I have a new AWS management account with SSO set up. I am not clear on how I can give access to some "user" which will be used to run terraform. What I would like to do is create a role in each non-management account. Then in the management account create a group, with a policy that allows any user in that group to assume the role in any "non-management" account.
However, in the "non-management" account, I am not able to set the trust policy to allow a "group" to assume the role; it seems like only individual users are allowed. However, this means in the management account, whenever I add a user, I have to manually then come into each "non-management" account and update the trust policy to now allow this new user to assume the role as well. Obviously, this isn't ideal, and I'm sure there's a simpler way to automate this.
Or is this even the best approach to doing this? I've also tried the hub and spoke approach with a single non-SSO user in the management account. This works, but somehow seems like it's not a clean approach.
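As an added example (not the poster's own configuration), the account-level trust pattern in Terraform: the member-account role trusts the management account as a whole, and the management account's group policy decides which users may actually assume it, so adding a user to the group requires no change in the member accounts. Account IDs, role and group names, and the provider aliases are placeholders.

```hcl
# Member (non-management) account, applied with a provider for that account.
# Trusting the management account's root principal delegates the decision of
# WHICH user may assume this role to the management account's own IAM policies.
variable "management_account_id" { type = string }   # placeholder, e.g. "111111111111"

data "aws_iam_policy_document" "terraform_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.management_account_id}:root"]
    }
  }
}

resource "aws_iam_role" "terraform" {
  provider           = aws.member            # assumed provider alias for the member account
  name               = "TerraformRole"       # placeholder role name
  assume_role_policy = data.aws_iam_policy_document.terraform_trust.json
}

# Management account, applied with a provider for that account.
# Only members of this group receive sts:AssumeRole on the member-account roles;
# listing explicit account IDs (not "*") keeps the grant least-privilege.
variable "member_account_ids" { type = list(string) }  # placeholder list of member account IDs

data "aws_iam_policy_document" "assume_terraform" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [for id in var.member_account_ids : "arn:aws:iam::${id}:role/TerraformRole"]
  }
}

resource "aws_iam_group" "terraform_operators" {
  provider = aws.management                  # assumed provider alias for the management account
  name     = "TerraformOperators"            # placeholder group name
}

resource "aws_iam_group_policy" "assume_terraform" {
  provider = aws.management
  name     = "AssumeTerraformRole"
  group    = aws_iam_group.terraform_operators.name
  policy   = data.aws_iam_policy_document.assume_terraform.json
}
```

Because the trust policy names the management account rather than individual users, the member-account side stays fixed and CloudTrail in each member account still records which management-account principal performed each AssumeRole call.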