
SSO Users and Group Setup

Brian Wylie edited this page May 3, 2023 · 7 revisions

AWS SSO (Single Sign-On) is a cloud-based service that allows users to manage access to multiple AWS accounts and business applications using a single set of credentials. It simplifies the authentication process for users and provides centralized management of permissions and access control across various AWS resources. With AWS SSO, users can log in once and access all the applications and accounts they need, streamlining the user experience and increasing productivity. AWS SSO also enables IT administrators to manage access more efficiently by providing a single point of control for managing user access, permissions, and policies, reducing the risk of unauthorized access or security breaches.

Setting up SSO Users

  • Log in to your AWS account and go to the AWS Identity Center console.
  • Click on the "Users" tab and then click on the "Add user" button.

The 'Add User' setup is fairly straightforward, but here are some screenshots:

On the first panel you fill in the user's information.

[Screenshot: 'Add user', first panel (user information)]

Groups

On the second panel we suggest that you have at LEAST two groups:

  • Admin group
  • DataScientists group

Setting up Groups

This lets you put most users into the DataScientists group, which carries AWS policies matched to their job role. IAM Identity Center uses 'permission sets', to which you attach AWS policies; assigning a permission set to a group gives every member the set of policies relevant to their tasks.

Our standard setup is to have two permission sets with the following policies:

  • IAM Identity Center --> Permission sets --> DataScientist

    • Add Policy: arn:aws:iam::aws:policy/job-function/DataScientist
  • IAM Identity Center --> Permission sets --> AdministratorAccess

    • Add Policy: arn:aws:iam::aws:policy/job-function/AdministratorAccess

See: Permission Sets for more details and instructions.

Another benefit of creating groups is that you can reference that group in the 'Trust Policy (assume_role)' of the SageWorks-ExecutionRole (this role is deployed as part of the SageWorks AWS Stack). This means that what SageWorks can do/see/read/write is managed entirely through the SageWorks-ExecutionRole.

Back to Adding User

Okay, now that we have our groups set up we can go back to our original goal of adding a user. Here's the second panel with the groups; now we can hit 'Next'.

[Screenshot: 'Add user', second panel (groups)]

On the third panel just review the details and hit the 'Add User' button at the bottom. The user will get an email giving them instructions on how to log on to their AWS account.

[Screenshot: 'Add user', third panel (review and add)]

AWS Console

Now when the user logs onto the AWS Console they should see something like this:

[Screenshot: AWS Console view after SSO login]

SSO Setup for Command Line/Python Usage

For full instructions see SSO Command Line/Python Configure; here's a quick summary.

Get some information

  • Go to your AWS Identity Center in the AWS Console
  • On the right side there are two important pieces of information:
    • Region
    • Start URL

Install AWS CLI

  • Mac: brew install awscli
  • Linux: TBD
  • Windows: TBD

Running the SSO Configuration

Note: You only need to do this once!

aws configure sso --profile <the name of the new profile> (something like bob_sso)
SSO session name (Recommended): my-sso
SSO start URL []: <the Start URL from info above>
SSO region []: <the Region from info above>
SSO registration scopes [sso:account:access]:

At this point a browser window opens (or redirects) and you get a list of the accounts available to you, something like the one below; pick the correct account.

There are 2 AWS accounts available to you.
> SCP_Sandbox, briford+sandbox@supercowpowers.com (XXXX40646YYY)
  SCP_Main, briford@supercowpowers.com (XXX576391YYY)

Now pick the role (permission set) that you're going to use:

There are 2 roles available to you.
> DataScientist
  AdministratorAccess

Setting up some aliases for bash/zsh

Edit your ~/.bashrc or ~/.zshrc and add these aliases/helpers:

# AWS Aliases
alias bob_sso='export AWS_PROFILE=bob_sso'

# Default AWS Profile
export AWS_PROFILE=bob_sso

Testing your new AWS Profile

Make sure your profile is active/set:

env | grep AWS
AWS_PROFILE=<bob_sso or whatever>

Now you can list the S3 buckets in the AWS account:

aws s3 ls

If you get some message like this...

The SSO session associated with this profile has expired or is otherwise invalid. To refresh this SSO session run aws sso login with the corresponding profile.

This is expected: run the aws sso login command the message mentions (with your profile), a browser will open, and you can refresh your SSO token.

After that you should get a listing of the S3 buckets without needing to refresh your token:

❯ aws s3 ls
2023-03-20 20:06:53 aws-athena-query-results-XXXYYY-us-west-2
2023-03-30 13:22:28 sagemaker-studio-XXXYYY-dbgyvq8ruka
2023-03-24 22:05:55 sagemaker-us-west-2-XXXYYY
2023-04-30 13:43:29 scp-sageworks-artifacts
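The alias above only sets AWS_PROFILE; the following bash/zsh helper (an added example, not code from the SageWorks wiki) also checks that the profile's SSO session is still valid before you start working, and runs the aws sso login browser refresh only when the token has expired, as described above. It assumes the profile was created with aws configure sso, uses sts get-caller-identity as the probe call, and the AWS_CMD variable is an assumed hook so the logic can be exercised with a stand-in for the real aws binary.

```shell
# sso_ensure_login <profile>
#   returns 0 when the profile has a usable SSO session (after re-login if needed)
#   returns 1 when the login fails or the error is not an expired/invalid session
sso_ensure_login() {
    local profile="$1"
    local aws_bin="${AWS_CMD:-aws}"   # assumed hook: normally unset, so plain `aws`
    local out

    # Cheap, read-only call that fails fast when the SSO token is expired
    if out=$("$aws_bin" sts get-caller-identity --profile "$profile" 2>&1); then
        return 0
    fi

    case "$out" in
        *"SSO session associated with this profile has expired"*|*"Token has expired"*)
            # First wording is the message quoted in the wiki; the second is assumed
            # to be the equivalent message from newer CLI builds using sso-session.
            "$aws_bin" sso login --profile "$profile" || return 1
            "$aws_bin" sts get-caller-identity --profile "$profile" >/dev/null 2>&1
            ;;
        *)
            # Not a token problem (typo in profile name, no network, access denied...)
            printf 'aws error for profile %s: %s\n' "$profile" "$out" >&2
            return 1
            ;;
    esac
}

# use_sso <profile>: set AWS_PROFILE for this shell and verify the session
use_sso() {
    export AWS_PROFILE="$1"
    sso_ensure_login "$AWS_PROFILE"
}

# One alias per profile you created with `aws configure sso`
alias bob_sso='use_sso bob_sso'
```

Typing bob_sso in a new shell now either succeeds silently or opens the browser for a token refresh; any other aws error is printed instead of being mistaken for an expired session.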
