Why do Control Tower Accounts also need an SSO User
Asked by Derrops

Why, when creating a new AWS account via the AWS Control Tower Account Factory, does an SSO user also need to be created? There is already an email for the root user, and through AWS SSO you can assign users/groups anyway, so what purpose does it serve to make an SSO user as well? You may not want a new user, or should I simply put the email of an existing SSO user?
This is something that is not that intuitive, indeed. It feels like wrong UX.
However, there is a reason behind that. Let's check the docs first:
As we see, the general approach is that it should not be possible to create a state where we cannot access the new account by default. So either it will create a new user, or it will understand that it is an existing user and use that.
So you can type your SSO email and sort out the PermissionSets later, or you could use a default Control Tower admin user for just this reason.
You could create a new SSO user for every account too, but to be honest it just sounds wrong. (Maybe it could work with email aliases, but it is still unnecessary and redundant.)
You could use the same address for root and the corresponding SSO user, but that feels counterproductive too.
TL;DR: For me the least painful approach is using my own SSO account and tuning the permission sets later. The general approach is perhaps to have a shared Control Tower user as a kind of account owner and backup user.
The doc: https://docs.aws.amazon.com/controltower/latest/userguide/provision-as-end-user.html
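The "tune the permission sets later" step from the answer, as an added example that is not from the question, the answer or AWS: after Account Factory has vended the account with your own SSO e-mail as the owner, audit who holds a given permission set on it and move that grant from individual users to a group. Only the boto3 `sso-admin` call names are real; every ARN, ID and the fake client are constructed placeholders.

```python
# Added example (not from the question, the answer or AWS). Audits one permission set on
# a freshly vended account and hands the grant from direct USER assignments to a GROUP,
# so per-person access is managed through group membership instead. Only the boto3
# 'sso-admin' method names are real; all ARNs/IDs and FakeSsoAdmin are constructed.

def list_assignments(sso_admin, instance_arn, account_id, permission_set_arn):
    """[(principal_type, principal_id), ...] for one permission set on one account.
    Follows NextToken so a long assignment list is never silently truncated."""
    found, kwargs = [], {"InstanceArn": instance_arn, "AccountId": account_id,
                         "PermissionSetArn": permission_set_arn}
    while True:
        page = sso_admin.list_account_assignments(**kwargs)
        found += [(a["PrincipalType"], a["PrincipalId"]) for a in page.get("AccountAssignments", [])]
        if not page.get("NextToken"):
            return found
        kwargs["NextToken"] = page["NextToken"]

def handover_plan(assignments, group_id):
    """Grant the permission set to the group (if missing) and revoke every direct USER grant."""
    plan = [] if ("GROUP", group_id) in assignments else [("create", "GROUP", group_id)]
    return plan + [("delete", "USER", pid) for ptype, pid in assignments if ptype == "USER"]

def apply_plan(sso_admin, instance_arn, account_id, permission_set_arn, plan):
    """Run creates before deletes so the account is never left with no assignee."""
    target = {"InstanceArn": instance_arn, "TargetId": account_id,
              "TargetType": "AWS_ACCOUNT", "PermissionSetArn": permission_set_arn}
    for action, ptype, pid in sorted(plan, key=lambda step: step[0] != "create"):
        call = sso_admin.create_account_assignment if action == "create" else sso_admin.delete_account_assignment
        call(PrincipalType=ptype, PrincipalId=pid, **target)

class FakeSsoAdmin:
    """Constructed stand-in for boto3.client('sso-admin'): two pages, one user, one group."""
    pages = [{"AccountAssignments": [{"PrincipalType": "USER", "PrincipalId": "user-owner"}],
              "NextToken": "p2"},
             {"AccountAssignments": [{"PrincipalType": "GROUP", "PrincipalId": "grp-other"}]}]
    def __init__(self):
        self.calls = []  # records every create/delete so the handover can be inspected
    def list_account_assignments(self, **kw):
        return self.pages[1 if kw.get("NextToken") == "p2" else 0]
    def create_account_assignment(self, **kw):
        self.calls.append(("create", kw["PrincipalType"], kw["PrincipalId"]))
    def delete_account_assignment(self, **kw):
        self.calls.append(("delete", kw["PrincipalType"], kw["PrincipalId"]))

def demo(sso_admin=None):
    """Audit, then hand the grant to 'grp-cloud-admins'; returns the ordered API calls made.
    Pass boto3.client('sso-admin') and real ARNs instead of the fake for a live run."""
    client = sso_admin or FakeSsoAdmin()
    inst, acct = "arn:aws:sso:::instance/PLACEHOLDER", "111111111111"
    pset = "arn:aws:sso:::permissionSet/PLACEHOLDER/PLACEHOLDER"
    plan = handover_plan(list_assignments(client, inst, acct, pset), "grp-cloud-admins")
    apply_plan(client, inst, acct, pset, plan)
    return client.calls
```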