AWS IAM Identity Center with Google Workspace

Integrate AWS IAM Identity Center with Google Workspace for secure, seamless login. Simplify access management with this step-by-step guide.

Published Apr 14, 2025

🔍 Introduction

As cloud adoption accelerates, managing user identities across platforms securely and efficiently is critical. Many organizations already rely on Google Workspace (formerly G Suite) for productivity and identity management. Integrating it with AWS IAM Identity Center (formerly AWS SSO) allows seamless user authentication across multiple AWS accounts—using the same Google credentials your users are familiar with.
In this guide, I’ll walk you through configuring Google Workspace as a SAML 2.0 identity provider (IdP) for AWS IAM Identity Center. Whether you're managing a single AWS account or a complex AWS organization, this setup helps centralize access control, reduce security risk, and enhance user experience.

🎯 Why Integrate AWS IAM Identity Center with Google Workspace?

  • Centralized Identity Management: Manage all users in Google Workspace—no need to create and manage separate IAM users in AWS.
  • Enhanced Security: Utilize short-lived credentials via SAML federation, reducing exposure from static credentials.
  • Improved User Experience: Users access AWS through a single login using familiar credentials.
  • Scalable Across AWS Organizations: Assign permission sets for seamless access to multiple AWS accounts.
This integration is perfect for teams already embedded in the Google ecosystem and looking to enhance their AWS access control strategy.

🧰 Prerequisites

To complete this integration, you’ll need:
  • An AWS account with admin access and IAM Identity Center enabled.
  • An AWS Organization (required for IAM Identity Center).
  • A Google Workspace domain with super admin access.
  • Familiarity with SAML 2.0, Google Admin Console, and AWS IAM concepts.

🛠️ Step-by-Step Integration

✅ Step 1: Enable IAM Identity Center in AWS

  1. Sign in to the AWS Management Console with your management account.
  2. Go to IAM Identity Center → Click Enable.
  3. Note your user portal URL; this is the login entry point for users.

🔁 Step 2: Prepare AWS Metadata for Google

  1. In IAM Identity Center, go to Settings → Identity source.
  2. Click Change identity source → External identity provider.
  3. Select SAML 2.0 and expand the service provider metadata.
  4. Copy the following values:
    • AWS SSO ACS URL
    • AWS SSO Issuer URL
  5. Download the AWS metadata XML file; you’ll upload it to Google next.

🏢 Step 3: Configure SAML App in Google Workspace

  1. Open the Google Admin Console (admin.google.com).
  2. Go to Apps → Web and mobile apps → Add App → Add a custom SAML app.
  3. Name the app (e.g., “AWS IAM Identity Center”) and click Continue.
  4. On the IdP metadata page:
    • Download the Google IdP metadata file.
    • Click Continue.
  5. On the Service Provider Details page:
    • ACS URL: Paste the value from AWS.
    • Entity ID: Use the AWS Issuer URL.
    • Name ID format: Select EMAIL.
    • Name ID: Choose Primary email.
  6. Skip attribute mapping for now unless you plan to map roles or groups.
  7. Enable the app for users under User Access → Turn ON for everyone → Save.

☁️ Step 4: Upload Google Metadata to AWS

  1. Return to AWS IAM Identity Center.
  2. Upload the Google metadata file or enter the SSO URL and Entity ID manually.
  3. Click Next, then type CONFIRM to finalize the identity source switch.

🔐 Step 5: Create Permission Sets in IAM Identity Center

Permission sets define what a user can access across AWS accounts.
  1. Go to Permission sets → Create permission set.
  2. Choose either:
    • AWS managed policies (e.g., ReadOnlyAccess)
    • Or create custom policies for tailored access
  3. Name and configure the permission set.
  4. Repeat for additional roles like AdminAccess, BillingAccess, etc.

👥 Step 6: Assign Users or Groups

  1. Go to AWS Accounts in IAM Identity Center.
  2. Select the target AWS account.
  3. Click Assign users or groups.
  4. Add users by email (matching their Google Workspace accounts).
  5. Assign them to appropriate permission sets.
  6. Save the assignment.

🧪 Step 7: Test the Integration

  1. Open an incognito browser.
  2. Navigate to your IAM Identity Center User Portal URL.
  3. Sign in with your Google Workspace credentials.
  4. Verify that you:
    • Are redirected to Google login
    • Can view and select roles
    • Gain access to the AWS Console

🛠️ Troubleshooting Tips

Problem and solution:
  • ❌ Login fails: Double-check that the ACS URL and Entity ID match on both sides.
  • 🚫 Access denied: Make sure the user is assigned a permission set and an AWS account.
  • ⚠️ SAML error: Ensure the SAML app is enabled and the metadata is correctly configured.
  • ⏳ Propagation delays: Allow some time for Google app access to take effect.
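Most of the failures in the table above come down to a copy-and-paste mismatch between the values exchanged in Steps 2 through 4. The following is an added example, not code from the original post: it parses the AWS service-provider metadata (Step 2) and the Google IdP metadata (Step 3) with Python's standard library and checks that the ACS URL, Entity ID and Name ID format entered in the Google custom SAML app match what AWS published. Both metadata documents, their URLs and identifiers are constructed placeholders, and the function names are my own.

```python
"""Cross-check the values that travel between AWS IAM Identity Center and the
Google Workspace custom SAML app by parsing both metadata downloads.

Added example, not part of the original post. The two XML documents below are
constructed samples with placeholder identifiers; in practice they are the
service-provider metadata from Step 2 and the IdP metadata from Step 3."""
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used in both documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of the AWS service-provider (SP) metadata.
AWS_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://us-east-1.signin.aws.amazon.com/platform/saml/d-EXAMPLE0001">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://us-east-1.signin.aws.amazon.com/platform/saml/acs/EXAMPLE-ACS-ID"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of the Google identity-provider (IdP) metadata.
GOOGLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEIDP">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEIDP"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Pull the values Step 3 asks you to paste into Google out of the AWS metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    acs = sp.find("md:AssertionConsumerService", NS)
    return {
        "entity_id": root.get("entityID"),          # the "AWS SSO Issuer URL"
        "acs_url": acs.get("Location"),             # the "AWS SSO ACS URL"
        "acs_binding": acs.get("Binding"),
        "name_id_format": sp.find("md:NameIDFormat", NS).text,
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


def parse_idp_metadata(xml_text):
    """Pull the values Step 4 lets you enter manually out of the Google metadata."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    cert = root.find(".//ds:X509Certificate", NS)
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        # AWS wants signed assertions, so the IdP must publish a signing certificate.
        "has_signing_cert": cert is not None and bool(cert.text and cert.text.strip()),
    }


def check_google_app_config(sp, google_app):
    """Compare the Service Provider Details typed into the Google app (Step 3)
    with the AWS SP metadata. Returns the list of mismatches; empty means OK."""
    problems = []
    if google_app["acs_url"] != sp["acs_url"]:
        problems.append("ACS URL does not match the AWS SSO ACS URL")
    if google_app["entity_id"] != sp["entity_id"]:
        problems.append("Entity ID does not match the AWS SSO Issuer URL")
    if google_app["name_id_format"] != "EMAIL" or not sp["name_id_format"].endswith("emailAddress"):
        problems.append("Name ID format must be EMAIL on the Google side")
    return problems


if __name__ == "__main__":
    sp = parse_sp_metadata(AWS_SP_METADATA)
    idp = parse_idp_metadata(GOOGLE_IDP_METADATA)
    # Values as they would be typed into the Google custom SAML app.
    google_app = {"acs_url": sp["acs_url"], "entity_id": sp["entity_id"], "name_id_format": "EMAIL"}
    print("Google app mismatches:", check_google_app_config(sp, google_app) or "none")
    print("Google SSO URL for AWS:", idp["sso_url"], "| signing cert present:", idp["has_signing_cert"])
```

Run it against the real downloads by replacing the two constants with the file contents; a non-empty list from check_google_app_config is the first thing to fix when the "Login fails" or "SAML error" symptoms appear.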

✅ Best Practices

  • Least Privilege: Only assign the access needed—use ReadOnlyAccess for auditing, avoid blanket AdministratorAccess.
  • Use Groups: Map Google groups to AWS permission sets for scalable access management.
  • Enable MFA: Protect Google Workspace accounts with 2FA/MFA.
  • Audit Everything: Enable CloudTrail to monitor identity access.
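Turning "Audit Everything" into something you can actually run: the added example below (not from the original post) reads CloudTrail records and attributes each action to the Identity Center user and permission set behind it. It relies on how Identity Center provisions permission sets into member accounts, as IAM roles named AWSReservedSSO_<permission set>_<suffix>, with the user's Identity Center user name (the Google Workspace e-mail in this setup) as the session name. The sample events, account ID and user names are constructed, and the function names are my own.

```python
"""Attribute CloudTrail activity to IAM Identity Center users and permission sets.

Added example, not from the original post. It relies on one stable property of
Identity Center: each permission set becomes an IAM role in the target account
named AWSReservedSSO_<permission set>_<suffix>, and a user's session name is
their Identity Center user name (their e-mail when Google Workspace is the IdP).
The events below are constructed samples with a placeholder account ID."""
from collections import Counter

SSO_ROLE_PREFIX = "AWSReservedSSO_"

# Constructed CloudTrail records, trimmed to the fields the check needs.
SAMPLE_EVENTS = [
    {"eventTime": "2025-04-14T09:01:12Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/"
                             "AWSReservedSSO_ReadOnlyAccess_0123456789abcdef/alice@example.com"}},
    {"eventTime": "2025-04-14T09:02:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/"
                             "AWSReservedSSO_ReadOnlyAccess_0123456789abcdef/alice@example.com"}},
    {"eventTime": "2025-04-14T09:15:03Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/"
                             "AWSReservedSSO_AdministratorAccess_fedcba9876543210/bob@example.com"}},
    {"eventTime": "2025-04-14T09:20:55Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/legacy-deploy"}},
]


def parse_sso_session(arn):
    """Return (permission_set, user) for an Identity Center assumed-role ARN,
    or None for anything else (IAM users, root, service roles, malformed ARNs)."""
    # arn:aws:sts::<account>:assumed-role/<role name>/<session name>
    try:
        resource = arn.split(":", 5)[5]
        kind, role_name, session = resource.split("/", 2)
    except (IndexError, ValueError):
        return None
    if kind != "assumed-role" or not role_name.startswith(SSO_ROLE_PREFIX):
        return None
    # Strip the prefix and the trailing random suffix to recover the permission set name.
    permission_set, _, _suffix = role_name[len(SSO_ROLE_PREFIX):].rpartition("_")
    return permission_set, session


def summarize(events, privileged_sets=("AdministratorAccess",)):
    """Count actions per (user, permission set), list actions taken through a
    privileged permission set, and collect events that did not go through Identity Center."""
    summary = {"by_user": Counter(), "privileged_actions": [], "non_sso_events": []}
    for ev in events:
        parsed = parse_sso_session(ev.get("userIdentity", {}).get("arn", ""))
        if parsed is None:
            # Static credentials still in use despite SSO: review under least privilege.
            summary["non_sso_events"].append((ev["userIdentity"].get("arn"), ev["eventName"]))
            continue
        permission_set, user = parsed
        summary["by_user"][(user, permission_set)] += 1
        if permission_set in privileged_sets:
            summary["privileged_actions"].append((user, ev["eventSource"], ev["eventName"]))
    return summary


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for (user, pset), n in sorted(report["by_user"].items()):
        print(f"{user:<20} {pset:<22} {n} action(s)")
    print("via privileged permission set:", report["privileged_actions"])
    print("not via Identity Center:", report["non_sso_events"])
```

The same parse works on the Records array of a CloudTrail log file or on CloudTrail Lake query output; the two lists worth reviewing regularly are actions taken through AdministratorAccess and anything still arriving with IAM user credentials after the switch to federation.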

🧩 Conclusion

By integrating AWS IAM Identity Center with Google Workspace, you’re not just simplifying access—you’re elevating security, reducing operational overhead, and creating a unified identity platform. It’s a powerful move for growing organizations that prioritize security and usability.
As an AWS Community Builder, I encourage you to test this setup in a dev environment, explore advanced configurations like SCIM or attribute-based access control, and share your insights with others in the cloud community.