
Sign in to Argo CD via Identity Center

The managed Argo CD capability authenticates only through AWS IAM Identity Center. There is no local admin account and no auto-generated password — anyone who signs in does so with an Identity Center identity mapped to one of the three built-in Argo CD roles (ADMIN, EDITOR, VIEWER).

This page walks the one-time setup plus the first sign-in to the Argo CD UI. After this, you reuse the password you set here for the rest of Lab 2.

caution

Disabling MFA weakens security for all users in the IAM Identity Center instance, not just the workshop user. This is acceptable for a personal/dev/test account; do not apply it in a production account or a shared organization.

info

The rest of Lab 2 drives Argo CD entirely through the Kubernetes API so it stays fully testable. Signing in to the UI is optional but recommended — the visual graph of the catalog stack is the most engaging part of the lab.

1. Identity Center user and group

Terraform pre-created the workshop user and group in AWS Identity Center. They were exported into your shell by prepare-environment:

~$ echo $EKS_CAP_ARGOCD_USER
eks-workshop-...-argocd-admin
~$ echo $EKS_CAP_ARGOCD_ADMIN_GROUP
eks-workshop-...-argocd-admins
~$ echo $EKS_CAP_ARGOCD_URL
https://....eks-capabilities.us-west-2.amazonaws.com

Pre-created user

  • $EKS_CAP_ARGOCD_USER: administrative user mapped to the Argo CD ADMIN role.

Pre-created group

  • $EKS_CAP_ARGOCD_ADMIN_GROUP: group with administrative privileges, associated with the Argo CD capability.

2. Disabling MFA for the workshop

To simplify the authentication experience during the workshop, we'll disable Multi-Factor Authentication (MFA) for Identity Center users.

Steps to disable MFA:

  1. Navigate to the Identity Center console

    • Open the AWS Console
    • Search for "Identity Center"

  2. Select Configure MFA

  3. Disable MFA

    • Select "Never (disabled)" in MFA Settings
    • Save changes


3. Generate temporary password for the admin user

New users in Identity Center require temporary passwords to be generated by administrators.

  1. Select User

    • Navigate to Identity Center → Users
    • Find and select $EKS_CAP_ARGOCD_USER


  2. Reset Password

    • Click "Reset password"
    • Choose "Generate a one-time password"


  3. Copy Temporary Password

    • Copy the generated password
    • You will use this password to log in to the Argo CD dashboard in the next step.


tip

This password generation process will be referenced in other chapters when logging in as different users.

4. First sign-in to Argo CD

Open the Argo CD URL in a new browser tab:

~$ echo $EKS_CAP_ARGOCD_URL

  1. Click Log in via AWS Identity Center.
  2. Username: the value of $EKS_CAP_ARGOCD_USER. Click Next.
  3. Password: the one-time password you copied in step 3. Click Sign in.
  4. Identity Center forces a Set new password screen on first sign-in. Choose any new password and confirm it.
  5. After setting the new password you'll be redirected to the Argo CD Applications view as ADMIN.

Argo CD UI after Identity Center sign-in

tip

You can also reach the UI from the Amazon EKS console: select your cluster, choose the Capabilities tab, choose Argo CD, then Open Argo CD UI. Both paths route through the same Identity Center sign-in.
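
A preflight check you can run before opening the URL in step 4, as an added example that is not part of the workshop's own tooling: it confirms the user and group variables are set and that the URL is an https endpoint on the expected host before a one-time password is typed anywhere. The function names are hypothetical, and the host pattern `.eks-capabilities.<region>.amazonaws.com` is an assumption taken from the single sample output in step 1.

```bash
#!/bin/sh
# Added example, not workshop code. Function names are hypothetical.

# Return 0 only for https://<label>.eks-capabilities.<region>.amazonaws.com[/...]
# (host pattern assumed from the sample output shown in step 1).
argocd_url_ok() {
  url=${1:-}
  case $url in
    https://*) ;;
    *) return 1 ;;                       # plain http or another scheme
  esac
  rest=${url#https://}
  authority=${rest%%[/?#]*}              # drop path, query and fragment
  case $authority in
    ''|*@*|*:*) return 1 ;;              # empty, userinfo trick, explicit port
  esac
  host=$(printf '%s' "$authority" | tr '[:upper:]' '[:lower:]')
  case $host in
    .*|*..*|*[!a-z0-9.-]*) return 1 ;;   # empty label or unexpected character
  esac
  suffix=${host#*.eks-capabilities.}
  [ "$suffix" != "$host" ] || return 1   # marker label missing
  region=${suffix%.amazonaws.com}
  [ "$region" != "$suffix" ] || return 1 # host does not end in .amazonaws.com
  case $region in
    ''|*[!a-z0-9-]*) return 1 ;;         # region must be a single DNS label
  esac
  return 0
}

# Check the three values exported by prepare-environment; 0 means all good.
argocd_preflight() {
  rc=0
  [ -n "${1:-}" ] || { echo "EKS_CAP_ARGOCD_USER is empty" >&2; rc=1; }
  [ -n "${2:-}" ] || { echo "EKS_CAP_ARGOCD_ADMIN_GROUP is empty" >&2; rc=1; }
  argocd_url_ok "${3:-}" || { echo "unexpected Argo CD URL: ${3:-}" >&2; rc=1; }
  return "$rc"
}

# Usage in the workshop shell:
#   argocd_preflight "$EKS_CAP_ARGOCD_USER" "$EKS_CAP_ARGOCD_ADMIN_GROUP" "$EKS_CAP_ARGOCD_URL"
```

The check is deliberately strict: it rejects an explicit port and any host where the expected suffix is followed by further labels, so a look-alike host fails instead of passing on a substring match.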

You're now ready to walk through the rest of Lab 2.