Enabling AWS SSO

  1. Go to your AWS Organizational Root Account
  2. Select a region
  3. Select AWS Single Sign-On

Initial Setup

This does not apply when using an external Identity Provider. If you want to integrate with Okta, OneLogin, Google, or any other identity provider, see here.

  1. Set up your user portal URL. This CANNOT be changed.
  2. Review your MFA Settings

  • Enable MFA


You can link your AWS SSO roles into your EKS configMap so that access is controlled with RBAC instead of IAM users.

If you delete the AWS SSO role in use and you do not have a backup, you will be locked out. We recommend creating a "break glass" local account for accessing EKS if AWS SSO is not accessible.
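The mapping and the lock-out risk described above, as an added example that is not part of the original page: it builds an `aws-auth` `mapRoles` entry from an AWS SSO role ARN (stripping the `aws-reserved/sso.amazonaws.com/` path, which `aws-auth` does not accept) and checks that a cluster-admin mapping exists that does not depend on AWS SSO. The function names, the sample ARN, and the idea that the break-glass account is a non-SSO principal mapped to `system:masters` are assumptions.

```python
import json
import re

# IAM role that AWS SSO creates for a permission set. The region segment is
# optional in this pattern because some ARNs omit it.
SSO_ROLE_ARN = re.compile(
    r"^arn:(aws[a-z-]*):iam::(\d{12}):role/aws-reserved/sso\.amazonaws\.com/"
    r"(?:[a-z0-9-]+/)?(AWSReservedSSO_[\w+=,.@-]+)$"
)

def sso_map_role(role_arn, username, groups):
    """Build an aws-auth mapRoles entry for an AWS SSO role.

    aws-auth expects the role ARN without its path, so the
    aws-reserved/sso.amazonaws.com/<region>/ segment is dropped.
    """
    m = SSO_ROLE_ARN.match(role_arn)
    if m is None:
        raise ValueError(f"not an AWS SSO role ARN: {role_arn}")
    partition, account, name = m.groups()
    return {"rolearn": f"arn:{partition}:iam::{account}:role/{name}",
            "username": username, "groups": list(groups)}

def has_break_glass(map_roles, map_users, admin_group="system:masters"):
    """True if an admin mapping exists that does not depend on AWS SSO."""
    for entry in map_roles:
        role_name = entry["rolearn"].rsplit("/", 1)[-1]
        if (admin_group in entry["groups"]
                and not role_name.startswith("AWSReservedSSO_")):
            return True
    return any(admin_group in user["groups"] for user in map_users)

def render_map_roles(entries):
    """Render entries as the YAML text of the mapRoles key."""
    lines = []
    for e in entries:
        lines += [f"- rolearn: {e['rolearn']}",
                  f"  username: {json.dumps(e['username'])}",
                  "  groups:"]
        lines += [f"    - {g}" for g in e["groups"]]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample ARN: account ID and role suffix are placeholders.
    arn = ("arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
           "us-west-2/AWSReservedSSO_AdministratorAccess_0123456789abcdef")
    entry = sso_map_role(arn, "sso-admin:{{SessionName}}", ["system:masters"])
    print(render_map_roles([entry]))
    if not has_break_glass([entry], []):
        print("WARNING: every cluster-admin mapping depends on AWS SSO")
```

The check only inspects the entries passed to it, so any access path that is not listed in `aws-auth` is outside what it can see.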

AWS Managed Job Roles