IAM Identity Center has released a new SDK plugin that simplifies AWS resource authorization for applications that authenticate users with external identity providers (IdPs) such as Microsoft Entra ID, Okta, and others. The plugin, which supports trusted identity propagation (TIP), streamlines how external IdP tokens are exchanged for IAM Identity Center tokens. These tokens enable fine-grained access control to AWS resources (for example, Amazon S3 buckets) based on the user and group memberships defined in the external IdP.
The new SDK plugin automates the token exchange, eliminating the need for complex, custom-built workflows. Once configured, it handles the IAM Identity Center token creation and the generation of user identity-aware credentials. These credentials can be used to create identity-aware IAM role sessions when requesting access to different AWS resources. Currently available for the AWS SDK for Java 2.x and the AWS SDK for JavaScript v3, this TIP plugin is AWS's recommended solution for implementing user identity-aware authorization.
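To make concrete what the plugin automates, here is the underlying two-step exchange written against the public AWS SDK for JavaScript v3 APIs: sso-oidc CreateTokenWithIAM (external IdP JWT in, Identity Center tokens out) followed by sts AssumeRole with ProvidedContexts (identity-enhanced role session). This is an added example, not the plugin's code and not the plugin's API; the application ARN, role ARN, region and the sample Identity Center token are constructed placeholders.

```javascript
// Added example: the token exchange that the TIP plugin automates, shown with
// the public AWS SDK for JavaScript v3 service clients. Not the plugin's code.
// All ARNs and the sample token below are constructed placeholders.

const JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer";
const IDC_CONTEXT_PROVIDER = "arn:aws:iam::aws:contextProvider/IdentityCenter";

// Decode a JWT payload without verifying the signature. The only token
// decoded here is the idToken returned by CreateTokenWithIAM over TLS; the
// claim is forwarded to STS, which validates it. Never use an unverified
// claim from this helper to make an authorization decision yourself.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Step 1: request input for exchanging the external IdP's JWT for Identity
// Center tokens. clientId is the Identity Center customer managed
// application ARN (placeholder supplied by the caller).
function buildCreateTokenWithIamInput(idpJwt, applicationArn) {
  return { clientId: applicationArn, grantType: JWT_BEARER, assertion: idpJwt };
}

// Step 2: request input for an identity-enhanced role session. The
// sts:identity_context claim of the Identity Center idToken is passed as
// ProvidedContexts so the resulting session carries the user's identity
// and group memberships.
function buildAssumeRoleInput(idcIdToken, roleArn, sessionName) {
  const claims = decodeJwtPayload(idcIdToken);
  const ctx = claims["sts:identity_context"];
  if (typeof ctx !== "string" || ctx.length === 0) {
    throw new Error("idToken has no sts:identity_context claim");
  }
  return {
    RoleArn: roleArn,
    RoleSessionName: sessionName,
    ProvidedContexts: [{ ProviderArn: IDC_CONTEXT_PROVIDER, ContextAssertion: ctx }],
  };
}

// End-to-end flow with live AWS calls (not run offline). Requires the
// @aws-sdk/client-sso-oidc and @aws-sdk/client-sts packages and caller
// credentials allowed to call CreateTokenWithIAM for the application.
async function identityAwareCredentials(idpJwt, applicationArn, roleArn, sessionName, region) {
  const { SSOOIDCClient, CreateTokenWithIAMCommand } = require("@aws-sdk/client-sso-oidc");
  const { STSClient, AssumeRoleCommand } = require("@aws-sdk/client-sts");
  const oidc = new SSOOIDCClient({ region });
  const tok = await oidc.send(
    new CreateTokenWithIAMCommand(buildCreateTokenWithIamInput(idpJwt, applicationArn)),
  );
  const sts = new STSClient({ region });
  const out = await sts.send(
    new AssumeRoleCommand(buildAssumeRoleInput(tok.idToken, roleArn, sessionName)),
  );
  return out.Credentials; // identity-aware credentials for S3 and other services
}

// Constructed, unsigned sample Identity Center idToken for offline use only.
function sampleIdcIdToken() {
  const header = Buffer.from(JSON.stringify({ alg: "none" })).toString("base64url");
  const payload = Buffer.from(JSON.stringify({
    sub: "user-id-placeholder",
    "sts:identity_context": "EXAMPLE_IDENTITY_CONTEXT",
  })).toString("base64url");
  return `${header}.${payload}.`;
}
```

The role named in RoleArn must trust the caller for sts:AssumeRole and also allow sts:SetContext, otherwise AssumeRole rejects the ProvidedContexts. The resulting session's identity context is what resource policies and IAM Identity Center permission checks evaluate, which is the precise-access-control property the announcement describes.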
IAM Identity Center enables you to connect your existing source of workforce identities to AWS once, access the personalized experiences offered by AWS applications such as Amazon Q, define and audit user identity-aware access to data in AWS services, and manage access to multiple AWS accounts from a central place. For instructions on installing this plugin, see here. For an example of how Amazon Q Business developers can integrate this plugin to build user identity-aware generative AI experiences, see here. This plugin is available at no additional cost in all AWS Regions where IAM Identity Center is supported.