AWS IAM Identity Providers - OIDC, SAML, and Federation APIs
What is an IAM Identity Provider?

An IAM Identity Provider is a configuration in AWS that tells IAM “trust this external identity system.” It lets users authenticated by external systems (Google, Okta, GitHub Actions, etc.) get temporary AWS credentials without creating IAM users.

Key Concepts

Concept: What it is

Identity Provider (IdP): External system that authenticates users (Google, Okta, Azure AD, etc.)
Service Provider (SP): System that trusts the IdP and provides resources (AWS in this case)
Federation: Linking identities across different systems; the user logs in once and accesses multiple systems
Trust Relationship: AWS saying “I believe what this IdP tells me about users”
OIDC Provider: IAM entity for trusting OpenID Connect-based IdPs
SAML Provider: IAM entity for trusting SAML 2.0-based IdPs

OIDC vs SAML

OIDC (OpenID Connect): Modern, JSON/REST-based protocol, used by web apps, mobile apps, and programmatic access (GitHub Actions, EKS pods, Cognito)
SAML 2.0: XML-based enterprise protocol, used for browser-based SSO to the AWS Console (Okta, Azure AD, corporate SSO)

Trust Anchor

When you create an IAM Identity Provider, you get: ...
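The trust relationship above is expressed concretely in the IAM role's trust policy. As an added example (not code from the original page), the following builds a trust policy for a GitHub Actions OIDC provider that pins both the token audience and the exact subject, and audits a trust policy for the two common weaknesses that widen the trust beyond one workload. The account id and repository name are constructed placeholders; the GitHub issuer host and the `sts.amazonaws.com` audience are the values GitHub Actions and AWS use.

```python
import json

# Constructed placeholders (not from the page): account id and repository.
ACCOUNT_ID = "123456789012"
REPO = "example-org/example-repo"
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer


def github_actions_trust_policy(account_id: str, repo: str, branch: str = "main") -> dict:
    """Trust policy allowing only one repo/branch of a GitHub Actions workflow to assume the role.

    Principal is the IAM OIDC provider ARN; the Condition pins the audience (aud)
    and the exact subject (sub) claim, so tokens from other repos or branches fail.
    """
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com",
                f"{GITHUB_OIDC_HOST}:sub": f"repo:{repo}:ref:refs/heads/{branch}",
            }},
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """Audit federated Allow statements; return a list of human-readable findings."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        arn = principal.get("Federated")
        if not isinstance(arn, str):
            continue  # not a single OIDC/SAML provider principal
        host = arn.split("/", 1)[-1]  # issuer host is the tail of the provider ARN
        # Flatten {operator: {key: value}} so we can look keys up regardless of operator.
        keys = {k: v for op in stmt.get("Condition", {}).values() for k, v in op.items()}
        if f"{host}:aud" not in keys:
            findings.append("no aud condition: tokens minted for other audiences are accepted")
        sub = keys.get(f"{host}:sub")
        if sub is None:
            findings.append("no sub condition: any identity from this IdP can assume the role")
        elif "*" in str(sub):
            findings.append(f"wildcard sub {sub!r}: broader than a single repo/branch")
    return findings


if __name__ == "__main__":
    print(json.dumps(github_actions_trust_policy(ACCOUNT_ID, REPO), indent=2))
```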