Why do Control Tower Accounts also need an SSO User

Question

Why when creating a new AWS account via the AWS Control Tower Account Factory does an SSO user also need to be created? There is already an email for the root user can through AWS SSO you can assign users/groups anyway, so what purpose does it serve to make an SSO user as well? You may not want a new user, or should I simply put the email of an existing SSO user?

Answer 1

This is something that is not that intuitive, indeed. Feels like a wrong UX.

However, there is a reason behind that. Let's check the docs first:

The SSOUserEmail can be a new email address, or the email address associated with an existing IAM Identity Center user. Whichever you choose, this user will have administrative access to the account you're provisioning.

The AccountEmail must be an email address that isn't already associated with an AWS account. If you used a new email address in SSOUserEmail, you can use that email address here.

As we see, the general approach is something like that we could not create a state, where we cannot access the new account by default. So either it will create a new user, or will understand that it is an existing user, and using that.

So you can type your SSO email, and will sort out the PermissionSets later, or you could use a default controltower admin user for just this reason.

---

You could create a new SSO user for every account too, but to be honest it just sounds wrong. (maybe with email aliases could work, but still unnecessary, redundant)

You could use the same address for root and the correspondent SSO, but it feels counterproductive too.

TL;DR: For me the less painful approach is using my own SSO account, and later tuning the permissionsets. The general approach is perhaps to have a ControlTower shared user, for kind of an account owner and backup user.

The doc: https://docs.aws.amazon.com/controltower/latest/userguide/provision-as-end-user.html