Account instances of IAM Identity Center
With an account instance of IAM Identity Center, you can deploy supported AWS managed applications and OIDC-based customer managed applications. Account instances support isolated deployments of applications in a single AWS account, leveraging IAM Identity Center workforce identity and access portal features.
Account instances are bound to a single AWS account and are used only to manage user and group access for supported applications in the same account and AWS Region. You are limited to one account instance per AWS account. You can create an account instance from either of the following:
- A member account in AWS Organizations.
- A standalone AWS account that is not managed by AWS Organizations.
Availability constraints for member accounts
You can deploy account instances of IAM Identity Center in AWS Organizations member accounts whether or not an organization instance of IAM Identity Center is already present in the AWS organization.
One of the following conditions must be true:
- There is no organization instance of IAM Identity Center in your AWS organization.
- There is an organization instance of IAM Identity Center in your AWS organization and the instance administrator has enabled member accounts to create account instances of IAM Identity Center (for organization instances created after November 15, 2023).
- There is an organization instance of IAM Identity Center in your AWS organization and the instance administrator manually enabled creation of account instances by member accounts in the organization (for organization instances created before November 15, 2023). For instructions, see Enable account instance creation in the IAM Identity Center console.
After one of the preceding conditions is met, all of the following conditions must be true:
- Your administrator hasn't created a Service Control Policy that prevents member accounts from creating account instances.
- You don't already have an instance of IAM Identity Center in this same account, regardless of AWS Region.
- You're working in an AWS Region where IAM Identity Center is available. For information about Regions, see AWS IAM Identity Center Region availability.
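The two account-level conditions above (no blocking Service Control Policy, and no existing instance in the account in any Region) are the ones a practitioner can check or enforce with code. The following is an added example written for this page, not code from the AWS documentation or from AWS itself. It assumes that `sso:CreateInstance` is the IAM action behind account instance creation and that `ListInstances` is a Regional call (so every Region of interest has to be queried to honour "regardless of AWS Region"); both are stated as assumptions in the code. The SCP builder shows the policy an organization administrator would attach to block member accounts, and the pre-check flattens `ListInstances` responses so it can be run against live boto3 output or, as in the constructed sample at the bottom, offline.

```python
"""Pre-checks for creating an account instance of IAM Identity Center.

Added example, not from the AWS documentation. Assumptions:
  * "sso:CreateInstance" is the IAM action that the CreateInstance API maps to.
  * ListInstances is Regional and only returns instances in the calling Region,
    so each Region is queried separately to cover "regardless of AWS Region".
"""
from __future__ import annotations

import json
from typing import Iterable


def deny_account_instance_scp_document(sid: str = "DenyAccountInstanceCreation") -> dict:
    """Build the SCP an organization administrator would attach to an OU or root
    to stop member accounts from creating account instances.

    The action name below is an assumption (see module docstring).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Deny",
                "Action": "sso:CreateInstance",  # assumed action name for CreateInstance
                "Resource": "*",
            }
        ],
    }


def deny_account_instance_scp(sid: str = "DenyAccountInstanceCreation") -> str:
    """Serialize the SCP as the JSON document you would paste into Organizations."""
    return json.dumps(deny_account_instance_scp_document(sid), indent=2)


def existing_instances(pages: Iterable[dict]) -> list[dict]:
    """Flatten paginated ListInstances responses (each with an 'Instances' key)."""
    return [inst for page in pages for inst in page.get("Instances", [])]


def can_create_account_instance(pages_by_region: dict[str, Iterable[dict]]) -> tuple[bool, list[str]]:
    """Evaluate "no instance already exists in this account, regardless of Region".

    pages_by_region maps a Region name to that Region's ListInstances pages.
    Returns (ok, reasons); reasons is empty when the condition is satisfied.
    """
    reasons: list[str] = []
    for region, pages in pages_by_region.items():
        for inst in existing_instances(pages):
            reasons.append(f"{region}: instance {inst['InstanceArn']} already exists")
    return (not reasons, reasons)


def collect_instances_live(regions: list[str]) -> dict[str, list[dict]]:
    """Query ListInstances in each Region with boto3 (needs AWS credentials).

    boto3 is imported lazily so the pure functions above run without it.
    """
    import boto3

    result: dict[str, list[dict]] = {}
    for region in regions:
        client = boto3.client("sso-admin", region_name=region)
        paginator = client.get_paginator("list_instances")
        result[region] = list(paginator.paginate())
    return result


# Constructed sample of ListInstances pages for two Regions (not real ARNs):
# us-east-1 has no instance, eu-west-1 already has one.
SAMPLE_RESPONSES: dict[str, list[dict]] = {
    "us-east-1": [{"Instances": []}],
    "eu-west-1": [
        {
            "Instances": [
                {
                    "InstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLE0000000001",
                    "IdentityStoreId": "d-EXAMPLE00001",
                }
            ]
        }
    ],
}

if __name__ == "__main__":
    print(deny_account_instance_scp())
    ok, reasons = can_create_account_instance(SAMPLE_RESPONSES)
    print("can create account instance:", ok)
    for reason in reasons:
        print("  -", reason)
```

Run against `collect_instances_live([...])` instead of `SAMPLE_RESPONSES` to check a real account; the SCP document is the same one the organization administrator would attach, and the pre-check deliberately reports every Region that already has an instance rather than stopping at the first so the reason for a refused creation is visible.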
When to use account instances
In most cases, an organization instance is recommended. Account instances should be used only if one of the following scenarios applies:
- You want to run a temporary trial of a supported AWS managed application to determine if the application suits your business needs.
- You don't have plans to adopt IAM Identity Center across your organization, but you want to support one or more AWS managed applications.
- You have an organization instance of IAM Identity Center, but you want to deploy a supported AWS managed application to an isolated set of users that are distinct from users in your organization instance.
- You don't control the AWS organization in which you operate. For example, a third party controls the AWS organization that manages your AWS accounts.
Important
If you plan to use IAM Identity Center to support applications in multiple accounts, create an organization instance and don't use account instances.
Account instance considerations
An account instance is designed for specialized use cases, offering a subset of the features available to an organization instance. Consider the following before creating an account instance:
- Account instances don't support permission sets and therefore don't support access to AWS accounts.
- You can't convert an account instance into an organization instance.
- You can't merge an account instance into an organization instance.
- Only select AWS managed applications support account instances.
- Use account instances only for isolated users who use applications in a single account, and only for the lifetime of those applications.
- Applications that are attached to an account instance must remain attached to the account instance until you delete the application and its resources.
- An account instance must remain in the AWS account where it's created.
AWS managed applications that support account instances
See AWS managed applications to learn which AWS managed applications support account instances of IAM Identity Center. Verify the availability of account instance creation with your AWS managed application.