2024.04
Source & Binary

Onboarding users

When new folks join your company they're probably going to need access to AWS. Here's a quick guide for granting it, depending on which identity provider you use.

After you've added folks to the identity provider per your usual onboarding process for all employees, do the following for each user who needs access to AWS.

Azure AD

  1. Visit https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/\~/AllUsers in a browser (or visit the Azure portal, click Azure Active Directory, and click Users)

  2. Click the user's name

  3. Click Assigned roles in the left column

  4. Click Add assignments

  5. Select “Attribute Assignment Reader” and “Attribute Definition Reader”

  6. Click Add

  7. Click Custom security attributes (preview)

  8. Click Add assignment

  9. Select “AWS” in the Attribute set column

  10. Select “RoleName” in the Attribute name column

  11. Enter the name (not the ARN) of the IAM role they should assume in your Substrate account (“Administrator” for yourself as you're getting started; if for others it's not “Administrator” or “Auditor”, ensure you've followed adding non-Administrator roles for humans first)

  12. Click Save

  13. Visit https://portal.azure.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null in that same browser (or visit the Azure portal, click Azure Active Directory, and click Enterprise applications)

  14. Click the name of the application you created above

  15. Click Users and groups in the left column

  16. Click Add user/group

  17. Click Users

  18. Select the user you're onboarding

  19. Click Select

  20. Click Assign

Google Workspace

  1. Visit https://admin.google.com/ac/users (or visit https://admin.google.com and click Users)

  2. Click the user's name

  3. Click User information

  4. In the AWS section, click Add RoleName and paste the name (not the ARN) of the IAM role they should assume in your Substrate account (if it's not “Administrator” or “Auditor”, ensure you've followed adding non-Administrator roles for humans first)

  5. Click SAVE

Okta

  1. Visit your Okta admin panel in a browser

  2. Click the hamburger menu

  3. Click People in the Directory section

  4. Click the user's name

  5. Click Profile

  6. Click Edit

  7. In the AWS_RoleName input, enter the name (not the ARN) of the IAM role they should assume in your Substrate account (“Administrator” for yourself as you're getting started; if for others it's not “Administrator” or “Auditor”, ensure you've followed adding non-Administrator roles for humans first)

  8. Click Save

  9. Click the hamburger menu

  10. Click Applications in the Applications section

  11. Click the name of your Intranet application

  12. Click the Assignments tab

  13. Click Assign and then Assign to People

  14. Select your new folks

  15. Click Assign

PreviousAdding custom IAM roles for humans or servicesNextOffboarding users