AWS recently introduced Identity Store APIs for IAM Identity Center to create and manage users and groups at scale. Administrators can use the new APIs to manage identities programmatically and to gain visibility into the users and groups held in the Identity Center directory.
Previously known as AWS SSO, IAM Identity Center supports the direct creation and management of users and groups and can be connected to existing sources and providers such as Microsoft Active Directory, Okta Universal Directory, or Azure AD. For audit and reconciliation purposes, the cloud provider introduced new Identity Center directory APIs to retrieve users and their group memberships. Sharanya Ramakrishnan, senior tech product manager at AWS, Bala KP, senior solutions architect at AWS, and Siva Rajamani, enterprise solutions architect at AWS, write:
As your enterprise grows, you may want to automate your administrative tasks to reduce manual effort, save time, and scale efficiently. If you’re a cloud administrator or IT administrator who manages which employees in your organization need access to AWS as part of their job role, or what AWS resources they need so they can develop applications, now you can set up automated workflows that manage this for you.
The ability to manage users and groups at scale has been a long-standing request from the community. Rowan Udell, principal solutions architect at Stax, tweets on the importance of a centralized service:
Always use AWS SSO/Identity Center. Always. If you have IAM users, get rid of them. If you're following a guide that says "Create an Administration user", don't. Friends don't let friends use IAM users. All roles. All the time.
Built on the per-account functionality of AWS IAM and the multi-account features of AWS Organizations, the managed service removes the effort of federating into, and managing permissions for, each AWS account separately. Ramakrishnan, KP, and Rajamani add:
If you use IAM Identity Center with a supported identity provider (IdP) or Microsoft Active Directory (AD), you may want to check if the right users and groups have synced into IAM Identity Center. You can do this manually, but now you can use the new APIs to make the process easier by setting up automated checks that query this information from IAM Identity Center and notify you only when you need to intervene.
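The automated sync check described in the quote above, and the automation of administrative tasks mentioned earlier in the article, can be built on the same handful of Identity Store calls. The following is an added example, not code from the AWS blog post or from this article: it compares an expected roster of groups and members (what the IdP or HR system says should exist) against what IAM Identity Center actually reports through the `ListUsers`, `ListGroups` and `ListGroupMemberships` APIs, and returns findings only when an operator needs to intervene. The client is duck-typed: pass `boto3.client("identitystore")` for a real run (the `IdentityStoreId` comes from the `sso-admin` `ListInstances` call), or the constructed `FakeIdentityStore` below, whose users, groups, ids and store id are all hypothetical sample data, to run it offline. The response shapes follow boto3's `identitystore` client; everything else is an assumption of this example.

```python
def _paginate(method, key, **kwargs):
    """Follow NextToken across the pages of an identitystore list_* call."""
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        resp = method(**params)
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def observed_memberships(client, store_id):
    """Return {group DisplayName: set of UserName} as Identity Center reports it.

    Membership records carry only a UserId, so users are resolved through
    list_users first; an id with no matching user is kept as the raw id so it
    surfaces as an unexpected member instead of silently disappearing.
    """
    users = {u["UserId"]: u["UserName"]
             for u in _paginate(client.list_users, "Users", IdentityStoreId=store_id)}
    observed = {}
    for group in _paginate(client.list_groups, "Groups", IdentityStoreId=store_id):
        members = set()
        for m in _paginate(client.list_group_memberships, "GroupMemberships",
                           IdentityStoreId=store_id, GroupId=group["GroupId"]):
            uid = m["MemberId"]["UserId"]
            members.add(users.get(uid, uid))
        observed[group["DisplayName"]] = members
    return observed


def drift(expected, observed):
    """Diff two {group: set(users)} rosters; empty lists/dicts mean nothing to do."""
    findings = {
        "missing_groups": sorted(set(expected) - set(observed)),
        "unexpected_groups": sorted(set(observed) - set(expected)),
        "missing_members": {},
        "extra_members": {},
    }
    for group in set(expected) & set(observed):
        missing = sorted(expected[group] - observed[group])
        extra = sorted(observed[group] - expected[group])
        if missing:
            findings["missing_members"][group] = missing
        if extra:
            findings["extra_members"][group] = extra
    return findings


def needs_attention(findings):
    """True when any finding is non-empty, i.e. someone should be notified."""
    return any(findings.values())


def check_store(client, store_id, expected):
    """One scheduled run: fetch the directory state, diff it, return findings."""
    return drift(expected, observed_memberships(client, store_id))


# --- constructed sample data: hypothetical users, groups, ids and store id ---
EXPECTED_ROSTER = {          # what the source of truth says membership should be
    "Developers": {"alice", "bob"},
    "Admins": {"bob"},
    "Auditors": {"dave"},
}


class FakeIdentityStore:
    """Offline stand-in for boto3's identitystore client, same response shapes.

    Pages are one item long on purpose so that NextToken handling is exercised.
    """
    users = [{"UserId": "u-1", "UserName": "alice"},
             {"UserId": "u-2", "UserName": "bob"},
             {"UserId": "u-3", "UserName": "carol"}]
    groups = [{"GroupId": "g-1", "DisplayName": "Developers"},
              {"GroupId": "g-2", "DisplayName": "Admins"}]
    memberships = {"g-1": ["u-1", "u-2"], "g-2": ["u-2", "u-3"]}

    @staticmethod
    def _page(key, items, NextToken=None):
        i = int(NextToken or 0)
        resp = {key: items[i:i + 1]}
        if i + 1 < len(items):
            resp["NextToken"] = str(i + 1)
        return resp

    def list_users(self, IdentityStoreId, NextToken=None):
        return self._page("Users", self.users, NextToken)

    def list_groups(self, IdentityStoreId, NextToken=None):
        return self._page("Groups", self.groups, NextToken)

    def list_group_memberships(self, IdentityStoreId, GroupId, NextToken=None):
        items = [{"MembershipId": f"m-{GroupId}-{u}", "GroupId": GroupId,
                  "MemberId": {"UserId": u}} for u in self.memberships.get(GroupId, [])]
        return self._page("GroupMemberships", items, NextToken)


if __name__ == "__main__":
    # Real run: client = boto3.client("identitystore") with the store id from
    # sso-admin ListInstances. The fake client keeps this example offline.
    findings = check_store(FakeIdentityStore(), "d-example", EXPECTED_ROSTER)
    print("notify" if needs_attention(findings) else "in sync", findings)
```

With the sample data the run reports one missing group (`Auditors`) and one extra member (`carol` in `Admins`), which is exactly the case where a notification is warranted; a roster that matches the directory yields empty findings and no alert. The check only reads, so it can run on a schedule under a role limited to `identitystore:ListUsers`, `identitystore:ListGroups` and `identitystore:ListGroupMemberships` in the account that administers Identity Center, and the pagination helper matters for real directories, where these calls return results in pages rather than in one response.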
IAM Identity Center can manage workforce sign-in and access to all accounts in an AWS Organization, with the possibility to delegate the administration to a member account. In a popular Reddit thread, user matheuscbjr highlights one of the use cases of the new APIs:
I had a demand to generate reports and automations based on users and groups in the old AWS SSO; at that time this was not possible, and for that I had to get this information directly from AD via LDAP.
Other users point out that the new Identity Store APIs are not a SCIM interface, and that when users and groups already live in an external identity provider it is easier to keep pushing them into IAM Identity Center through its existing SCIM provisioning endpoint than to manage them through the new APIs.
IAM Identity Center is offered at no additional charge. The cloud provider updated the IAM Identity Center User Guide and the Identity Store API Reference Guide with more information about the new APIs.