Google Workspace (formerly known as G Suite) is a typical first cloud service for companies embracing the cloud, especially startups. It provides out-of-the-box services such as email, calendar, file storage, and user identity. Google also offers Google Cloud Platform (GCP) for business logic and computing workloads; however, many companies prefer another vendor's offerings for that.
That is where Amazon Web Services (AWS), one of the prominent cloud computing vendors with a wide range of services, comes in. The challenge is then to use the user identity from Google Workspace to sign in to AWS.
In this post, we walk through setting up Google Workspace as the identity provider (IdP) for AWS IAM Identity Center.
Authentication Flow Diagram
[Figure: authentication flow diagram, created with mermaid.js]
How the Authentication Works
- A user with a Google Workspace account opens the AWS access portal URL of an organization with AWS IAM Identity Center enabled.
- If the user is not yet authenticated, they are redirected to Google Workspace and log in there.
- On a successful login, a response is created and sent to AWS IAM Identity Center; it contains the SAML assertion, which carries the authentication, authorization, and user profile information.
- AWS IAM Identity Center evaluates the response to determine whether the user may use the portal, and on success the portal is shown.
- The user can then select the AWS Organization account and permission set on the AWS access portal page.
Prepare the AWS IAM Identity Center
When setting up an AWS account for the first time, first enable or create the AWS Organization.
From the Account menu (upper right corner of the AWS Console, showing your account name), open Organization.
Once the organization is enabled or created, your AWS accounts are listed; for now, we only have the main account.
AWS IAM Identity Center
Enable the AWS IAM Identity Center.
From the Services menu (upper left corner of the AWS Console, next to the AWS logo), select Security, Identity, & Compliance and open IAM Identity Center (successor to AWS Single Sign-On).
Configure the AWS IAM Identity Center
Once enabled, select Choose your identity source.
Change the Identity Source
By default, AWS uses its internal identity store as the source.
Under Choose identity source, select External identity provider as our new source.
Under Configure external identity provider, download the metadata file, or take note of the details shown, as we will use them later when creating the Google Workspace custom SAML app.
Now switch over to Google Workspace to create the custom SAML app; we will come back to the AWS side afterwards.
Google Workspace Custom SAML App
Add Custom SAML App
In the Google Workspace Admin Console, select Apps, then open Web and mobile apps.
Select Add custom SAML app from the Add app menu.
Google App Details
Provide meaningful details for the app.
Google Identity Provider Details
Download the Google Workspace IdP metadata, or take note of the IdP details, as we will use them to complete the configuration of the AWS external identity provider.
Google Service Provider Details
The metadata file downloaded earlier from the AWS external identity provider page provides the details to enter here for our service provider.
Finish the Custom SAML App Creation
Skip the attribute mapping and finish the custom SAML app creation.
Custom SAML App Configuration
Configure the application.
User Access Settings
Change the service status to ON for everyone.
Let's move back to the external identity provider configuration in AWS.
Finalize the Configuration for the External Identity Provider
Upload the IdP metadata downloaded from the Google Workspace custom SAML app as the AWS IdP configuration to establish trust.
Confirm the Configuration for the External Identity Provider
Review the changes, and confirm with ACCEPT to complete the change of identity source.
Manage IAM Identity Center Accounts
Groups and Users
To test whether the external IdP setup works, create groups and users that mirror the Google Workspace directory. Because this setup uses SAML only, with no automatic provisioning, each user's username in IAM Identity Center must match the primary email address of the corresponding Google Workspace account exactly: that is the value the SAML assertion carries, and a mismatch results in a failed sign-in.
Create a Group
Create a User
Create a permission set to serve as the role for the group of users, with the policy attached to it.
AWS Organizations Accounts
Login to the AWS Console with Google Workspace Credentials
[Figures: AWS access portal URL; AWS IAM Identity; AWS Management Console]
We now have a fully working external IdP, provided by the Google Workspace directory, for our AWS users.