IAM Identity Center now enables programmatic AWS account access for customer managed applications
IAM Identity Center allows customer managed applications to programmatically access AWS accounts on behalf of users, eliminating redundant sign-in prompts after external IdP authentication.
IAM Identity Center now enables customer managed applications to programmatically access AWS accounts on behalf of their users when they authenticate through an external identity provider (IdP). By configuring the IdP as a trusted token issuer (TTI) in IAM Identity Center, users can access their assigned AWS accounts and obtain temporary security credentials for their authorized roles without a separate authentication flow. This eliminates redundant sign-in prompts that previously required users to re-authenticate even after signing in through their external identity provider. This feature is available for organization instances of IAM Identity Center, and administrators must explicitly enable AWS account access for each customer managed application. Only management account administrators or delegated administrators can enable this capability, ensuring centralized governance over which applications can access account-level resources. The feature is available in all commercial AWS Regions, AWS GovCloud (US) Regions, and China Regions.