Skip to main content
← Back to index page


IAM upgrades: SSO Permission Sets as Teams, SourceIdentity support, region independence


  • Enable SSO Permission Sets to function as teams
  • Allow SAML sign on via any regional endpoint, not only us-east-1
  • Allow use of AWS "Source Identity" for SAML and SSO users (not enabled for OIDC)


  • Reduce the friction between SSO permission sets and SAML roles by allowing people to use either interchangeably. (Almost. SSO permission sets do not yet have the same permissions as SAML roles in the identity account itself.)
  • Enable continued access in the event of a regional outage in us-east-1 as happened recently
  • Enable auditing of who is using assumed roles


Upgrade notes

The regional endpoints and Source Identity support are non-controversial and cannot be disabled. They do, however, require running terraform apply against aws-saml, aws-teams, and aws-team-roles in all accounts.

AWS SSO updates

To enable SSO Permission Sets to function as teams, you need to update account-map and aws-sso, then apply changes to

  • tfstate-backend
  • aws-teams
  • aws-team-roles
  • aws-sso

This is all enabled by default. If you do not want it, you only need to update account-map, and add account-map/modules/roles-to-principles/ in which you set overridable_team_permission_sets_enabled to default to false

Under the old iam-primary-roles component, corresponding permission sets were named Identity<role>RoleAccess. Under the current aws-teams component, they are named Identity<role>TeamAccess. The current account-map defaults to the latter convention. To use the earlier convention, add account-map/modules/roles-to-principles/ in which you set overridable_team_permission_set_name_pattern to default to "Identity%sRoleAccess"

There is a chance the resulting trust policies will be too big, especially for tfstate-backend. If you get an error like

Cannot exceed quota for ACLSizePerRole: 2048

You need to request a quota increase (Quota Code L-C07B4B0D), which will be automatically granted, usually in about 5 minutes. The max quota is 4096, but we recommend increasing it to 3072 first, so you retain some breathing room for the future.


Pull Requests