Why do Control Tower Accounts also need an SSO User

Why, when creating a new AWS account via the AWS Control Tower Account Factory, does an SSO user also need to be created? There is already an email for the root user, and through AWS SSO you can assign users/groups anyway, so what purpose does it serve to make an SSO user as well? You may not want a new user, or should I simply put the email of an existing SSO user?
1k views. Asked by Derrops.
This is something that is not that intuitive, indeed. It feels like wrong UX.
However, there is a reason behind it. Let's check the docs first:
As we see, the general approach is that we cannot end up in a state where we cannot access the new account by default. So either it will create a new user, or it will recognise that it is an existing user and use that.
So you can type your SSO email and sort out the permission sets later, or you could use a default Control Tower admin user for just this reason.
You could create a new SSO user for every account too, but to be honest it just sounds wrong (maybe it could work with email aliases, but it is still unnecessary and redundant).
You could use the same address for root and the corresponding SSO user, but that feels counterproductive too.
TL;DR: For me the least painful approach is using my own SSO account and tuning the permission sets later. The general approach is perhaps to have a shared Control Tower user, as a kind of account owner and backup user.
The doc: https://docs.aws.amazon.com/controltower/latest/userguide/provision-as-end-user.html
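The workflow the answer recommends (reuse an existing Identity Center user as the Account Factory `SSOUserEmail`, then tune permission sets afterwards) as an added example; this is not code from the original post or from AWS. The AWS clients are passed in as parameters so the logic can run offline; in real use they would be `boto3.client("identitystore")`, `boto3.client("servicecatalog")` and `boto3.client("sso-admin")`. The `Fake*` classes are constructed in-memory stand-ins, and every ARN, id and email is a placeholder. The Account Factory parameter names (`AccountEmail`, `SSOUserEmail`, `ManagedOrganizationalUnit`, ...) are the product's documented ones; the product and artifact ids are assumed.

```python
from dataclasses import dataclass


@dataclass
class AccountRequest:
    account_name: str
    account_email: str      # root user email of the new account
    sso_user_email: str     # existing Identity Center user who gets default access
    sso_first_name: str
    sso_last_name: str
    managed_ou: str


def lookup_sso_user_id(identitystore, identity_store_id, email):
    """Resolve an email (UserName) to an Identity Store user id, or None if absent.
    Reusing an existing user avoids one throw-away SSO user per account."""
    resp = identitystore.list_users(
        IdentityStoreId=identity_store_id,
        Filters=[{"AttributePath": "UserName", "AttributeValue": email}],
    )
    users = resp.get("Users", [])
    return users[0]["UserId"] if users else None


def provisioning_parameters(req):
    """Account Factory product parameters. SSOUserEmail is mandatory: it is how
    Control Tower guarantees the new account is reachable from day one."""
    return [
        {"Key": "AccountName", "Value": req.account_name},
        {"Key": "AccountEmail", "Value": req.account_email},
        {"Key": "SSOUserEmail", "Value": req.sso_user_email},
        {"Key": "SSOUserFirstName", "Value": req.sso_first_name},
        {"Key": "SSOUserLastName", "Value": req.sso_last_name},
        {"Key": "ManagedOrganizationalUnit", "Value": req.managed_ou},
    ]


def provision_account(servicecatalog, product_id, artifact_id, req):
    """Launch the Account Factory product; returns the Service Catalog record id."""
    resp = servicecatalog.provision_product(
        ProductId=product_id,
        ProvisioningArtifactId=artifact_id,
        ProvisionedProductName=req.account_name,
        ProvisioningParameters=provisioning_parameters(req),
    )
    return resp["RecordDetail"]["RecordId"]


def assign_permission_sets(sso_admin, instance_arn, account_id, user_id, permission_set_arns):
    """The 'sort out the permission sets later' step: one assignment per permission
    set, scoped to the single existing user rather than a new per-account identity."""
    request_ids = []
    for ps_arn in permission_set_arns:
        resp = sso_admin.create_account_assignment(
            InstanceArn=instance_arn,
            TargetId=account_id,
            TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arn,
            PrincipalType="USER",
            PrincipalId=user_id,
        )
        request_ids.append(resp["AccountAssignmentCreationStatus"]["RequestId"])
    return request_ids


# Constructed stand-ins so the flow runs without AWS credentials.
class FakeIdentityStore:
    def __init__(self, users):
        self._users = users  # {email: user_id}

    def list_users(self, IdentityStoreId, Filters):
        uid = self._users.get(Filters[0]["AttributeValue"])
        return {"Users": [{"UserId": uid}] if uid else []}


class FakeServiceCatalog:
    def __init__(self):
        self.calls = []

    def provision_product(self, **kwargs):
        self.calls.append(kwargs)
        return {"RecordDetail": {"RecordId": "rec-placeholder-1"}}


class FakeSsoAdmin:
    def __init__(self):
        self.calls = []

    def create_account_assignment(self, **kwargs):
        self.calls.append(kwargs)
        return {"AccountAssignmentCreationStatus": {"RequestId": f"req-{len(self.calls)}"}}


def demo():
    """End-to-end run against the fakes; all values are placeholders."""
    req = AccountRequest("workload-dev", "aws-workload-dev-root@example.com",
                         "alice@example.com", "Alice", "Admin", "Workloads")
    ids = FakeIdentityStore({"alice@example.com": "user-placeholder-1"})
    user_id = lookup_sso_user_id(ids, "d-placeholder", req.sso_user_email)
    sc = FakeServiceCatalog()
    record_id = provision_account(sc, "prod-placeholder", "pa-placeholder", req)
    sso = FakeSsoAdmin()
    reqs = assign_permission_sets(sso, "arn:aws:sso:::instance/ssoins-placeholder",
                                  "111111111111", user_id,
                                  ["arn:aws:sso:::permissionSet/ssoins-placeholder/ps-placeholder"])
    params = {p["Key"]: p["Value"] for p in sc.calls[0]["ProvisioningParameters"]}
    return {"user_id": user_id, "record_id": record_id,
            "assignment_requests": reqs, "sso_email_param": params["SSOUserEmail"]}


if __name__ == "__main__":
    print(demo())
```

If `lookup_sso_user_id` returns `None`, Account Factory will create the user itself, which is exactly the behaviour the answer describes; checking first lets you decide deliberately whether that is what you want.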