Onboarding users
When new folks join your company they're probably going to need access to AWS. Here's a quick guide for granting it, depending on which identity provider you use.
After you've added folks to the identity provider per your usual onboarding process for all employees, do the following for each user who needs access to AWS.
Azure AD
Visit https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers in a browser (or visit the Azure portal, click Azure Active Directory, and click Users)
Click the user's name
Click Assigned roles in the left column
Click Add assignments
Select “Attribute Assignment Reader” and “Attribute Definition Reader”
Click Add
Click Custom security attributes (preview)
Click Add assignment
Select “AWS” in the Attribute set column
Select “RoleName” in the Attribute name column
Enter the name (not the ARN) of the IAM role they should assume in your Substrate account (“Administrator” for yourself as you're getting started; for others, if it's not “Administrator” or “Auditor”, ensure you've followed “adding non-Administrator roles for humans” first)
Click Save
Visit https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null in that same browser (or visit the Azure portal, click Azure Active Directory, and click Enterprise applications)
Click the name of the application you created above
Click Users and groups in the left column
Click Add user/group
Click Users
Select the user you're onboarding
Click Select
Click Assign
Google Workspace
Visit https://admin.google.com/ac/users (or visit https://admin.google.com and click Users)
Click the user's name
Click User information
In the AWS section, click Add RoleName and paste the name (not the ARN) of the IAM role they should assume in your Substrate account (if it's not “Administrator” or “Auditor”, ensure you've followed “adding non-Administrator roles for humans” first)
Click SAVE
Okta
Visit your Okta admin panel in a browser
Click the hamburger menu
Click People in the Directory section
Click the user's name
Click Profile
Click Edit
In the AWS_RoleName input, enter the name (not the ARN) of the IAM role they should assume in your Substrate account (“Administrator” for yourself as you're getting started; for others, if it's not “Administrator” or “Auditor”, ensure you've followed “adding non-Administrator roles for humans” first)
Click Save
Click the hamburger menu
Click Applications in the Applications section
Click the name of your Intranet application
Click the Assignments tab
Click Assign and then Assign to People
Select your new folks
Click Assign
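A pre-flight check for the RoleName value these steps ask you to enter, as an added example that is not part of Substrate or the original guide: it flags ARNs, stray whitespace, invalid characters, and role names that are neither “Administrator” nor “Auditor” nor in a list of custom roles you have already created. The record layout, function names, issue codes, sample users and account ID are constructed for illustration; the character rule is IAM's limit for role names.

```python
import re

# IAM role names: 1-64 characters from letters, digits and _+=,.@-
ROLE_NAME = re.compile(r"[\w+=,.@-]{1,64}", re.ASCII)
BUILT_IN = {"Administrator", "Auditor"}  # the two roles the guide names

# Where each identity provider in the guide keeps the value (labels are ours).
ATTRIBUTE = {
    "azure-ad": "AWS/RoleName",          # attribute set AWS, attribute RoleName
    "google-workspace": "AWS/RoleName",  # AWS section, RoleName field
    "okta": "AWS_RoleName",              # profile input
}

USERS = [  # constructed sample export, not real directory data
    {"user": "alice@example.com", "idp": "okta", "role_name": "Administrator"},
    {"user": "bob@example.com", "idp": "google-workspace",
     "role_name": "arn:aws:iam::123456789012:role/Auditor"},
    {"user": "carol@example.com", "idp": "azure-ad", "role_name": "Developer "},
    {"user": "dave@example.com", "idp": "okta", "role_name": "DataScience"},
    {"user": "erin@example.com", "idp": "azure-ad", "role_name": ""},
]

def check_role_name(value, custom_roles=frozenset()):
    """Return issue codes for one RoleName value; an empty list means OK."""
    if not value or not value.strip():
        return ["missing"]
    issues = []
    name = value.strip()
    if name != value:
        issues.append("whitespace")        # stray space or newline from pasting
    if name.lower().startswith("arn:"):
        return issues + ["arn-not-name"]   # the guide wants the name, not the ARN
    if not ROLE_NAME.fullmatch(name):
        return issues + ["invalid-characters"]
    if name not in BUILT_IN and name not in custom_roles:
        issues.append("unknown-role")      # create the custom role first
    return issues

def audit(users, custom_roles=frozenset()):
    """Map each user with a problem to (attribute location, issue codes)."""
    report = {}
    for u in users:
        issues = check_role_name(u.get("role_name"), custom_roles)
        if issues:
            report[u["user"]] = (ATTRIBUTE[u["idp"]], issues)
    return report

if __name__ == "__main__":
    for user, (attr, issues) in audit(USERS, {"Developer"}).items():
        print(f"{user}: {attr}: {', '.join(issues)}")
```

Pass the set of custom role names you have already created as custom_roles so that only roles unknown to you are reported.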