to take on a specific role for an organization, and an organization may remove a user from a role.
This is a fairly straightforward type of layout, but I wanted to be very clear about the many-to-many nature of the user, org and roles.
I've been reading IAM and Cognito documentation, as well as how it relates to fine-grained control over DynamoDB items or S3 buckets - but many of the examples focus on a single user accessing their own data rather than a many-to-many role style layout.
How might one go about implementing this type of permission system on AWS?
(If policy definitions need to be updated with specific Identities (say, for an Organization), can that reliably be done in a programatic way - or is it ill-advised to modify policies on the fly like that?)
The above answer is outdated.
AWS has added Cognito-Groups recently. That provides more flexibility
You can use technique described in the article to achieve that:
https://aws.amazon.com/blogs/aws/new-amazon-cognito-groups-and-fine-grained-role-based-access-control-2/
Unfortunately the kind of permission system you are trying to implement is not possible with Cognito at the moment. With Cognito you can currently create unique identities for your users in an identity pool. Users can authenticate using any external provider such as Facebook, Amazon, Google, Twitter/Digits or any OpenId Connect Provider. Users can also authenticate through your own backend authentication process. After the user authenticates, Cognito creates a unique identity for that user. There’s a concept of an identity, but there’s no concept of groups. All users/identities within a one identity pool can get credentials from roles associated with that identity pool. Currently you can specify two roles: One role for authenticated identity and one role for unauthenticated identity. There’s no such feature at the moment where you can specify multiple groups for each identity and specify role on that group.
For more information on Cognito, you can refer to
https://aws.amazon.com/cognito/faqs/
http://docs.aws.amazon.com/cognito/devguide/getting-started/