

# Setting up and using the AWS access portal
<a name="using-the-portal"></a>

The AWS access portal connects your workforce to AWS accounts and cloud applications through IAM Identity Center. Administrators configure the portal and manage user access, while end users sign in once to seamlessly access all their authorized resources.

The AWS access portal provides single sign-on access to:
+ AWS accounts in your organization.
+ AWS managed applications such as Amazon Quick and Kiro.
+ Cloud applications like Office 365, Concur, Salesforce, and others.

When users sign in to the portal, they find the AWS accounts and applications they're authorized to access without additional sign-in.

## Getting started with the AWS access portal
<a name="getting-started-access-portal"></a>

**For administrators:**

You need administrative access to your [organization instance](organization-instances-identity-center.md) or [account instance](account-instances-identity-center.md) of IAM Identity Center to configure the AWS access portal and manage user access.

1. Optionally customize the AWS access portal URL.

1. Assign user access to AWS accounts and applications. Assigned AWS resources display in the portal.

**For end users:**

Your administrator must have completed the AWS access portal setup and provided you with your portal URL and sign-in credentials.

1. Get your portal URL from your administrator (typically `https://your-company.awsapps.com/start`).

1. Sign in using the credentials provided by your administrator.

1. Access your resources in your portal.

# Configure the AWS access portal
<a name="configure-the-access-portal"></a>

As an administrator, you can customize the AWS access portal to meet your organization's needs and ensure users can easily access their authorized resources.

## What you can configure
<a name="what-you-can-configure"></a>

**AWS access portal activation**: Set up initial user access to the AWS access portal, including user credential activation and first-time sign-in processes.

**Custom AWS access portal URL (optional)**: Personalize your organization's AWS access portal URL from the default format (`d-xxxxxxxxxx.awsapps.com/start`) to a more recognizable subdomain (`your-company.awsapps.com/start`).

**Before you begin**  
Ensure you have administrative access to IAM Identity Center, verify that IAM Identity Center is set up as either an [organization instance](organization-instances-identity-center.md) or [account instance](account-instances-identity-center.md), and plan your custom subdomain name (this is a one-time configuration that cannot be changed later).

Once configured, users can access the AWS access portal using the custom URL and follow the activation process you've established for your organization.

**Topics**
+ [What you can configure](#what-you-can-configure)
+ [Activating the AWS access portal for first-time IAM Identity Center users](howtoactivateaccount.md)
+ [Customizing the AWS access portal URL](howtochangeURL.md)
+ [Confirm users can sign in to the AWS access portal](howtosigninprocedure.md)

# Activating the AWS access portal for first-time IAM Identity Center users
<a name="howtoactivateaccount"></a>

If this is your first time attempting to sign in to the AWS access portal, check your email for instructions on how to activate your user credentials. 

**To activate your user credentials**

1. Depending on the email you received from your company, choose one of the following methods to activate your user credentials so that you can start using the AWS access portal. 

   1. If you received an email with the subject **Invitation to join AWS IAM Identity Center**, open it and choose **Accept invitation**. On the **New user sign up** page, enter and confirm a password, and then choose **Set new password**. You'll use that password each time you sign in to the portal.

   1. If you were sent an email from your company's IT support or IT administrator, follow the instructions they provided to activate your user credentials. 

1. After you activate your user credentials by providing a new password, the AWS access portal signs you in automatically. If this doesn't occur, you can manually sign in to the AWS access portal by using the instructions provided in [Signing in to the AWS access portal](howtosignin.md).

# Customizing the AWS access portal URL
<a name="howtochangeURL"></a>

By default, you can access the AWS access portal by using a URL that follows this format: `d-xxxxxxxxxx.awsapps.com/start`. You can customize the URL as follows: `your_subdomain.awsapps.com/start`.

**Important**  
 If you change the AWS access portal URL, you cannot edit it later.

**To customize your URL**

1. Open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. In the IAM Identity Center console, choose **Dashboard** in the navigation pane and locate the **Settings summary** section.

1. Choose the **Customize** button below your AWS access portal URL.
**Note**  
If the **Customize** button doesn't display, it means that the AWS access portal has already been customized. Customizing the AWS access portal URL is a one-time operation that cannot be reversed.

1. Enter your desired subdomain name and choose **Save**.

You can now sign in to the AWS Console through your AWS access portal with your customized URL.

# Confirm users can sign in to the AWS access portal
<a name="howtosigninprocedure"></a>

The following steps are for an IAM Identity Center administrator to confirm that an IAM Identity Center user can sign in to the AWS access portal and access an AWS account.

**Sign in to the AWS access portal**

1. Do either of the following to sign in to the AWS Management Console.
   + **New to AWS (root user)** – Sign in as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.
   + **Already using AWS (IAM credentials)** – Sign in with your IAM credentials and select an admin role.

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. In the navigation pane, choose **Dashboard**.

1. On the **Dashboard** page, under **Settings summary**, choose the AWS access portal URL.

1. Sign in by using either of the following:
   + If you are using Active Directory or an external identity provider (IdP) as your identity source, sign in by using the credentials of the Active Directory or IdP user.
   + If you are using the default Identity Center directory as your identity source, sign in by using the username that you specified when you created the user and the new password that you specified for the user.

1. In the **Accounts** tab, locate your AWS account and expand it.

1. The roles available to you are displayed. For example, if you are assigned both the **AdministratorAccess** and **Billing** permission sets, those roles are displayed in the AWS access portal. Choose the IAM role name you want to use for the session.

1. If you are redirected to the AWS Management Console, you have successfully finished setting up access to the AWS account.
**Note**  
If you do not see any **AWS accounts** listed, it is likely that the user hasn't yet been assigned to a permission set for that account. For instructions on assigning users to a permission set, see [Assign user or group access to AWS accounts](assignusers.md).

Now that you've confirmed that you can sign in using IAM Identity Center credentials, switch to the browser that you used to sign into the AWS Management Console and sign out from your root user or IAM user credentials. 

**Important**  
We strongly recommend that you use the credentials of the IAM Identity Center administrative user when you sign in to the AWS access portal to perform administrative tasks instead of using IAM user or root user credentials. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. To enable other users to access your accounts and applications, and to administer IAM Identity Center, create and assign permission sets only through IAM Identity Center.

# Use the AWS access portal
<a name="access-portal-for-workforce-users"></a>

 You can launch multiple applications by choosing the AWS account or application tab in the portal. The presence of application icons in your AWS access portal means that an administrator from your company has granted you access to those AWS accounts or applications. It also means that you can access all these accounts or applications from the AWS access portal without additional sign-in prompts. 

## How to use the AWS access portal
<a name="how-to-use-access-portal"></a>

To use the AWS access portal:

1. **Get your portal URL** from your administrator (typically looks like `https://your-company.awsapps.com/start`).

1. **Sign in** using the credentials provided by your administrator.

1. **Choose the accounts and applications** in your portal that you want to access.

Your administrator controls what you see in the portal based on your role and permissions. Contact your administrator to request additional access in these situations:
+ You do not see an AWS account or application that you need to access.
+ The access that you have to a given account or application isn't what you expected.

**Topics**
+ [How to use the AWS access portal](#how-to-use-access-portal)
+ [Signing in to the AWS access portal](howtosignin.md)
+ [Resetting your AWS access portal user password](resetpassword-accessportal.md)
+ [Getting IAM Identity Center user credentials for the AWS CLI or AWS SDKs](howtogetcredentials.md)
+ [Creating shortcut links to AWS Management Console destinations](createshortcutlink.md)
+ [Registering your device for MFA](user-device-registration.md)
+ [Viewing and ending your active session](end-user-how-to-end-active-sessions-accessportal.md)

# Signing in to the AWS access portal
<a name="howtosignin"></a>

The AWS access portal provides IAM Identity Center users with single sign-on access to all their assigned AWS accounts and applications through a web portal. The following outlines how you can sign in to the AWS access portal, tips for signing in, and how to sign out of the AWS access portal. 

**Prerequisites**  
IAM Identity Center needs to be enabled to use the AWS access portal. For more information, see [Enable IAM Identity Center](enable-identity-center.md).

**Note**  
After you sign in, the default duration for your AWS access portal session is 8 hours. Be aware that an administrator can [change the duration](configure-user-session.md) of this session.

## Sign in to the AWS access portal
<a name="howtosignin-procedure"></a>

**To sign in to the AWS access portal**

1. In your browser window, paste in the sign-in URL that you were provided and choose **Enter**. The URL looks like `d-xxxxxxxxxx.awsapps.com/start` or `your_subdomain.awsapps.com/start`. We recommend that you bookmark this link to the portal now so that you can quickly access it later.

1. Sign in using your standard company sign-in credentials.
**Note**  
If your administrator sent you an email one-time password (OTP) and this is your first time signing in, enter that password. After you are signed in, you must create a new password for future sign-ins.

    If you are prompted for a **Verification code**, check your email and then copy and paste the code into the sign-in page.
**Note**  
Verification codes are typically sent through email, but the delivery method can vary. Check with your administrator for details.

1. Once signed in, you can access any AWS account and application that displays in the portal.

## Trusted devices
<a name="howtosignin-trusted-devices"></a>

When you choose the option **This is a trusted device** from the sign-in page, IAM Identity Center considers all future sign-ins from that device as authorized. This means that IAM Identity Center will not present an option to enter an MFA code as long as you are using that trusted device. However, there are some exceptions, including signing in from a new browser or when your device has been issued an unknown IP address.

## Sign in tips for the AWS access portal
<a name="portaltips"></a>

Here are some tips to help you manage your AWS access portal experience.
+ Occasionally, you might need to sign out and sign back in to the AWS access portal. This might be necessary to access new applications that your administrator recently assigned to you. This is not required, however, because all new applications are refreshed every hour.
+ When you sign in to the AWS access portal, you can open any of the applications listed in the portal by choosing the application’s icon. After you are done using the application, you can either close the application or sign out of the AWS access portal. Closing the application signs you out of that application only. Any other applications that you have opened from the AWS access portal remain open and running. 
+ Before you can sign in as a different user, you must first sign out of the AWS access portal. Signing out from the portal completely removes your credentials from the browser session.
+ Once you sign in to the AWS access portal, you can switch to a role. Switching roles temporarily sets aside your original user permissions and instead gives you the permissions assigned to the role.  For more information, see [Switching to a role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html?icmpid=docs_iam_console).

## Signing out of the AWS access portal
<a name="howtosignout"></a>

When you sign out from the portal, your credentials are completely removed from the browser session. For more information, see [ Sign out of the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/aws-access-portal-signing-out-iam-identity-center-user.html) in the *AWS Sign-In* guide.

**To sign out of the AWS access portal**
+ In the AWS access portal, choose **Sign out** from the navigation bar.

**Note**  
If you want to sign in as a different user, you must first sign out of the AWS access portal.

# Resetting your AWS access portal user password
<a name="resetpassword-accessportal"></a>

The AWS access portal provides [IAM Identity Center](what-is.md) users with single sign-on access to all their assigned AWS accounts and cloud applications through a web portal. The AWS access portal is different from the [AWS Management Console](https://docs.aws.amazon.com//awsconsolehelpdocs/latest/gsg/learn-whats-new.html), which is a collection of service consoles for managing AWS resources.

Use this procedure to reset your IAM Identity Center user password for the AWS access portal. Learn more about [User types](https://docs.aws.amazon.com//signin/latest/userguide/user-types-list.html) in the *AWS Sign-In User Guide*.

**Considerations**  
The password reset functionality in your AWS access portal is only available for users of Identity Center instances that use the Identity Center directory or [AWS Managed Microsoft AD](gs-ad.md) as their identity source. If your user is connected to an external identity provider or [AD Connector](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html), user password resets must be done from the external identity provider or the connected Active Directory.
+ If your identity source is an **IAM Identity Center directory**, see [Password requirements when managing identities in IAM Identity Center](password-requirements.md).
+ If your identity source is an **AWS Managed Microsoft AD**, see [Password requirements when resetting a password in AWS Managed Microsoft AD](https://docs.aws.amazon.com//directoryservice/latest/admin-guide/ms_ad_password_policies.html#how_password_policies_applied).

**To reset your password to the AWS access portal**

1. Open a web browser and go to the sign-in page for your AWS access portal.

   If you do not have your AWS access portal URL, check your email. You should have been emailed an invitation to join AWS IAM Identity Center that includes a specific sign-in URL to the AWS access portal. Alternatively, your administrator might have directly provided you with a one-time password and the AWS access portal URL. If you cannot locate this information, ask your administrator to send it to you.

   For more information about signing into the AWS access portal, see [Sign in to the AWS access portal](https://docs.aws.amazon.com//signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

1. Enter your **Username**, and then choose **Next**.

1. Under **Password**, choose **Forgot password**.

   Verify your **Username** and enter the characters for the provided image to confirm that you are not a robot. Then choose **Next**. You might need to disable ad blocker software if you cannot enter characters.

1. A message appears to confirm that a reset password email was sent. Choose **Continue**.

1. You'll receive an email from `no-reply@signin.aws` with the subject **Password reset requested**. In your email, choose **Reset password**.

1. On the **Reset password** page, verify your **Username**, specify a new password for the AWS access portal, and then choose **Set new password**.

1. You'll receive an email from `no-reply@signin.aws` with the subject line **Password updated**.

**Note**  
An administrator can reset your password by either sending an email to you with instructions for resetting your password or generating a one-time password and sharing it with you. If you are an administrator, see [Reset the IAM Identity Center user password for an end user](reset-password-for-user.md).

# Getting IAM Identity Center user credentials for the AWS CLI or AWS SDKs
<a name="howtogetcredentials"></a>

You can access AWS services programmatically by using the AWS Command Line Interface or AWS Software Development Kits (SDKs) with user credentials from IAM Identity Center. This topic describes how to get temporary credentials for a user in IAM Identity Center.

The AWS access portal provides IAM Identity Center users with single sign-on access to their AWS accounts and cloud applications. After you sign in to the AWS access portal as an IAM Identity Center user, you can get temporary credentials. You can then use the credentials, also referred to as IAM Identity Center user credentials, in the AWS CLI or AWS SDKs to access resources in an AWS account.

If you’re using the AWS CLI to access AWS services programmatically, you can use the procedures in this topic to initiate access to the AWS CLI. For information about the AWS CLI, see the [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/gcli-chap-welcome.html).

If you’re using the AWS SDKs to access AWS services programmatically, following the procedures in this topic also directly establishes authentication for the AWS SDKs. For information about the AWS SDKs, see the [AWS SDKs and Tools Reference Guide](https://docs.aws.amazon.com/sdkref/latest/guide/overview.html).

**Note**  
Users in IAM Identity Center are different from [IAM users](https://docs.aws.amazon.com/cli/latest/userguide/id_users.html). IAM users are granted long-term credentials to AWS resources. Users in IAM Identity Center are granted temporary credentials. We recommend that you use temporary credentials as a security best practice for accessing your AWS accounts because these credentials are generated every time you sign in.

## Prerequisites
<a name="temp-credentials-prerequisites"></a>

To get temporary credentials for your IAM Identity Center user, you'll need the following:
+ **An IAM Identity Center user** – You'll sign in to the AWS access portal as this user. You or your administrator might create this user. For information about how to enable IAM Identity Center and create an IAM Identity Center user, see [Getting started with IAM Identity Center](getting-started.md).
+ **User access to an AWS account** – To grant an IAM Identity Center user permission to retrieve their temporary credentials, you or an administrator must assign the IAM Identity Center user to a [permission set](permissionsetsconcept.md). Permission sets are stored in IAM Identity Center and define the level of access that an IAM Identity Center user has to an AWS account. If your administrator created the IAM Identity Center user for you, ask them to add this access for you. For more information, see [Assign user or group access to AWS accounts](assignusers.md).
+ **AWS CLI installed** – To use the temporary credentials, you must install the AWS CLI. For instructions, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS CLI User Guide*.

## Considerations
<a name="temp-credentials-considerations"></a>

Before you complete the steps to get temporary credentials for your IAM Identity Center user, keep the following considerations in mind:
+ **IAM Identity Center creates IAM roles** – When you assign a user in IAM Identity Center to a permission set, IAM Identity Center creates a corresponding IAM role from the permission set. IAM roles created by permission sets differ from IAM roles created in AWS Identity and Access Management in the following ways:
  + IAM Identity Center owns and secures the roles that are created by permission sets. Only IAM Identity Center can modify these roles.
  + Only users in IAM Identity Center can assume the roles that correspond to their assigned permission sets. You can’t assign permission set access to IAM users, IAM federated users, or service accounts. 
  + You can’t modify a role trust policy on these roles to allow access to [principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) outside of IAM Identity Center.

  For information about how to get temporary credentials for a role that you create in IAM, see [Using temporary security credentials with the AWS CLI](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#using-temp-creds-sdk-cli) in the *AWS Identity and Access Management User Guide*.
+ **You can set the session duration for permission sets** – After you sign in to the AWS access portal, the permission set to which your IAM Identity Center user is assigned appears as an available role. IAM Identity Center creates a separate session for this role. This session can be from one to 12 hours, depending on the session duration configured for the permission set. The default session duration is one hour. For more information, see [Set session duration for AWS accounts](howtosessionduration.md).

## Getting and refreshing temporary credentials
<a name="how-to-get-temp-credentials"></a>

You can get and refresh temporary credentials for your IAM Identity Center user automatically or manually. 

**Topics**
+ [Automatic credential refresh (recommended)](#how-to-get-temp-credentials-automatic)
+ [Manual credential refresh](#how-to-get-temp-credentials-manual)

### Automatic credential refresh (recommended)
<a name="how-to-get-temp-credentials-automatic"></a>

Automatic credential refresh uses the OpenID Connect (OIDC) Device Code Authorization standard. With this method, you initiate access directly by using the `aws configure sso` command in the AWS CLI. You can use this command to automatically access any role that is associated with any permission set that you're assigned to for any AWS account.

To access the role created for your IAM Identity Center user, run the `aws configure sso` command, and then authorize the AWS CLI from a browser window. As long as you have an active AWS access portal session, the AWS CLI automatically retrieves temporary credentials and refreshes the credentials automatically. 

For more information, see [Configure your profile with the `aws configure sso` wizard](https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso) in the *AWS Command Line Interface User Guide*.

**To get temporary credentials that automatically refresh**

1. Sign in to the AWS access portal by using the specific sign-in URL provided by your administrator. If you created the IAM Identity Center user, AWS sent an email invitation that includes your sign-in URL. For more information, see [Sign in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

1. In the **Accounts** tab, locate the AWS account from which you want to retrieve credentials. When you choose the account, the account name, account ID, and email address associated with the account appear. 
**Note**  
If you do not see any **AWS accounts** listed, it is likely that you've not yet been assigned to a permission set for that account. In this case, contact your administrator and ask them to add this access for you. For more information, see [Assign user or group access to AWS accounts](assignusers.md).

1. Below the name of the account, the permission set to which your IAM Identity Center user is assigned appears as an available role. For example, if your IAM Identity Center user is assigned to the **PowerUserAccess** permission set for the account, the role appears in the AWS access portal as **PowerUserAccess**.

1. Depending on which option appears next to the role name, choose either **Access keys** or **Command line or programmatic access**.

1. In the **Get credentials** dialog box, choose either **macOS and Linux**, **Windows**, or **PowerShell**, depending on the operating system on which you installed the AWS CLI.

1. Under **AWS IAM Identity Center credentials (Recommended)**, your `SSO Start URL` and `SSO Region` are displayed. These values are required to configure both an IAM Identity Center enabled profile and an `sso-session` in your AWS CLI. To complete this configuration, follow the instructions in [Configure your profile with the `aws configure sso` wizard](https://docs.aws.amazon.com/cli/latest/userguide/sso-configure-profile-token.html#sso-configure-profile-token-auto-sso) in the *AWS Command Line Interface User Guide*.

Continue using the AWS CLI as necessary for your AWS account until the credentials have expired.
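The `aws configure sso` wizard writes an `sso-session` section and a profile that points at it into `~/.aws/config`. The following added example (it is not AWS code and not part of this guide) renders that pair of sections from the `SSO Start URL`, `SSO Region`, account ID and permission set name shown in the **Get credentials** dialog, then parses the result back to show how a profile resolves its settings through the session. The session and profile names are made up, and the check that accepts only `*.awsapps.com/start` start URLs is an assumption added here (an organization using the dual-stack portal endpoint would widen it).

```python
"""Render and read back the sso-session / profile pair that `aws configure sso` writes.

Added example, not AWS code. Section and key names follow the documented
~/.aws/config layout; "corp-sso" and "dev-admin" are made-up names.
"""
import configparser
import re

# Assumption: only the organization's own access portal start URL is accepted.
PORTAL_URL_RE = re.compile(r"^https://[a-z0-9-]+\.awsapps\.com/start/?$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def render_sso_config(session_name, start_url, sso_region, profile_name,
                      account_id, role_name, region="us-east-1", output="json"):
    """Return config text: an sso-session block plus one profile that uses it."""
    if not PORTAL_URL_RE.match(start_url):
        raise ValueError(f"unexpected SSO start URL: {start_url}")
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("sso_account_id must be a 12-digit AWS account ID")
    return (
        f"[sso-session {session_name}]\n"
        f"sso_start_url = {start_url}\n"
        f"sso_region = {sso_region}\n"
        "sso_registration_scopes = sso:account:access\n"
        "\n"
        f"[profile {profile_name}]\n"
        f"sso_session = {session_name}\n"
        f"sso_account_id = {account_id}\n"
        f"sso_role_name = {role_name}\n"
        f"region = {region}\n"
        f"output = {output}\n"
    )


def profile_settings(config_text, profile_name):
    """Resolve a profile's SSO settings by following its sso_session reference."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    profile = parser[f"profile {profile_name}"]
    session = parser[f"sso-session {profile['sso_session']}"]
    return {
        "start_url": session["sso_start_url"],
        "sso_region": session["sso_region"],
        "account_id": profile["sso_account_id"],
        "role_name": profile["sso_role_name"],
        "region": profile["region"],
    }


if __name__ == "__main__":
    # Constructed values in the shape of the Get credentials dialog.
    text = render_sso_config("corp-sso", "https://example.awsapps.com/start",
                             "us-east-1", "dev-admin", "123456789012",
                             "PowerUserAccess", region="us-west-2")
    print(text)
    print(profile_settings(text, "dev-admin"))
```

Because the token obtained by `aws sso login --profile dev-admin` is tied to the `sso-session`, several profiles (one per account and permission set) can share a single portal sign-in, which is the behaviour the automatic refresh method relies on.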

### Manual credential refresh
<a name="how-to-get-temp-credentials-manual"></a>

You can use the manual credential refresh method to get temporary credentials for a role that is associated with a specific permission set in a specific AWS account. To do so, you copy and paste the required commands for the temporary credentials. With this method, you must refresh the temporary credentials manually. 

You can run AWS CLI commands until your temporary credentials expire.

**To get credentials that you manually refresh**

1. Sign in to the AWS access portal by using the specific sign-in URL provided by your administrator. If you created the IAM Identity Center user, AWS sent an email invitation that includes your sign-in URL. For more information, see [Sign in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

1. In the **Accounts** tab, locate the AWS account from which you want to retrieve access credentials and expand it to show the IAM role name (for example **Administrator**). Depending on which option appears next to the IAM role name, choose either **Access keys** or **Command line or programmatic access**. 
**Note**  
If you do not see any **AWS accounts** listed, it is likely that you've not yet been assigned to a permission set for that account. In this case, contact your administrator and ask them to add this access for you. For more information, see [Assign user or group access to AWS accounts](assignusers.md).

1. In the **Get credentials** dialog box, choose **macOS and Linux**, **Windows**, or **PowerShell**, depending on the operating system on which you installed the AWS CLI.

1. Choose any of the following options:
   + **Option 1: Set AWS environment variables**

     Choose this option to override all credential settings, including any settings in the `credentials` files and `config` files. For more information, see [Environment variables to configure the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) in the *AWS CLI User Guide*.

     To use this option, copy the commands to your clipboard, paste the commands into your AWS CLI terminal window, and then press **Enter** to set the required environment variables.
   + **Option 2: Add a profile to your AWS credentials file**

     Choose this option to run commands with different sets of credentials.

     To use this option, copy the commands to your clipboard, and then paste the commands into your shared AWS `credentials` file to set up a new named profile. For more information, see [Shared config and credentials files](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html) in the *AWS SDKs and Tools Reference Guide*. To use this credential, specify the `--profile` option in your AWS CLI command. This affects all environments that use the same credential file.
   + **Option 3: Use individual values in your AWS service client**

     Choose this option to access AWS resources from an AWS service client. For more information, see [Tools to Build on AWS](https://aws.amazon.com/tools/).

     To use this option, copy the values to your clipboard, paste the values into your code, and assign them to the appropriate variables for your SDK. For more information, see the documentation for your specific SDK API.
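Options 1 and 2 above paste temporary credentials into either environment variables or a named profile, and the Note earlier in this topic explains why those credentials should be temporary ones. The following added example (not AWS code) parses both pasted forms, flags a credential set that is not temporary (no `AWS_SESSION_TOKEN`, or an access key ID that does not begin with `ASIA`, the prefix AWS uses for temporary access keys), and shows the precedence the text describes: environment variables override the credentials file. The key values and the `[account-id_role-name]` profile name are constructed sample data, not real credentials.

```python
"""Sanity-check credentials pasted from the access portal's Get credentials dialog.

Added example, not AWS code. Parses Option 1 (export/SET/$Env: lines) and
Option 2 (a named profile in ~/.aws/credentials), reports anything that is
not a temporary credential set, and resolves which source the CLI would use.
All key values below are constructed samples.
"""
import configparser
import re

# Matches `export NAME=value`, `SET NAME=value`, `$Env:NAME="value"` and bare NAME=value.
EXPORT_RE = re.compile(
    r'^\s*(?:export\s+|[Ss][Ee][Tt]\s+|\$[Ee]nv:)?(AWS_[A-Z_]+)=["\']?([^"\'\s]+)["\']?\s*$'
)
REQUIRED = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")

# Constructed sample of the Option 1 text (temporary credentials).
SAMPLE_EXPORTS = """
export AWS_ACCESS_KEY_ID="ASIAEXAMPLEEXAMPLE01"
export AWS_SECRET_ACCESS_KEY="examplesecretkeyexamplesecretkeyexample0"
export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN=="
"""

# Constructed sample of a credentials-file profile that is NOT temporary:
# a long-term (AKIA) key with no session token, the kind that should not be pasted here.
SAMPLE_CREDENTIALS = """
[123456789012_PowerUserAccess]
aws_access_key_id = AKIAEXAMPLEEXAMPLE02
aws_secret_access_key = examplesecretkeyexamplesecretkeyexample1
"""


def parse_export_lines(text):
    """Return {lowercase_name: value} for every AWS_* assignment in Option 1 text."""
    found = {}
    for line in text.splitlines():
        m = EXPORT_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def parse_credentials_profile(text, profile):
    """Return the keys of one named profile from credentials-file text (Option 2)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return dict(parser[profile]) if parser.has_section(profile) else {}


def check_temporary(creds):
    """List problems; an empty list means the set looks like portal-issued temporary credentials."""
    problems = [f"missing {k}" for k in REQUIRED if k not in creds]
    key_id = creds.get("aws_access_key_id", "")
    if key_id and not key_id.startswith("ASIA"):
        problems.append("access key ID does not start with ASIA (not a temporary credential)")
    return problems


def resolve_source(env, credentials_text, profile):
    """Return (source, creds): environment variables win over the credentials file."""
    if all(k in env for k in ("aws_access_key_id", "aws_secret_access_key")):
        return "environment", env
    return "profile", parse_credentials_profile(credentials_text, profile)


if __name__ == "__main__":
    env = parse_export_lines(SAMPLE_EXPORTS)
    print("exports:", check_temporary(env) or "ok")
    prof = parse_credentials_profile(SAMPLE_CREDENTIALS, "123456789012_PowerUserAccess")
    print("profile:", check_temporary(prof) or "ok")
    print("CLI would use:", resolve_source(env, SAMPLE_CREDENTIALS, "123456789012_PowerUserAccess")[0])
```

Run against the samples, the export block passes while the profile is reported twice (no session token, non-`ASIA` key), and `resolve_source` picks the environment whenever both are present, which is exactly why Option 1 "overrides all credential settings" as the text puts it.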

# Creating shortcut links to AWS Management Console destinations
<a name="createshortcutlink"></a>

Shortcut links created in the AWS access portal take IAM Identity Center users to a specific destination in the AWS Management Console, with a specific permission set, and in a specific AWS account.

Shortcut links save time for you and your collaborators. Instead of navigating to a desired destination URL in the AWS Management Console (for example, an Amazon S3 bucket instance page) through multiple pages, including the AWS access portal, you can use a shortcut link to get to the same destination automatically. 

## Shortcut link destination options
<a name="shortcut-link-destination-options"></a>

Shortcut links have three destination options, listed here by priority:
+ (Optional) Any destination URL in the AWS Management Console specified in the shortcut link. For example, the Amazon S3 bucket instance page.
+ (Optional) Administrator-configured relay state URL for the permission set in question. For more information about setting the relay state, see [Set relay state for quick access to the AWS Management Console](howtopermrelaystate.md).
+ AWS Management Console home. The default destination if you do not specify one.

**Note**  
Automatic navigation to a destination is successful only when you’re authenticated with IAM Identity Center and have the necessary permission set assigned for the AWS account and destination URL. 

The AWS access portal includes a **Create shortcut** button that helps you create a shareable shortcut link. If you plan to specify a destination URL (the first option in the previous list), you can copy the URL to a clipboard to share it.

## Create a shortcut link in the AWS access portal
<a name="shortcut-link-role"></a>

1. While signed into the AWS access portal, choose the **Accounts** tab and then choose the **Create shortcut** button.

1. In the dialog box: 

   1. Choose an AWS account using the account ID or account name. As you type, a drop-down menu displays matching account IDs and names that you can access. You can choose only an account to which you have access.

   1. Optionally choose an IAM role from the drop-down list. These are the permission sets assigned to you for the selected account. If you don't choose a role, users are prompted to select one of the roles assigned to them for the chosen account when they use the shortcut link. 
**Note**  
You cannot grant new access with shortcut links. Shortcut links work only with the permission sets already assigned to the user. If the user doesn't have the necessary permission sets assigned for the account and destination URL, they are denied access. 

   1. Optionally enter the destination URL (for example, a page in the AWS Management Console). If you don't enter a URL, the destination is determined automatically when the shortcut link is used, based on the shortcut link destination options described earlier.

   1. Your shortcut link is generated at the bottom of the dialog box, based on your input. Choose the **Copy URL** button. You can now create a bookmark with the copied shortcut link or share it with collaborators who have access to the same account with the same permission set or another sufficient permission set.

## Constructing secure AWS Management Console shortcut links with URL encoding
<a name="constructing-shortcut-links"></a>

All parameter values of the URL, including the account ID, permission set name, and destination URL, must be URL-encoded.

Shortcut links extend the AWS access portal URL with the following path:

 `/#/console?account_id=[account_ID]&role_name=[permission_set_name]&destination=[destination_URL]` 

 The full URL in the classic AWS partition follows this pattern:

**IPv4 endpoint:**

 `https://[your_subdomain].awsapps.com/start/#/console?account_id=[account_ID]&role_name=[permission_set_name]&destination=[destination_URL]` 

**Dual-stack endpoint:**

 `https://[identity_center_instance_id].portal.[region].app.aws/#/console?account_id=[account_ID]&role_name=[permission_set_name]&destination=[destination_URL]` 

Here's an example shortcut link that signs a user into account `123456789012` with the `S3FullAccess` permission set, and takes them to the S3 console home page:
+ **IPv4 endpoint:** `https://example.awsapps.com/start/#/console?account_id=123456789012&role_name=S3FullAccess&destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fs3%2Fhome` 
+ **Dual-stack endpoint:** `https://ssoins-1234567890abcdef.portal.us-east-1.app.aws/#/console?account_id=123456789012&role_name=S3FullAccess&destination=https%3A%2F%2Fconsole.aws.amazon.com%2Fs3%2Fhome` 
+ **(AWS GovCloud (US) Region) IPv4 endpoint:** `https://start.us-gov-west-1.us-gov-home.awsapps.com/directory/example/#/console?account_id=123456789012&role_name=S3FullAccess&destination=https%3A%2F%2Fconsole.amazonaws-us-gov.com%2Fs3%2Fhome` 
+ **(AWS GovCloud (US) Region) Dual-stack endpoint:** `https://ssoins-1234567890abcdef.portal.us-gov-west-1.app.aws/#/console?account_id=123456789012&role_name=S3FullAccess&destination=https%3A%2F%2Fconsole.amazonaws-us-gov.com%2Fs3%2Fhome` 
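The encoding rules above, worked through in Python as an added example (this is not code from the AWS documentation or from IAM Identity Center itself). It builds the link from the portal URL, account ID, permission set name, and destination, percent-encoding every value with `safe=""` so that a `?`, `&`, or `=` inside the destination can never terminate or add a shortcut-link parameter, and it parses a link back to check it before you bookmark or share it. The console host allow-list and the permission set name pattern are assumptions made for the example; the portal itself still enforces the permission sets assigned to the user.

```python
"""Build and check IAM Identity Center shortcut links with correct URL encoding.

Added example; the allow-list and name pattern below are assumptions.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

ACCOUNT_ID_RE = re.compile(r"\d{12}")
# Assumption: permission set names use this character set and length limit.
ROLE_NAME_RE = re.compile(r"[\w+=,.@-]{1,32}")
# Assumption: console hosts a link may point at (classic and GovCloud partitions).
CONSOLE_HOSTS = {"console.aws.amazon.com", "console.amazonaws-us-gov.com"}


def check_destination(destination):
    """Reject destinations that are not HTTPS URLs on a known console host."""
    parts = urlsplit(destination)
    if parts.scheme != "https" or parts.hostname not in CONSOLE_HOSTS:
        raise ValueError(f"not an AWS Management Console URL: {destination!r}")


def build_shortcut_link(portal_url, account_id, role_name=None, destination=None):
    """Append /#/console?... to the portal URL, percent-encoding every value.

    quote(..., safe="") also encodes ':' '/' '?' '&' and '=', so nothing inside
    the destination can be parsed as a separate shortcut-link parameter.
    """
    if not ACCOUNT_ID_RE.fullmatch(account_id):
        raise ValueError("account_id must be exactly 12 digits")
    params = [("account_id", account_id)]
    if role_name is not None:
        if not ROLE_NAME_RE.fullmatch(role_name):
            raise ValueError(f"invalid permission set name: {role_name!r}")
        params.append(("role_name", role_name))
    if destination is not None:
        check_destination(destination)
        params.append(("destination", destination))
    query = "&".join(f"{key}={quote(value, safe='')}" for key, value in params)
    return f"{portal_url.rstrip('/')}/#/console?{query}"


def parse_shortcut_link(link):
    """Decode a shortcut link into a dict, rejecting malformed or tampered ones."""
    fragment = urlsplit(link).fragment             # everything after '#'
    path, _, query = fragment.partition("?")
    if path != "/console":
        raise ValueError("not a console shortcut link")
    fields = parse_qs(query, strict_parsing=True)  # every field must be key=value
    if any(len(values) != 1 for values in fields.values()):
        raise ValueError("a parameter appears more than once")
    if not set(fields) <= {"account_id", "role_name", "destination"}:
        raise ValueError("unexpected parameter(s)")
    out = {key: values[0] for key, values in fields.items()}
    if not ACCOUNT_ID_RE.fullmatch(out.get("account_id", "")):
        raise ValueError("missing or invalid account_id")
    if "destination" in out:
        check_destination(out["destination"])
    return out


def is_valid_shortcut_link(link):
    """True when the link parses and all checks above pass."""
    try:
        parse_shortcut_link(link)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Reproduces the IPv4 example from the documentation.
    link = build_shortcut_link("https://example.awsapps.com/start", "123456789012",
                               "S3FullAccess", "https://console.aws.amazon.com/s3/home")
    print(link)
    print(parse_shortcut_link(link))
```

With a destination that itself carries a query string (for example `https://console.aws.amazon.com/s3/home?region=us-east-1&tab=objects`), `build_shortcut_link` emits `%3F`, `%26`, and `%3D` in place of the raw `?`, `&`, and `=`, and `parse_shortcut_link` returns the original destination unchanged; a link whose destination points off the console hosts, or that repeats `account_id`, is rejected.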

# Registering your device for MFA
<a name="user-device-registration"></a>

For users in the Identity Center directory, use the following procedure within the AWS access portal to register your new device for multi-factor authentication (MFA).

**Important**  
MFA in IAM Identity Center is currently not supported for [external identity providers](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html).

## Before you begin
<a name="user-device-registration-prereq"></a>

We recommend that you first download the appropriate Authenticator app onto your device before starting the steps in this procedure. For a list of apps that you can use for MFA devices, see [Virtual authenticator apps](mfa-types.md#mfa-types-apps).

## Register your device
<a name="user-device-register"></a>

**To register your device for use with MFA**

1. Sign in to your AWS access portal. For more information, see [Signing in to the AWS access portal](howtosignin.md).

1. Near the top-right of the page, choose **MFA devices**.

1. On the **Multi-factor authentication (MFA) devices** page, choose **Register device**.
**Note**  
If the **Register MFA device** option is grayed out, contact your administrator for assistance with registering your device.

1. On the **Register MFA device** page, select one of the following MFA device types, and follow the instructions:
   + **Authenticator app**

     1. On the **Set up the authenticator app** page, the configuration information for the new MFA device is shown, including a QR code graphic. The graphic encodes the secret key, which is also available for manual entry on devices that don't support QR codes.

     1. Using the physical MFA device, do the following:

        1. Open a compatible MFA authenticator app. For a list of tested apps that you can use with MFA devices, see [Virtual authenticator apps](mfa-types.md#mfa-types-apps). If the MFA app supports multiple accounts (multiple MFA devices), choose the option to create a new account (a new MFA device).

        1. Determine whether the MFA app supports QR codes, and then do one of the following on the **Set up the authenticator app** page:

           1. Choose **Show QR code**, and then use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to **Scan code**. Then use the device's camera to scan the code.

           1. Choose **show secret key**, and then enter that secret key into your MFA app.
**Important**  
When you configure an MFA device for IAM Identity Center, we recommend that you save a copy of the QR code or secret key *in a secure place*. This can help if you lose the phone or have to reinstall the MFA authenticator app. If either of those things happen, you can quickly reconfigure the app to use the same MFA configuration.

     1. On the **Set up the authenticator app** page, under **Authenticator code**, enter the one-time password that currently appears on the physical MFA device.
**Important**  
Submit your request immediately after generating the code. If you generate the code and then wait too long to submit the request, the MFA device is successfully associated with your user, but the MFA device is out of sync. This happens because time-based one-time passwords (TOTP) expire after a short period of time. If this happens, you can sync the device again.

     1. Choose **Assign MFA**. The MFA device can now start generating one-time passwords and is now ready for use with AWS.
   + **Security key** or **Built-in authenticator**

     1. On the **Register your user's security key** page, follow the instructions provided by your browser or platform.
**Note**  
The experience varies based on the browser or platform. After your device is successfully registered, you can associate a friendly display name with your newly enrolled device. To change the name, choose **Rename**, enter the new name, and then choose **Save**.
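The **Important** note in the authenticator app steps says that time-based one-time passwords expire after a short period, and that submitting a freshly generated code late leaves the device associated but out of sync. The following added Python example (not part of the AWS documentation and not how IAM Identity Center itself is implemented) shows the mechanism: it implements RFC 4226 HOTP and RFC 6238 TOTP, decodes a secret key in the base32 form an authenticator app displays, and verifies a code the way a typical server does, accepting only the current time step and one step either side. The 30-second step and the one-step acceptance window are assumptions about typical verifier settings; the secret is the RFC 6238 reference test secret.

```python
"""RFC 6238 TOTP generation and verification (added example, not the AWS implementation).

Demonstrates why a code that is generated and then submitted too late is rejected.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumption: the time step most authenticator apps use
DIGITS = 6          # assumption: six-digit codes
WINDOW = 1          # assumption: verifier accepts one step of clock skew either way


def secret_from_base32(text):
    """Decode the secret key as an authenticator app shows it (base32, maybe grouped)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=STEP_SECONDS):
    """The code an authenticator app displays at unix_time."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret, code, unix_time, step=STEP_SECONDS, window=WINDOW):
    """Accept the code for the current step or up to `window` steps either side.

    A code generated more than `window` steps before unix_time falls outside the
    accepted counters and is rejected, which is the 'out of sync' case in the note.
    """
    counter = int(unix_time) // step
    candidates = [hotp(secret, counter + delta) for delta in range(-window, window + 1)]
    return any(hmac.compare_digest(candidate, code) for candidate in candidates)


if __name__ == "__main__":
    # RFC 6238 reference secret "12345678901234567890", as base32 with display grouping.
    secret = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    generated_at = 1111111109
    code = totp(secret, generated_at)
    print("code shown by the app:", code)                       # 081804 per RFC 6238
    print("submitted 30 s later :", verify_totp(secret, code, generated_at + 30))
    print("submitted 90 s later :", verify_totp(secret, code, generated_at + 90))
```

The three RFC 6238 SHA-1 test vectors (`59` → `287082`, `1111111109` → `081804`, `1234567890` → `005924`) confirm the implementation; the last two prints show that the same code is accepted 30 seconds after generation and refused 90 seconds after, which is why the procedure tells you to submit the code right away.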

# Viewing and ending your active session
<a name="end-user-how-to-end-active-sessions-accessportal"></a>

You can use your AWS access portal to view the list of your active sessions, and if required, end one or more sessions. 

**End your active session using your AWS access portal**

1. Sign in to your AWS access portal. For more information, see [Signing in to the AWS access portal](howtosignin.md).

1. Near the top-right of the page, choose **Security**.

1. On the **Security** page, the number in parentheses next to **Active sessions** indicates how many active sessions you have.
**Tip**  
For user background sessions, you can search for sessions by the Amazon Resource Name (ARN) of the job that is using the session. In the **Session type** list, choose **User background sessions**, and then enter the job ARN in the search box.

   You can only end active sessions that are loaded. If you have many sessions, choose **Load more active sessions** to display additional sessions.

1. Select the check box next to each session that you want to end, and then choose **End sessions**.

1. A dialog box appears that confirms you are ending active sessions. Review the information, and if you want to continue, type `confirm`, and then choose **End sessions**.

1. You are returned to your list of active sessions. A green notification message appears to indicate that the selected sessions were successfully ended.