AWS Identity Center
Manage temporary elevated access in AWS IAM Identity Center
AWS IAM Identity Center (formerly AWS Single Sign-On) is the recommended service for managing workforce access to multiple AWS accounts and applications. It provides a central place to assign users and groups temporary, permission-scoped access to AWS accounts using permission sets — without creating long-lived IAM credentials.
With AWS IAM Identity Center, you can:
- Provision account assignments: Grant a user or group access to a specific AWS account with a specific permission set — the core primitive of temporary elevated access
- Revoke access on demand: Delete account assignments to immediately remove elevated permissions when they are no longer needed
- Look up users by email: Resolve a federated identity (email address) to an Identity Store user ID for programmatic access provisioning
- List permission sets: Enumerate the available permission sets (e.g., ReadOnly, PowerUser, AdministratorAccess) defined in your Identity Center instance
- Monitor assignment status: Poll the provisioning status of create/delete operations, which are asynchronous in AWS
- List accounts in your organization: Enumerate all AWS accounts in your AWS Organizations structure to populate access request dropdowns
- Manage groups: List groups and resolve group IDs by display name for group-based access grants
In Sim, the AWS Identity Center integration is designed to power TEAM (Temporary Elevated Access Management) workflows — automated pipelines where users request elevated access, approvers approve or deny it, access is provisioned with a time limit, and auto-revocation removes it when the window expires. This replaces manual console-based access management with auditable, agent-driven workflows that integrate with Slack, email, ticketing systems, and CloudTrail for full traceability.
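The TEAM lifecycle the tools on this page implement, as an added example that is neither Sim's code nor the AWS SDK: an approved request creates the assignment, the returned request ID is polled through Check Assignment Status until it leaves IN_PROGRESS, and a scheduler deletes the assignment when its window closes, because an account assignment never expires by itself (the permission set's sessionDuration bounds each sign-in session, not the grant). FakeSsoAdmin, Grant and the sample account, permission set and user IDs are constructed stand-ins for the real API.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str, str, str]  # (accountId, permissionSetArn, principalType, principalId)

@dataclass
class Grant:
    key: Key
    expires_at: float  # epoch seconds; the assignment is deleted once this has passed

class FakeSsoAdmin:
    """Constructed stand-in for the Identity Center admin API (not the real SDK). It keeps
    the real API's asynchronous shape: create/delete return a request id to poll."""
    def __init__(self) -> None:
        self.assignments: Set[Key] = set()
        self._pending: Dict[str, Tuple[str, Key, int]] = {}
    def _submit(self, op: str, key: Key) -> str:
        rid = f"req-{len(self._pending) + 1}"
        self._pending[rid] = (op, key, 2)  # report IN_PROGRESS twice, then finish
        return rid
    def create_account_assignment(self, key: Key) -> str:
        return self._submit("create", key)
    def delete_account_assignment(self, key: Key) -> str:
        return self._submit("delete", key)
    def describe_status(self, rid: str) -> str:
        op, key, left = self._pending[rid]
        if left:
            self._pending[rid] = (op, key, left - 1)
            return "IN_PROGRESS"
        (self.assignments.add if op == "create" else self.assignments.discard)(key)
        return "SUCCEEDED"

def wait_for(client: FakeSsoAdmin, rid: str, attempts: int = 10) -> str:
    """Poll Check Assignment Status until the request leaves IN_PROGRESS."""
    for _ in range(attempts):
        status = client.describe_status(rid)
        if status != "IN_PROGRESS":
            return status
    return "TIMEOUT"

def provision(client: FakeSsoAdmin, grant: Grant) -> str:
    return wait_for(client, client.create_account_assignment(grant.key))  # approved request goes live

def revoke_expired(client: FakeSsoAdmin, grants: List[Grant], now: float) -> List[Grant]:
    """Auto-revocation: delete every assignment whose window has closed; return the rest."""
    for g in [g for g in grants if g.expires_at <= now]:
        if wait_for(client, client.delete_account_assignment(g.key)) != "SUCCEEDED":
            raise RuntimeError(f"revocation failed for {g.key}")  # alert; never drop silently
        grants.remove(g)
    return grants
```

A failed or timed-out deletion is raised rather than forgotten, since a grant the scheduler has lost track of is exactly the standing access TEAM exists to prevent; reconcile periodically with List Account Assignments for Principal against the grants you expect.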
Provision and revoke temporary access to AWS accounts via IAM Identity Center (SSO). Assign permission sets to users or groups, look up users by email, and list accounts and permission sets for access request workflows.
List all AWS IAM Identity Center instances in your account
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| maxResults | number | No | Maximum number of instances to return (1-100) |
| nextToken | string | No | Pagination token from a previous request |

| Parameter | Type | Description |
|---|---|---|
| instances | json | List of Identity Center instances with instanceArn, identityStoreId, name, status, statusReason |
| nextToken | string | Pagination token for the next page of results |
| count | number | Number of instances returned |
List all AWS accounts in your organization
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| maxResults | number | No | Maximum number of accounts to return |
| nextToken | string | No | Pagination token from a previous request |

| Parameter | Type | Description |
|---|---|---|
| accounts | json | List of AWS accounts with id, arn, name, email, status |
| nextToken | string | Pagination token for the next page of results |
| count | number | Number of accounts returned |
Retrieve details about a specific AWS account by its ID
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| accountId | string | Yes | AWS account ID to describe |

| Parameter | Type | Description |
|---|---|---|
| id | string | AWS account ID |
| arn | string | AWS account ARN |
| name | string | Account name |
| email | string | Root email address of the account |
| status | string | Account status (ACTIVE, SUSPENDED, etc.) |
| joinedTimestamp | string | Date the account joined the organization |
List all permission sets defined in an IAM Identity Center instance
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| instanceArn | string | Yes | ARN of the Identity Center instance |
| maxResults | number | No | Maximum number of permission sets to return |
| nextToken | string | No | Pagination token from a previous request |

| Parameter | Type | Description |
|---|---|---|
| permissionSets | json | List of permission sets with permissionSetArn, name, description, sessionDuration |
| nextToken | string | Pagination token for the next page of results |
| count | number | Number of permission sets returned |
Look up a user in the Identity Store by email address
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| identityStoreId | string | Yes | Identity Store ID (from the Identity Center instance) |
| email | string | Yes | Email address of the user to look up |

| Parameter | Type | Description |
|---|---|---|
| userId | string | Identity Store user ID (use as principalId) |
| userName | string | Username in the Identity Store |
| displayName | string | Display name of the user |
| email | string | Email address of the user |
Look up a group in the Identity Store by display name
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| identityStoreId | string | Yes | Identity Store ID (from the Identity Center instance) |
| displayName | string | Yes | Display name of the group to look up |

| Parameter | Type | Description |
|---|---|---|
| groupId | string | Identity Store group ID (use as principalId) |
| displayName | string | Display name of the group |
| description | string | Group description |
List all groups in the Identity Store
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| identityStoreId | string | Yes | Identity Store ID (from the Identity Center instance) |
| maxResults | number | No | Maximum number of groups to return |
| nextToken | string | No | Pagination token from a previous request |

| Parameter | Type | Description |
|---|---|---|
| groups | json | List of groups with groupId, displayName, description |
| nextToken | string | Pagination token for the next page of results |
| count | number | Number of groups returned |
Grant a user or group access to an AWS account via a permission set (temporary elevated access)
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| instanceArn | string | Yes | ARN of the Identity Center instance |
| accountId | string | Yes | AWS account ID to grant access to |
| permissionSetArn | string | Yes | ARN of the permission set to assign |
| principalType | string | Yes | Type of principal: USER or GROUP |
| principalId | string | Yes | Identity Store ID of the user or group |

| Parameter | Type | Description |
|---|---|---|
| message | string | Status message |
| status | string | Provisioning status: IN_PROGRESS, FAILED, or SUCCEEDED |
| requestId | string | Request ID to use with Check Assignment Status |
| accountId | string | Target AWS account ID |
| permissionSetArn | string | Permission set ARN |
| principalType | string | Principal type (USER or GROUP) |
| principalId | string | Principal ID |
| failureReason | string | Reason for failure if status is FAILED |
| createdDate | string | Date the request was created |
Revoke a user's or group's access to an AWS account by removing a permission set assignment
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| instanceArn | string | Yes | ARN of the Identity Center instance |
| accountId | string | Yes | AWS account ID to revoke access from |
| permissionSetArn | string | Yes | ARN of the permission set to remove |
| principalType | string | Yes | Type of principal: USER or GROUP |
| principalId | string | Yes | Identity Store ID of the user or group |

| Parameter | Type | Description |
|---|---|---|
| message | string | Status message |
| status | string | Deprovisioning status: IN_PROGRESS, FAILED, or SUCCEEDED |
| requestId | string | Request ID to use with Check Assignment Status |
| accountId | string | Target AWS account ID |
| permissionSetArn | string | Permission set ARN |
| principalType | string | Principal type (USER or GROUP) |
| principalId | string | Principal ID |
| failureReason | string | Reason for failure if status is FAILED |
| createdDate | string | Date the request was created |
Check the provisioning status of an account assignment creation request
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| instanceArn | string | Yes | ARN of the Identity Center instance |
| requestId | string | Yes | Request ID returned from Create or Delete Account Assignment |

| Parameter | Type | Description |
|---|---|---|
| message | string | Human-readable status message |
| status | string | Current status: IN_PROGRESS, FAILED, or SUCCEEDED |
| requestId | string | The request ID that was checked |
| accountId | string | Target AWS account ID |
| permissionSetArn | string | Permission set ARN |
| principalType | string | Principal type (USER or GROUP) |
| principalId | string | Principal ID |
| failureReason | string | Reason for failure if status is FAILED |
| createdDate | string | Date the request was created |
Check the deprovisioning status of an account assignment deletion request
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| instanceArn | string | Yes | ARN of the Identity Center instance |
| requestId | string | Yes | Request ID returned from Delete Account Assignment |

| Parameter | Type | Description |
|---|---|---|
| message | string | Human-readable status message |
| status | string | Current deletion status: IN_PROGRESS, FAILED, or SUCCEEDED |
| requestId | string | The deletion request ID that was checked |
| accountId | string | Target AWS account ID |
| permissionSetArn | string | Permission set ARN |
| principalType | string | Principal type (USER or GROUP) |
| principalId | string | Principal ID |
| failureReason | string | Reason for failure if status is FAILED |
| createdDate | string | Date the request was created |
List all account assignments for a specific user or group across all accounts
| Parameter | Type | Required | Description |
|---|---|---|---|
| region | string | Yes | AWS region (e.g., us-east-1) |
| accessKeyId | string | Yes | AWS access key ID |
| secretAccessKey | string | Yes | AWS secret access key |
| instanceArn | string | Yes | ARN of the Identity Center instance |
| principalId | string | Yes | Identity Store ID of the user or group |
| principalType | string | Yes | Type of principal: USER or GROUP |
| maxResults | number | No | Maximum number of assignments to return |
| nextToken | string | No | Pagination token from a previous request |

| Parameter | Type | Description |
|---|---|---|
| assignments | json | List of account assignments with accountId, permissionSetArn, principalType, principalId |
| nextToken | string | Pagination token for the next page of results |
| count | number | Number of assignments returned |