Onboarding users
When new folks join your company they’re probably going to need access to AWS. Here’s a quick guide for granting it, depending on which identity provider you use.
After you’ve added folks to the identity provider per your usual onboarding process for all employees, do the following for each user who needs access to AWS.
Azure AD
- Visit https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers in a browser (or visit the Azure portal, click Azure Active Directory, and click Users)
- Click the user’s name
- Click Assigned roles in the left column
- Click Add assignments
- Select “Attribute Assignment Reader” and “Attribute Definition Reader”
- Click Add
- Click Custom security attributes (preview)
- Click Add assignment
- Select “AWS” in the Attribute set column
- Select “RoleName” in the Attribute name column
- Enter the name (not the ARN) of the IAM role they should assume in your Substrate account: “Administrator” for yourself as you’re getting started; for other users, if the role is neither “Administrator” nor “Auditor”, make sure you’ve followed the instructions for adding non-Administrator roles for humans first
- Click Save
- Visit https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null in that same browser (or visit the Azure portal, click Azure Active Directory, and click Enterprise applications)
- Click the name of the enterprise application you created when setting up Azure AD as your identity provider
- Click Users and groups in the left column
- Click Add user/group
- Click Users
- Select the user you’re onboarding
- Click Select
- Click Assign
Google Workspace
- Visit https://admin.google.com/ac/users (or visit https://admin.google.com and click Users)
- Click the user’s name
- Click User information
- In the AWS section, click Add RoleName and paste the name (not the ARN) of the IAM role they should assume in your Substrate account (if the role is neither “Administrator” nor “Auditor”, make sure you’ve followed the instructions for adding non-Administrator roles for humans first)
- Click SAVE
Okta
- Visit your Okta admin panel in a browser
- Click the hamburger menu
- Click People in the Directory section
- Click the user’s name
- Click Profile
- Click Edit
- In the AWS_RoleName input, enter the name (not the ARN) of the IAM role they should assume in your Substrate account: “Administrator” for yourself as you’re getting started; for other users, if the role is neither “Administrator” nor “Auditor”, make sure you’ve followed the instructions for adding non-Administrator roles for humans first
- Click Save
- Click the hamburger menu
- Click Applications in the Applications section
- Click the name of your Intranet application
- Click the Assignments tab
- Click Assign and then Assign to People
- Select your new folks
- Click Assign
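Whichever identity provider you use, the value that goes into the RoleName attribute (Azure AD’s custom security attribute, Google Workspace’s custom AWS field, or Okta’s AWS_RoleName) is a bare IAM role name, never an ARN, and it must name a role that really exists in your Substrate account. The script below is an added example, not part of Substrate or its documentation, for checking a value before you paste it: it rejects ARNs and malformed names, recovers the name if an ARN is what you have handy, and, when the AWS CLI is installed and configured with credentials for your Substrate account (an assumption), confirms the role exists there.

```shell
#!/bin/sh
# Added example, not part of the Substrate documentation: sanity-check a value
# before pasting it into the identity provider's RoleName attribute.
# Assumes the AWS CLI, when present, is configured with credentials for the
# Substrate account so that the optional existence check can run.

# Succeed (0) if $1 is a bare IAM role name; fail (1) if it is an ARN, carries
# a path, is empty, is longer than 64 characters, or contains a character
# outside IAM's role-name alphabet [A-Za-z0-9+=,.@_-].
is_role_name() {
    name="$1"
    case "$name" in
        "")    return 1 ;;   # nothing to check
        arn:*) return 1 ;;   # an ARN was pasted; the attribute wants the name only
        */*)   return 1 ;;   # "path/Name" is not a bare role name either
        *[!A-Za-z0-9+=,.@_-]*) return 1 ;;
    esac
    [ "${#name}" -le 64 ]
}

# Print the bare role name from an IAM role ARN (with or without a path),
# e.g. arn:aws:iam::123456789012:role/ops/Auditor -> Auditor.
# Fails (1) on anything that is not an IAM role ARN.
role_name_from_arn() {
    case "$1" in
        arn:aws:iam::*:role/*) printf '%s\n' "${1##*/}" ;;
        *) return 1 ;;
    esac
}

# Full check: normalize an ARN to a name, validate it, then (if the AWS CLI is
# installed) confirm the role exists in the account the CLI is configured for.
# Prints the value that is safe to paste into the identity provider.
check_role_name() {
    value="$1"
    if name=$(role_name_from_arn "$value"); then
        echo "note: you supplied an ARN; the IdP attribute wants the name: $name" >&2
    else
        name="$value"
    fi
    if ! is_role_name "$name"; then
        echo "error: '$name' is not a valid IAM role name" >&2
        return 1
    fi
    if command -v aws >/dev/null 2>&1; then
        # get-role takes the name, never the ARN, and fails if the role is absent
        aws iam get-role --role-name "$name" --query Role.Arn --output text >/dev/null || {
            echo "error: role '$name' does not exist in the account the AWS CLI is using" >&2
            return 1
        }
    else
        echo "note: aws CLI not found; skipped the existence check" >&2
    fi
    printf '%s\n' "$name"
}

# Usage: sh check-role-name.sh Administrator
if [ "$#" -gt 0 ]; then
    check_role_name "$1"
fi
```

Run it with the same AWS profile you use for the Substrate account; if `aws iam get-role` fails, the user’s login will fail too, so add the role (see adding non-Administrator roles for humans) before touching the identity provider.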