Tigran Gevorgyan
Jul 5, 2024

Integrating G Suite with AWS IAM Identity Center for Seamless Access

AWS IAM Identity Center (formerly AWS Single Sign-On or AWS SSO) is a cloud service that simplifies the management of access to multiple AWS accounts and business applications. It provides centralized control to manage user identities, permissions, and single sign-on (SSO) access, allowing users to log in once and gain access to all assigned AWS accounts and applications. IAM Identity Center helps streamline access management, improve security, and enhance user productivity by offering a unified interface for access control and authentication.

G Suite (Google Workspace) is widely used for common business functions like email, calendar, and document sharing. If your organization uses both AWS and G Suite, you can streamline your access management by using G Suite as an identity provider (IdP) for AWS. By connecting AWS IAM Identity Center to G Suite, your users can access AWS accounts with their G Suite credentials.

To grant access, you assign G Suite users to AWS accounts. The permissions for each user are defined by permission sets in AWS IAM Identity Center, which you can customize based on job roles such as administrator, data scientist, or developer. By following the principle of least privilege, users get only the access they need for their job. This setup lets you manage user accounts in the Google Admin console while keeping fine-grained control over AWS access for each user.

In this post, I will walk you through the process of setting up G Suite as an external IdP in AWS IAM Identity Center.

How It Operates

AWS IAM Identity Center authenticates your G Suite users using Security Assertion Markup Language (SAML) 2.0 authentication. SAML is an open standard for the secure exchange of authentication and authorization data between IdPs and service providers without exposing users’ credentials. When you use AWS as a service provider and G Suite as an external IdP, the login process is as follows:

1. A user with a G Suite account opens the link to the AWS IAM Identity Center user portal for your AWS accounts.

2. If the user isn’t already authenticated, they will be redirected to the G Suite login page. The user will then log in using their G Suite credentials.

3. If the login is successful, a response is created and sent to AWS IAM Identity Center. This response contains three types of SAML assertions: authentication, authorization, and user attributes.

4. When AWS IAM Identity Center receives the response, it determines the user’s access to the AWS IAM Identity Center user portal. A successful login displays the accessible AWS accounts.

5. The user selects the account they wish to access and is redirected to the AWS Management Console.

The authentication flow is shown in the following diagram.

Figure 1: AWS IAM Identity Center authentication flow

The user journey starts at the AWS IAM Identity Center user portal and ends with access to the AWS Management Console. This process provides your users with a unified access experience to the AWS Cloud, eliminating the need for you to manage user accounts in AWS Identity and Access Management (IAM) or AWS Directory Service.

User permissions in an AWS account are controlled by permission sets and groups in AWS IAM Identity Center. A permission set is a collection of policies that determine a user’s effective permissions in an account. These sets can include AWS managed policies or custom policies, and are ultimately created as IAM roles in the specified AWS account. When users access an AWS account, they assume these roles and receive their effective permissions.

Please see more details about AWS IAM Identity Center and its setup here.

When you use G Suite to authenticate and manage your users, you need to create a user entity in AWS IAM Identity Center. This user entity is not a user account, but a logical object that maps a G Suite user via their primary email address as the username to the user account in AWS IAM Identity Center. The user entity in AWS IAM Identity Center allows you to grant a G Suite user access to AWS accounts and define their permissions in those accounts.
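To make the login flow above and the e-mail-based user mapping concrete, here is an added example (not AWS or Google code) of the checks a SAML service provider such as IAM Identity Center performs on the IdP response before it looks up the user entity: issuer, validity window, audience, and an e-mail-format NameID. The entity IDs and the response itself are constructed placeholders; a real service provider also verifies the XML signature against the certificate in the uploaded IdP metadata, which is omitted here.

```python
# Added example (not AWS or Google code): service-provider-side checks on a
# SAML 2.0 Response before mapping NameID to an IAM Identity Center user.
# Sample response is hand-written and unsigned; real SPs verify the signature.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholder entity IDs (constructed, not real deployment values).
IDP_ENTITY_ID = "https://accounts.google.com/o/saml2?idpid=PLACEHOLDER"
SP_ENTITY_ID = "https://us-east-1.signin.aws.amazon.com/platform/saml/d-PLACEHOLDER"

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FMT}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-07-05T10:00:00Z" NotOnOrAfter="2024-07-05T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-07-05T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, now, idp=IDP_ENTITY_ID, sp=SP_ENTITY_ID):
    """Return the Identity Center username (NameID e-mail) or raise ValueError."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    # Issuer must be the IdP whose metadata was uploaded to Identity Center.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp:
        raise ValueError("issuer does not match the configured IdP")
    # Validity window: stale or replayed assertions are rejected.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    # Audience must be this SP's entity ID from the service provider metadata.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp not in audiences:
        raise ValueError("assertion not issued for this service provider")
    # NameID in e-mail format is the username of the Identity Center user entity.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        raise ValueError("NameID must be the user's primary e-mail address")
    return name_id.text
```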

AWS IAM Identity Center initial setup

The AWS IAM Identity Center service has some prerequisites. Additionally, you need administrator privileges in G Suite and access to the Google Admin console.

If you’re already using AWS IAM Identity Center in your account, refer to “Considerations for Changing Your Identity Source” before making any changes.

Setting Up an External Identity Provider in AWS IAM Identity Center

Go to the AWS Management Console and sign in to the account where AWS IAM Identity Center should be configured (if AWS Organizations is in use, sign in to the management account). Open the AWS IAM Identity Center service, choose the Region, and choose Enable. You should see something like this:

Figure 2: AWS IAM Identity Center service welcome page

After AWS IAM Identity Center is enabled, you can start setting up the identity source.

  1. Go to IAM Identity Center > Settings > Change identity source.
  2. Choose the identity source you want to use (in our case, External identity provider).

Figure 3: Configuring AWS IAM Identity Center service with external identity provider

Figure 4: Configuring Service Provider Metadata in AWS IAM Identity Center

**Your identity provider (IdP) requires the following IAM Identity Center certificate and metadata information to trust IAM Identity Center as a service provider. You can copy and paste this information, type it in the service provider configuration interface for your IdP, or download the IAM Identity Center metadata file and upload it to your IdP.**

For the next steps, to generate IdP metadata, you need to switch to your Google Admin console and use the service provider metadata information to configure AWS IAM Identity Center as a custom SAML application.

Please follow the guide below to set up a custom SAML app using the information provided above.

Set up your own custom SAML app

After completing the required configuration steps, you should see something similar to this.

Figure 5: Configuration Interface for AWS IAM Identity Center as a Service Provider with G Suite as IdP

As configuring AWS IAM Identity Center in G Suite is already done, please return to the browser tab with the AWS IAM Identity Center configuration to complete the configuration on the AWS IAM Identity Center side.

After creating the G Suite application, you can finish the IAM Identity Center setup by uploading the Google IdP metadata in the AWS Management Console.

When you configured the custom application in G Suite earlier, you downloaded the IdP SAML metadata file. On the AWS IAM Identity Center configuration page, choose “Choose file” and select that IdP SAML metadata file. Finish this step by choosing “Next”.

Figure 6: Uploading identity provider metadata in AWS IAM Identity Center

Review the list of changes, and ONLY then type CONFIRM at the bottom of the page and choose “Change identity source” to complete the setup. You should see something similar to the following.

Figure 7: Confirm the changes

If the setup is finished successfully, you should see something similar to the following output.

Figure 8: Status of Successful Setup Completion

Starting now, you are able to add users, groups, AWS accounts, and permission sets, and make configurations as per your needs. Please visit the following article to accomplish these steps.

Once you have successfully completed all the previously mentioned steps and added yourself and possibly other users to the appropriate groups, it’s time to test your setup and see how it works.

You have the following options:

  1. Use the AWS access portal URL, which is permanent and resides in AWS IAM Identity Center (Settings).
  2. If you use Google Chrome as a browser, open it, go to Google Apps, and you will find the AWS IAM Identity Center icon and the name you set up previously.

Figure 9: The icon of AWS IAM Identity Center in Google Apps

I really hope that this article is helpful for the community.

Please share your thoughts and comments. I would also love to hear your feedback and any suggestions for my next article. What would you like to read, test, and use?

Thanks!

Tigran Gevorgyan

CloudOps Team Lead / 2x AWS Certified / 2x AWS Community Builder / Core Member, AWS User Group Armenia (Yerevan)