Best Practices for Managing AWS Credentials

Asked By TechWizard42 On

Hey everyone! It's been a while since I've explored best practices for AWS credential management. I'm particularly interested in how you handle Just-In-Time (JIT) temporary credentials for developer access. It would be awesome to integrate this process with Slack. Do you think IAM Identity Center is sufficient for managing these requests, or do you rely on any third-party tools? Looking forward to your insights! Cheers!

2 Answers

Answered By CloudArchitect77 On

I suggest using IAM Identity Center for human access, ideally integrated with your identity provider like Azure AD or Okta. For any service accounts or AWS services, it's best to use IAM roles. And remember, you should totally avoid IAM users—they're not needed at all.

DevExpert56 -

Yeah, combining Identity Center with roles is sufficient; you can achieve JIT through Slack with temporary permission assignments. SCIM from Okta or Azure AD works well too. I set up a slash command that connects to API Gateway and Lambda to manage account assignments. Plus, for workloads, using GitHub or GitLab's OIDC is a good strategy to keep everything manageable, with admin break-glass users having MFA. In short, stick with Identity Center and roles—no need for IAM users!
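One way to build the slash-command path described above, as an added example that is not code from this thread or from AWS: API Gateway hands the Slack POST to a Lambda that verifies Slack's request signature, parses `/jit <account> <role> [minutes]`, creates the Identity Center account assignment through the sso-admin API, and passes the same parameters to a scheduler that deletes the assignment when the TTL expires. The ARNs, the `/jit` command format, and the `resolve_principal` (Slack user id to Identity Store user id) and `schedule_revoke` callables are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-PLACEHOLDER"  # placeholder ARNs throughout
PERMISSION_SETS = {"readonly": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-PLACEHOLDER-RO",
                   "developer": "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-PLACEHOLDER-DEV"}
MAX_TTL_MINUTES = 480  # ceiling on how long a JIT grant may live

def slack_signature(signing_secret, timestamp, raw_body):
    """Slack v0 request signing: 'v0=' + hex(HMAC-SHA256(secret, 'v0:<ts>:<body>'))."""
    mac = hmac.new(signing_secret.encode(), f"v0:{timestamp}:{raw_body}".encode(), hashlib.sha256)
    return "v0=" + mac.hexdigest()

def verify_slack_signature(signing_secret, timestamp, raw_body, signature, now=None):
    """Reject stale timestamps (5-minute replay window), then compare in constant time."""
    now = time.time() if now is None else now
    if not timestamp.isdigit() or abs(now - int(timestamp)) > 300:
        return False
    return hmac.compare_digest(slack_signature(signing_secret, timestamp, raw_body), signature)

def parse_command(text):
    """'/jit <12-digit account> <role> [minutes]' -> request dict, or None if malformed."""
    parts = text.split()
    if len(parts) not in (2, 3):
        return None
    account, role = parts[0], parts[1].lower()
    if not (account.isdigit() and len(account) == 12) or role not in PERMISSION_SETS:
        return None
    ttl = int(parts[2]) if len(parts) == 3 and parts[2].isdigit() else 60
    return {"account": account, "role": role, "ttl_minutes": min(ttl, MAX_TTL_MINUTES)}

def assignment_params(principal_id, req):
    """Keyword arguments shared by sso-admin create_account_assignment and delete_account_assignment."""
    return {"InstanceArn": INSTANCE_ARN, "TargetId": req["account"], "TargetType": "AWS_ACCOUNT",
            "PermissionSetArn": PERMISSION_SETS[req["role"]], "PrincipalType": "USER", "PrincipalId": principal_id}

def lambda_handler(event, signing_secret, sso_admin, resolve_principal, schedule_revoke, now=None):
    """API Gateway proxy event -> create the assignment, then queue its deletion after the TTL (sso_admin: boto3 sso-admin client)."""
    headers = {k.lower(): v for k, v in event.get("headers", {}).items()}
    body = event.get("body", "")
    if not verify_slack_signature(signing_secret, headers.get("x-slack-request-timestamp", ""), body, headers.get("x-slack-signature", ""), now):
        return {"statusCode": 401, "body": "bad signature"}
    form = parse_qs(body)
    req = parse_command(form.get("text", [""])[0])
    if req is None:
        return {"statusCode": 200, "body": "usage: /jit <account_id> <readonly|developer> [minutes]"}
    params = assignment_params(resolve_principal(form["user_id"][0]), req)
    sso_admin.create_account_assignment(**params)
    schedule_revoke(params, req["ttl_minutes"])  # e.g. EventBridge Scheduler -> delete_account_assignment
    return {"statusCode": 200, "body": f"{req['role']} on {req['account']} for {req['ttl_minutes']} min"}
```

The revoke side is the part that makes the grant "just in time": whatever scheduler you use must call `delete_account_assignment` with exactly the parameters captured at grant time, and an assignment without a queued revocation should be treated as a failed request.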

Answered By DevGuru88 On

Absolutely, using IAM Identity Center with AWS CLI SSO login is a solid approach! You can set up profiles mapped to specific roles to manage different permission sets depending on the task. This method works really well for transitioning to STS role-based access in production environments with EKS, ECS, EC2, and Lambda processes.

QuestionAsker123 -

Thanks for the input! I just updated my question to include potential integration with Slack—do you know if that’s possible? Maybe through AWS ChatBot?

CloudNinja99 -

Just a heads up: IAM Identity Center uses SCIM for PIM/JIT access from Entra ID, but if you have a lot of developers, it might run into rate limits on Entra's side, causing delays of about 40 minutes for access, as mentioned in the AWS docs. Personally, I prefer direct federation from Entra. Okta can also help with JIT integration.
