I'm fairly new to AWS Organizations and SSO and I seem to be missing something when it comes to setting up a user.
I've set up AWS Organizations and SSO OK, and created some OUs and created AWS Accounts within them. I have also successfully used SSO to create a new User and assigned them to the PowerUsers Group. The user power-group-user can log in fine, and create cloud resources such as EC2s.
But what they can't do is find or create programmatic access keys (AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY), which seems to be a glaring omission from their capabilities.
Have I missed a step in the user set-up, or am I supposed to explicitly grant them permissions for this? It just seems odd that a PowerUser can't generate access keys.
UPDATE to my original question. I have tracked down the missing keys, of sorts. This AWS Blog describes how, when you log on via the SSO Console, you get two options for each account: 1) Console Access, or 2) Command line or programmatic access. If you choose the latter then you are able to obtain temporary access keys (by default good for 1 hour) directly from the console.
So I guess my question has now changed to: is this how it works with SSO? That is, temporary credentials only? I'm guessing that is the case, because I think with SSO I'm assuming Roles, and therefore all credentials will be temporary.
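To make the distinction in the update concrete, here is a small added helper (it is not part of the question or the answer, and not an AWS tool) that a practitioner can run over the credential block the SSO portal's "Command line or programmatic access" option hands out, or over an entry from the AWS CLI's credential cache, to confirm that what they hold is a short-lived STS session rather than a permanent IAM user key and to see how long it has left. It relies on two things that are documented by AWS rather than stated on this page: temporary STS access key IDs start with `ASIA` and come with a session token, while long-lived IAM user keys start with `AKIA` and have no token. The sample credential blocks and the cache entry below are constructed (the values are fake), and the cache entry's JSON layout is assumed to match what the CLI writes.

```python
"""Classify AWS credentials as temporary or long-lived and report expiry.

Added example, not code from the question, the answer or AWS. Assumptions:
  - STS temporary access key IDs start with "ASIA" and are accompanied by
    AWS_SESSION_TOKEN; IAM user keys start with "AKIA" and have no token
    (AWS-documented prefixes).
  - The cache entry below mirrors the shape the AWS CLI writes for SSO role
    credentials (a "Credentials" object with an ISO-8601 "Expiration").
All sample values are constructed and are not valid credentials.
"""
import json
import re
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed sample: the env-var block the SSO portal shows for
# "Command line or programmatic access".
SSO_PORTAL_BLOCK = """
export AWS_ACCESS_KEY_ID="ASIAEXAMPLE1234567890"
export AWS_SECRET_ACCESS_KEY="exampleSecretKeyNotReal000000000000000000"
export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEXAMPLETOKEN"
"""

# Constructed sample: a long-lived IAM user key as stored in ~/.aws/credentials.
LONG_LIVED_BLOCK = """
[default]
aws_access_key_id = AKIAEXAMPLE1234567890
aws_secret_access_key = exampleSecretKeyNotReal000000000000000000
"""

# Constructed sample of an SSO role-credential cache entry (assumed CLI layout).
CLI_CACHE_ENTRY = json.dumps({
    "ProviderType": "sso",
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE1234567890",
        "SecretAccessKey": "exampleSecretKeyNotReal000000000000000000",
        "SessionToken": "IQoJb3JpZ2luX2VjEXAMPLETOKEN",
        "Expiration": "2024-05-01T13:00:00Z",
    },
})

# Accepts both the "export NAME=\"value\"" and the "name = value" spellings.
_PATTERNS = {
    "access_key_id": re.compile(r'(?i)aws_access_key_id\s*=\s*"?([^"\s]+)"?'),
    "secret_access_key": re.compile(r'(?i)aws_secret_access_key\s*=\s*"?([^"\s]+)"?'),
    "session_token": re.compile(r'(?i)aws_session_token\s*=\s*"?([^"\s]+)"?'),
}


def parse_credentials(text: str) -> Dict[str, str]:
    """Pull the three credential fields out of an env-var or ini-style block."""
    found = {}
    for name, pattern in _PATTERNS.items():
        match = pattern.search(text)
        if match:
            found[name] = match.group(1)
    return found


def classify(creds: Dict[str, str]) -> str:
    """'temporary' for an STS session, 'long-lived' for an IAM user key."""
    key_id = creds.get("access_key_id", "")
    has_token = bool(creds.get("session_token"))
    if key_id.startswith("ASIA") and has_token:
        return "temporary"
    if key_id.startswith("AKIA") and not has_token:
        return "long-lived"
    # e.g. an ASIA key without its token, or an unexpected prefix
    return "inconsistent"


def seconds_until_expiry(expiration_iso: str, now_iso: Optional[str] = None) -> float:
    """Seconds left on a credential set; negative once it has expired."""
    expires = datetime.fromisoformat(expiration_iso.replace("Z", "+00:00"))
    if now_iso is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return (expires - now).total_seconds()


def report_cache_entry(raw_json: str, now_iso: Optional[str] = None) -> Tuple[str, float]:
    """Classify a cached SSO credential entry and compute its remaining lifetime."""
    creds = json.loads(raw_json)["Credentials"]
    normalised = {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds.get("SessionToken", ""),
    }
    return classify(normalised), seconds_until_expiry(creds["Expiration"], now_iso)


if __name__ == "__main__":
    print("portal block :", classify(parse_credentials(SSO_PORTAL_BLOCK)))
    print("ini block    :", classify(parse_credentials(LONG_LIVED_BLOCK)))
    kind, left = report_cache_entry(CLI_CACHE_ENTRY, "2024-05-01T12:30:00Z")
    print(f"cache entry  : {kind}, {left:.0f}s remaining")
```

Run it as-is to see the constructed samples classified; to check real material, point `parse_credentials` at the text you pasted from the portal (without storing it anywhere) and `report_cache_entry` at a file under `~/.aws/cli/cache`. The useful signal for the question above is the first line: SSO only ever yields the "temporary" class, which is why there is no place in IAM to mint an `AKIA` key for an SSO user.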
If you're using the "Power users" managed policy, that does not give access to IAM, which is where you'd create access keys, etc.
Power user description: Provides full access to AWS services and resources, but does not allow management of Users and groups.