Log in to the AWS Console using your root account or an admin IAM user. You will use the AWS Console to configure SSO.
Enter the Admin Console for KeyCloak.
Since KeyCloak does not support syncing users into AWS, you must add the user manually. This can be semi-automated using the API, but that is outside the scope of this article. We will proceed manually to fully conceptualize the process.
Clicking Command line or programmatic access yields temporary credentials for the actions permitted by the PowerUser role. The inline documentation is pretty complete; I encourage you to read it.
Alternatively, there is a link that provides the graphical console experience.
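As an added example (not part of the original post), the script below turns the three `export` lines the user portal hands out under Command line or programmatic access into a named AWS CLI profile, and refuses an incomplete paste. The profile name, output path and every credential value are constructed placeholders.

```shell
#!/bin/sh
# Added example: convert the AWS SSO portal's "export" credential block into an
# AWS CLI profile section. All key values below are constructed placeholders.
set -e
umask 077   # anything we create is readable by the current user only

# Constructed sample of what the portal displays (placeholder values only).
SAMPLE_BLOCK='export AWS_ACCESS_KEY_ID="ASIAEXAMPLEKEY000001"
export AWS_SECRET_ACCESS_KEY="EXAMPLESECRETKEYxxxxxxxxxxxxxxxxxxxxxxxx"
export AWS_SESSION_TOKEN="EXAMPLESESSIONTOKEN.xxxxxxxxxx"'

# Print the value of one exported variable from the block; prints nothing if absent.
get_export() {
  printf '%s\n' "$2" | sed -n "s/^export $1=\"\(.*\)\"$/\1/p"
}

# Append the block as a [profile] section to the credentials file given in $3.
# SSO credentials are temporary, so a block without a session token is an
# incomplete paste rather than a usable profile, and is rejected.
write_profile() {
  profile="$1"; block="$2"; out="$3"
  key=$(get_export AWS_ACCESS_KEY_ID "$block")
  secret=$(get_export AWS_SECRET_ACCESS_KEY "$block")
  token=$(get_export AWS_SESSION_TOKEN "$block")
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "incomplete credential block for profile $profile" >&2
    return 1
  fi
  {
    printf '[%s]\n' "$profile"
    printf 'aws_access_key_id = %s\n' "$key"
    printf 'aws_secret_access_key = %s\n' "$secret"
    printf 'aws_session_token = %s\n' "$token"
  } >> "$out"
}

# Usage: write the constructed block to a scratch file and show the section.
CRED_FILE="${TMPDIR:-/tmp}/aws-sso-credentials.example"
: > "$CRED_FILE"
write_profile poweruser "$SAMPLE_BLOCK" "$CRED_FILE"
cat "$CRED_FILE"
```

Point the CLI at the section with `--profile poweruser` (or by writing it into `~/.aws/credentials`); the session token expires with the portal session, so the profile has to be refreshed rather than kept.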
The traditional approach of creating an IAM user for each person who needs AWS access is tedious, error-prone, and not secure unless you have tight management around users. Creating a central authority of identity is critical for security as a business scales and becomes more reliant on external systems.
This configuration simplifies and fortifies user on-boarding into AWS compared with dedicated IAM user accounts: the distribution of credentials is tied to your organization's identity provider and is automated through a self-service portal.
While this article uses KeyCloak as the Identity Provider, there are many commercial offerings that support more advanced features such as SCIM, eliminating the need to manually create a record in the AWS SSO Users table.
To reiterate, this process is still superior to IAM users. During off-boarding, access to credentials is disabled as soon as the user is locked in the identity provider. The record in the AWS SSO Users table only allows a successful auth event when the identity provider returns a valid response. Without the blessing of the IdP, the user can no longer access the AWS account.
In my setup, I have an internal redirect from https://<fqdn>/aws to the User portal URL. While the User portal URL is customizable, having the ability to control the entire URL is appealing for memory’s sake.
I hope that this may help other people looking for guidance on setup.