AWS SSO for external client AWS accounts not in an organization - Best Practices

Question

I have multiple different clients I work with that are completely independent of each other. If a client I'm working with already has an AWS account, I may develop software in their existing AWS account, but if they don't have an account then I'll create a new AWS account.

Today, I'm storing my clients' AWS username/passwords in LastPass within separate folders and/or LastPass identities. However, I'd like to know if there is a better/easier way to do this and also what the recommended method is.

I know that AWS SSO can be used to manage multiple AWS accounts under one organization (e.g., for a large company), but can AWS SSO be used to manage multiple completely independent client accounts that are either not in an AWS organization or in separate AWS organizations?

What are the best practices for a scenario with managing multiple AWS accounts that are for completely independent companies? Is there an AWS recommended whitepaper on this?

This SO question is related, but it's also 6 years old: AWS: how to manage authentication for multiple accounts

Thank you!

score 2 · Accepted Answer · answered Oct 14 '21 at 22:39

2

I would say that for accounts which are part of your organization, you should use AWS SSO.

For accounts which are 'owned' by someone else. Have them create a role which you can assume from one of your accounts. Possibly you could create a separate account under your organization, to contain the roles which the other accounts trust.

answered Oct 14 '21 at 22:39

Daniel Scott

7,418
5
39
58

Considering the issue I commented above in @daniel-rocco's answer, your strategy here might be the overall better one. Your strategy solves both problems: (1) For browser-based AWS Console, we can use the `Switch Role` button. (2) For AWS CLI (`~/.aws/config`), we can use `role_arn` and `source_profile` as explained at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html – Vincent Yin May 17 '22 at 15:06

score 2 · Answer 2 · answered Dec 21 '21 at 23:52

but can AWS SSO be used to manage multiple completely independent client accounts that are either not in an AWS organization or in separate AWS organizations?

It is possible to add these accounts to AWS SSO as External AWS Accounts under the Applications section. For each target account, you’ll need to

register a SAML Identity Provider in IAM
create an IAM Role for AWS SSO to assume

Steps:

In AWS SSO,

Add a new Application and specify “External AWS Account” as the type
Supply a name for the application
Download the SAML metadata file

In the target AWS account, register a SAML Identity Provider in IAM:

In IAM, navigate to the Identity provider section and choose Add provider
Select the SAML Identity provider type
Give the provider a meaningful name (e.g. “AWS-SSO”)
Upload the SAML metadata you obtained from AWS SSO

Next, add an IAM Role in the target AWS account for AWS SSO to assume. The easiest way to do this is to choose Assign role → Create a new role from the details page of the Identity provider you just created in IAM. From there, AWS will present the familiar Role creation wizard where you can set permissions and tags.

If you prefer to have AWS SSO assume an existing IAM Role, edit the Role’s trust policy to include the SAML IdP as a trusted entity:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "https://signin.aws.amazon.com/saml"
        }
      }
    }
  ]
}

where ACCOUNTID is the id of the target AWS account and SAMLPROVIDERNAME is the name of the IdP you created.

Finally, back in AWS SSO,

Open the External AWS Account Application you created
Choose the Attribute Mappings tab
Add a new attribute mapping for the Role in the target AWS account
- Field: https://aws.amazon.com/SAML/Attributes/Role
- Value: arn:aws:iam::ACCOUNTID:saml-provider/SAMLPROVIDERNAME,arn:aws:iam::ACCOUNTID:role/ROLENAME
- Format: unspecified

where ACCOUNTID, SAMLPROVIDERNAME, and ROLENAME reference the artifacts in the target AWS account.

With the External AWS Account Application configured, you can assign users to the Application in AWS SSO as usual.

AWS documentation notes that each External AWS Account application can target only one Role

External AWS Account service only supports one IAM Role attribute mapping per application instance. So, you would have to create multiple External AWS Account application instances to use multiple roles.

Reference: AWS Single Sign-On (AWS SSO) Integration Guide for External AWS Account

While this works for the browser-based AWS Console, there doesn't seem to be a way to do this in AWS CLI. There is no syntax in `~/.aws/config` for this kind of topology. Is that right? — Vincent Yin, May 17 '22 at 14:59
@VincentYin [AWS SSO supports authenticating the CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html) and allows one to set up profiles in `~/.aws/config`. The mechanism is similar to the CLI configuration for cross-account role assumption. — Daniel Rocco, May 31 '22 at 23:27
That's not true. The docs you referenced ^^^ is for AWS CLI to sign-in to AWS accounts in the **same** AWS Org. This thread is about adding an **external** AWS account. AWS CLI doesn't have the capability for that. — Vincent Yin, Jun 02 '22 at 18:52
Anyone know if it's possible to have different IAM roles configured for different SSO groups in the target account? Haven't been able to find much info on that. — Alec Collier, Aug 12 '22 at 13:06
Great answer, thanks. Indeed CLI is still a problem. I hope someone will help on that. — code_ada, Oct 27 '22 at 18:26

MikeCox · Answer 3 · 2022-11-09T08:12:18.907

0

For cli access to non org accounts, you have to create a permissionset with the relevant permissions and assign it to the SSO account.

Create the relevant roles in the non org accounts, create a permission set in the SSO account that allows STS to these roles.

edited Nov 09 '22 at 08:12

answered Nov 08 '22 at 18:51

MikeCox

1
1

AWS SSO for external client AWS accounts not in an organization - Best Practices

3 Answers3

Steps: