Manage AWS IAM Identity Center (SSO) users — create users, assign permission sets, remove IAM, send onboarding/migration emails via SES. Use this skill when onboarding new starters, changing roles, offboarding users, or auditing SSO access.
Reference values:

- Identity Center instance ARN: arn:aws:sso:::instance/ssoins-68041faa362c6274
- Identity store ID: d-9367b36fef
- Identity Center region: eu-west-1
- Access portal: https://paperround.awsapps.com/start (also accessible via https://d-9367b36fef.awsapps.com/start)
- AWS account IDs: 474344676769, 977099013930
- Onboarding email sender: [email protected]; CC: [email protected]; SES region: eu-west-2
- Email domain: @paperround.tech ([email protected]); legacy domain @paperround.net (being phased out)

Permission sets:

| Name | ARN | Typical Use |
|---|---|---|
| JuniorDeveloper | ps-6804a576433065d7 | Junior/new developers, dev & QA only |
| Developer | ps-fb5ac14dc8e729f9 | Mid-level developers |
| SeniorDeveloper | ps-6804f66279b5f875 | Senior developers, broader env access |
| InsightsDeveloper | ps-6804a6262f5313ba | Data/insights focused access |
| ProductionSupport | ps-68044b828e69ddab | Prod incident response (ECS restart, Lambda invoke, SQS redrive, SSM sessions) |
| SecurityAdmin | ps-680413133800c917 | Security tooling and audit |
| FinanceAdmin | ps-6804585996d83231 | Billing and cost management |
| ReadOnlyAccess | ps-90e313ba97c05d8a | Read-only across services |
| AdministratorAccess | ps-648f98be299a7032 | Full admin (leads only) |
All permission set ARNs share the prefix arn:aws:sso:::permissionSet/ssoins-68041faa362c6274/
Set AWS_PAGER="" or pass --output json to avoid paging in CLI calls. Identity Center and Identity Store commands run in eu-west-1; SES runs in eu-west-2.

Create a user:

```bash
AWS_PAGER="" aws identitystore create-user \
  --identity-store-id d-9367b36fef \
  --user-name '[email protected]' \
  --name '{"GivenName":"Firstname","FamilyName":"Lastname"}' \
  --display-name 'Firstname Lastname' \
  --emails '[{"Value":"[email protected]","Type":"work","Primary":true}]' \
  --region eu-west-1 --output json
```
Note the returned UserId — it's needed for permission set assignment.
After creation, the user needs a password set via Identity Center console: Users → select user → Reset password → Send email.
Assign a permission set to the user in an account:

```bash
AWS_PAGER="" aws sso-admin create-account-assignment \
  --instance-arn 'arn:aws:sso:::instance/ssoins-68041faa362c6274' \
  --target-id '<ACCOUNT_ID>' \
  --target-type AWS_ACCOUNT \
  --permission-set-arn 'arn:aws:sso:::permissionSet/ssoins-68041faa362c6274/<PS_ID>' \
  --principal-type USER \
  --principal-id '<USER_ID>' \
  --region eu-west-1 --output json
```
Remove an assignment (role change or offboarding):

```bash
AWS_PAGER="" aws sso-admin delete-account-assignment \
  --instance-arn 'arn:aws:sso:::instance/ssoins-68041faa362c6274' \
  --target-id '<ACCOUNT_ID>' \
  --target-type AWS_ACCOUNT \
  --permission-set-arn 'arn:aws:sso:::permissionSet/ssoins-68041faa362c6274/<PS_ID>' \
  --principal-type USER \
  --principal-id '<USER_ID>' \
  --region eu-west-1 --output json
```
```bash
# Get user ID
AWS_PAGER="" aws identitystore list-users \
  --identity-store-id d-9367b36fef \
  --filters 'AttributePath=UserName,[email protected]' \
  --region eu-west-1 --output json
# List assignments
AWS_PAGER="" aws sso-admin list-account-assignments-for-principal \
  --instance-arn 'arn:aws:sso:::instance/ssoins-68041faa362c6274' \
  --principal-id '<USER_ID>' \
  --principal-type USER \
  --region eu-west-1 --output json
```
Only after the user has confirmed SSO access is working:
```bash
# Check for access keys first
AWS_PAGER="" aws iam list-access-keys --user-name '[email protected]' --output json
# Delete keys if present
AWS_PAGER="" aws iam delete-access-key --user-name '[email protected]' --access-key-id '<KEY_ID>'
# Remove from groups, detach managed policies and delete inline policies (delete-user fails while any remain)
AWS_PAGER="" aws iam list-groups-for-user --user-name '[email protected]' --output json
AWS_PAGER="" aws iam remove-user-from-group --user-name '[email protected]' --group-name '<GROUP_NAME>'
AWS_PAGER="" aws iam list-attached-user-policies --user-name '[email protected]' --output json
AWS_PAGER="" aws iam detach-user-policy --user-name '[email protected]' --policy-arn '<POLICY_ARN>'
AWS_PAGER="" aws iam list-user-policies --user-name '[email protected]' --output json
AWS_PAGER="" aws iam delete-user-policy --user-name '[email protected]' --policy-name '<POLICY_NAME>'
# Delete the login profile (console password), then the user
AWS_PAGER="" aws iam delete-login-profile --user-name '[email protected]'
AWS_PAGER="" aws iam delete-user --user-name '[email protected]'
```
```bash
# Remove all account assignments first (see step 3), then:
AWS_PAGER="" aws identitystore delete-user \
  --identity-store-id d-9367b36fef \
  --user-id '<USER_ID>' \
  --region eu-west-1
```
Use a Python script to iterate all SSO users and their assignments:

- identitystore list-users to get all users
- sso-admin list-account-assignments-for-principal per user
- iam get-user / iam list-access-keys to check legacy IAM status

Emails should be sent from [email protected], CC'd to [email protected], via SES in eu-west-2.
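An added example of the audit script outlined above (example code, not part of this skill's own tooling): it walks every user, collects (account, permission set) pairs, counts any legacy IAM access keys still attached, and flags users who have not finished migrating or have nothing assigned. The three boto3 clients are injected so the logic runs offline; audit_sso_users, flag_issues and sample_clients are hypothetical names, and the sample users, account ID and access key ID are constructed.

```python
"""Audit Identity Center users: assignments per user plus any leftover legacy IAM access keys."""
from types import SimpleNamespace
PS_PREFIX = "arn:aws:sso:::permissionSet/ssoins-68041faa362c6274/"  # from the reference table above

def _paginate(call, key, **kwargs):
    """Follow NextToken until exhausted, yielding the items stored under `key`."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        if not (token := resp.get("NextToken")):
            return

def audit_sso_users(identitystore, sso_admin, iam, identity_store_id, instance_arn):
    """Return {user_name: {"assignments": [(account_id, ps_id)], "iam_keys": count}}."""
    report = {}
    for user in _paginate(identitystore.list_users, "Users", IdentityStoreId=identity_store_id):
        found = _paginate(sso_admin.list_account_assignments_for_principal, "AccountAssignments",
                          InstanceArn=instance_arn, PrincipalId=user["UserId"], PrincipalType="USER")
        assignments = [(a["AccountId"], a["PermissionSetArn"].removeprefix(PS_PREFIX)) for a in found]
        try:  # the legacy IAM user of the same name may already have been deleted
            keys = iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]
        except iam.exceptions.NoSuchEntityException:
            keys = []
        report[user["UserName"]] = {"assignments": assignments, "iam_keys": len(keys)}
    return report

def flag_issues(report):
    """Users still holding IAM keys (migration unfinished) or with nothing assigned (orphaned account)."""
    return sorted([f"{n}: {i['iam_keys']} legacy IAM access key(s) still present"
                   for n, i in report.items() if i["iam_keys"]]
                  + [f"{n}: no account assignments" for n, i in report.items() if not i["assignments"]])

class NoSuchEntity(Exception): pass  # stands in for iam.exceptions.NoSuchEntityException below

def sample_clients():
    """Constructed stand-ins for the three boto3 clients: alice still has an IAM key, bob has nothing."""
    pages = {None: {"Users": [{"UserId": "u-alice", "UserName": "alice@example.com"}], "NextToken": "p2"},
             "p2": {"Users": [{"UserId": "u-bob", "UserName": "bob@example.com"}]}}
    assigns = {"u-alice": [{"AccountId": "111111111111", "PermissionSetArn": PS_PREFIX + "ps-fb5ac14dc8e729f9"}],
               "u-bob": []}
    def list_access_keys(UserName):
        if UserName != "alice@example.com":
            raise NoSuchEntity()
        return {"AccessKeyMetadata": [{"AccessKeyId": "AKIACONSTRUCTED0001", "Status": "Active"}]}
    identitystore = SimpleNamespace(list_users=lambda **kw: pages[kw.get("NextToken")])
    sso_admin = SimpleNamespace(list_account_assignments_for_principal=lambda **kw: {"AccountAssignments": assigns[kw["PrincipalId"]]})
    iam = SimpleNamespace(list_access_keys=list_access_keys, exceptions=SimpleNamespace(NoSuchEntityException=NoSuchEntity))
    return identitystore, sso_admin, iam
```

Against the real tenant, build the clients with boto3.client("identitystore", region_name="eu-west-1"), boto3.client("sso-admin", region_name="eu-west-1") and boto3.client("iam"), and pass the identity store ID and instance ARN from the reference values above.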
The welcome email should include:
- The start URL: https://paperround.awsapps.com/start
- Their username (their @paperround.tech address)
- CLI setup (aws configure sso with session name paperround, the start URL, and region eu-west-1)
- aws sso login --profile paperround
- AWS_PROFILE=paperround export tip
- --no-browser option for headless/remote servers

For existing users transitioning from IAM to SSO: