Identity and Access Management (IAM) in AWS has three general types: Users, Groups, and Roles. Users are similar to users in other systems. They are typically assigned to individuals, can be assigned permissions, passwords, and API keys. Roles are another construct that can be assigned to AWS resources like virtual machines (EC2). They can also be assigned permissions, but cannot be assigned long-term API keys like users can. Finally, groups are collections of users that have common permissions.


The University of Iowa uses Federation for users on campus. This means that there is a common identity - your HawkID - that you can use to log in to your computer, your email, internal applications, and AWS. Previously you could only log in to the AWS console using your HawkID, but it is now possible to use the AWS command line interface (CLI) with this identity. This was the final hurdle in aligning the central AWS service offering with the Enterprise Authentication, Authorization, and Access Policy. When you log in to the AWS CLI with your HawkID, you get a session that lasts for 8 hours. If you have more than one AWS account or multiple roles within an AWS account you will be given an opportunity on login to choose which account or role you would like to use.


There are cases where an IAM user might be the most appropriate mechanism to use. For example, there are AWS services that do not support Federated Users. In other cases, there may be a need to push data from on campus resources to AWS. In these cases, you can request that the Cloud Services create a user in your AWS account. We will work with you to scope the permissions appropriately.


To learn how to install the AWS CLI for Federated users please see our support article here.

Article number: 
Last updated: 
February 15, 2023