Hey everyone! I'm working with about 25 AWS accounts in my organization, and we're using Okta as our identity provider along with AWS Identity Center for managing roles. I'm trying to figure out how the approval process works when users request additional permissions on their permission sets. Sometimes these requests involve cross-account access, which complicates things since multiple teams manage resources within a single account. Typically, the user's manager approves access, but we also need approval from the team owner due to our team-based permission sets. I'm curious to know if there are other effective processes that different organizations use for managing these approval flows.
2 Answers
With Okta, you can set it up so users can assume roles, which is something that should be standard practice since it allows for better tracking and auditing. Just create a new assumable role for any user needing it. This way, you manage IAM permissions at the role level while still managing user permissions on the Okta/Active Directory level.
I'm actually trying to understand the governance approval flow you mentioned.
We handle our changes with Terraform and require all modifications to go through a GitHub pull request. This has to be approved by our platform engineering team that manages all the Infrastructure as Code and AWS accounts. Do you not have a dedicated team that manages identities or authentication for your company? If not, it seems more like a process issue than a technical one.
We do have AWS account owners, but not all resources in AWS have specific owners. For example, permissions related to SNS or SQS could be ambiguous.
Once permissions are approved, who applies them? Is it handled by the platform team?
They mentioned using IAM Identity Center, so ideally, they shouldn't need to rely on traditional IAM roles for user access.
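To make the Terraform-via-pull-request approach from the second answer concrete, here is an added example (not from the original thread or any of its posters) of what one team-scoped permission set and its cross-account assignment look like in Terraform. The IAM Identity Center group name `team-payments`, the permission set name, the SQS queue prefix and the target account ID `111122223333` are all assumed placeholders; the group is expected to be provisioned into Identity Center by Okta via SCIM, so membership stays under Okta's control while the permissions attached to the group live in this file and change only through an approved PR.

```hcl
# Added example: a team-based permission set in IAM Identity Center,
# managed as code so every change is a reviewable pull request.
# Group name, permission set name, queue prefix and account ID are
# assumed placeholders, not values from the original thread.

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# Resolve the Okta-synced (SCIM) group by its display name. Members are
# managed in Okta; Terraform only binds the group to a permission set.
data "aws_identitystore_group" "team_payments" {
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "team-payments" # assumed group name
    }
  }
}

# One permission set per team. Widening it (new statement, new managed
# policy) is a diff in this file, which is what reviewers approve.
resource "aws_ssoadmin_permission_set" "payments_engineer" {
  name             = "PaymentsEngineer" # assumed name
  description      = "Payments team day-to-day access"
  instance_arn     = local.instance_arn
  session_duration = "PT4H"
}

resource "aws_ssoadmin_managed_policy_attachment" "readonly" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.payments_engineer.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Write access is scoped to resources the team owns by naming convention,
# so an SQS/SNS request for another team's queues cannot be satisfied
# by this permission set and shows up as a separate, reviewable change.
data "aws_iam_policy_document" "payments_queues" {
  statement {
    sid       = "PaymentsQueuesReadWrite"
    actions   = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"]
    resources = ["arn:aws:sqs:*:*:payments-*"] # assumed queue prefix
  }
}

resource "aws_ssoadmin_permission_set_inline_policy" "payments_queues" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.payments_engineer.arn
  inline_policy      = data.aws_iam_policy_document.payments_queues.json
}

# The cross-account part: one assignment per (group, permission set, account).
# Granting the team access to a second account is one more block like this,
# so the PR diff shows exactly which account is being opened up.
resource "aws_ssoadmin_account_assignment" "payments_prod" {
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.payments_engineer.arn
  principal_id       = data.aws_identitystore_group.team_payments.group_id
  principal_type     = "GROUP"
  target_id          = "111122223333" # assumed account ID
  target_type        = "AWS_ACCOUNT"
}
```

With this layout, the manager/team-owner approval the question asks about can be enforced by the repository itself: a CODEOWNERS rule that requires the platform team on any file under the Identity Center directory, plus the owning team on its own permission set file, means the pull request cannot merge until both have approved, and `terraform plan` output in the PR shows reviewers the exact actions and accounts being granted.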