Amazon Web Service - Replace IAM Users with AWS SSO

  • Published on 6 Sep 2024

Comments • 62

  • @samb2543 3 years ago +4

    This is the best explanation I've seen of SSO

  • @Unerty 2 years ago +3

    This gives me "My name is Giovanni Giorgio, but everybody calls me Giorgio" vibes. By the way, thanks for the great video!

    • @robertabanks 7 months ago

      so we put a click on the 24-track

  • @sreaswar 2 years ago +3

    That was so clear and well explained. Thanks for sharing

    • @cloudonaut 2 years ago +1

      Thanks a lot for your motivating feedback!

  • @thestart709 4 months ago

    The Organisation is created from the AWS root account so I guess the SSO should be activated from the AWS root account where the Organisation exists?

    • @cloudonaut 4 months ago

      Yes, root account or a delegated admin account, see docs.aws.amazon.com/singlesignon/latest/userguide/delegated-admin.html

  • @ravitejateja2071 3 months ago

    Thank you for the great video. Any idea if it is possible to automate the process to auto refresh the temporary credentials? If we want to try out SSM with SSO, if we do aws configure sso and set up profile, every time it asks for approval from browser. Any way we can automate this to avoid browser approvals?

    • @cloudonaut 3 months ago

      Thanks for the feedback. I'm not aware of a way to automate refreshing the credentials.

  • @mohammadjavadraadi2825 2 years ago +1

    Thank you for sharing. Really appreciate it.

    • @cloudonaut 2 years ago

      Glad you enjoyed it!

  • @taraskostyuk7076 3 years ago +2

    SSO is not supported in all AWS regions. So SSO cannot be used if using an unsupported region is required?

    • @cloudonaut 3 years ago +2

      You can still use all AWS regions. But SSO can only be deployed into some of them. See docs.aws.amazon.com/singlesignon/latest/userguide/regions.html

    • @MACODJ 2 years ago

      @cloudonaut And Italy??

  • @thestart709 4 months ago

    What about if we want to terraform apply (CI) on a specific AWS account? Would you create an SSO user, e.g. deployer, from which you would run aws sso get-role-credentials to get temporary credentials and apply terraform?

    • @cloudonaut 4 months ago

      Depends on your CI solution. If you use GitHub, you can use docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services

  • @SethArt 3 years ago +1

    Thanks for sharing! Really helpful.

  • @pippopeppe83 2 years ago +1

    Great explanation

    • @cloudonaut 2 years ago

      Glad you liked it

  • @sudsrmsee 1 year ago

    Thanks for the clarity. Still, I have one doubt: if the OU already has an SCP, is it possible to integrate SSO with the OU with new permission sets?

    • @cloudonaut 1 year ago +1

      You are mixing two distinct topics: SSO permission policies are used to generate IAM roles/policies, and SCPs are in effect above that.

  • @johanneskoller7089 1 year ago

    Very great and useful video

  • @jumaal-maskari6010 1 year ago

    Great work, thanks

  • @Anshie007 1 year ago

    Absolutely great video!
    One question: if we don't have AWS Organizations set up, we can still work with this setup for the same account, right?
    Also, as a recommendation, it would have been the cherry on top if you could add on-prem AD as identity provider, as that's the most common use case.
    Thanks again!

    • @cloudonaut 1 year ago

      Your AWS account must be managed by AWS Organizations. If you haven't set up an organization, you don't have to. When you enable IAM Identity Center, you will choose whether to have AWS create an organization for you.

  • @loumarich3562 2 years ago

    What if you're not getting connected to the AWS console after you select your account to log in? What to troubleshoot?

    • @cloudonaut 2 years ago +1

      I recommend opening your browser's developer tools and checking the error codes and messages of the outgoing HTTPS requests.

  • @TechLeadEngineer 1 year ago

    Great video tutorial, thank you. Quick question, how do I use an SSO user to log in with a long-term credential? I have an API that needs to log in to AWS to view data of a KDS. This is an automated process and so I need to use a proxy account coming from the identity source (Azure AD in our case), however all the AWS docs I found only use IAM with short-term credentials. Any idea? Thanks in advance.

  • @RowanSheridan 2 years ago

    How do you guys not have more subscribers!?

    • @cloudonaut 2 years ago

      We are working on it :)

  • @suhasvengilat1026 3 years ago

    Really superb - Thank you

  • @MACODJ 2 years ago

    I can't register a new account to access the AWS service! Where is the bug? Please help, I can't use AWS Amazon

    • @cloudonaut 2 years ago

      Sorry, we cannot help with that. Please contact AWS support.

  • @iaroslavdavydiak6439 2 years ago +1

    Awesome explanation. Thanks!

    • @cloudonaut 2 years ago

      Great! Are you using AWS SSO already?

  • @edipocdf 2 years ago

    Tks a lot, very good video

  • @akimyucel3900 2 years ago

    Good content, thank you

  • @thyponzoni 3 years ago +1

    So, is AWS SSO not advised for larger businesses? We use IAM with an identity account with users and groups and need to assume roles in other accounts. The process isn't very smooth IMO. We have over 400 engineers. Thanks for the great content!

    • @cloudonaut 3 years ago +2

      You can use SSO in larger orgs as well these days. Likely in combination with (Azure) AD.

    • @modesoliman 2 years ago

      @cloudonaut Should we create the IAM roles for all engineers again manually? Or is there a way I can migrate current roles from IAM users and groups roles to SSO?

    • @cloudonaut 2 years ago +1

      @modesoliman Not sure what you mean by creating roles manually. The roles are fully managed via SSO (see permission sets: docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html).

    • @modesoliman 2 years ago

      @cloudonaut I mean, if users have custom roles, not the predefined ones, should I recreate them manually, or is there a way I can migrate them from IAM to the SSO console?

    • @cloudonaut 2 years ago

      @modesoliman It is possible to copy the IAM policies from your IAM roles to AWS SSO.

  • @rajeshom5129 2 years ago

    I want to use those access key and secret key in a Python script to connect with Boto3. Can you please help with how I can write such Python code to work with AWS services with SSO?

    • @cloudonaut 2 years ago

      Copy&Paste the environment variables from AWS SSO or check out stackoverflow.com/questions/62311866/how-to-use-the-aws-python-sdk-while-connecting-via-sso-credentials.

  • @wisunhi77 2 years ago

    Can you migrate the current IAM users to AWS SSO?

    • @cloudonaut 2 years ago +1

      We are not aware of a way to migrate IAM users to SSO, unfortunately.

    • @wisunhi77 2 years ago

      @cloudonaut Got it, thanks!

  • @supersoniq4102 1 year ago

    Rename this video to "SSO MasterClass"

    • @cloudonaut 1 year ago

      Thanks a lot for your feedback! :D

  • @pabloin 3 years ago +1

    Great explanation! Thanks!

  • @sellerym 2 years ago

    Excellent video, thank you!

    • @cloudonaut 2 years ago

      Thanks a lot for your feedback!