This project accelerates the implementation of AWS IAM Identity Center by automating the configuration of permission sets and account assignments using the AWS Cloud Development Kit (CDK).
Before you start, you should have the following prerequisites:
- An organization in AWS Organizations
- Groups in AWS IAM Identity Center
- Administrative access for the Organization Management account
- Python version 3.7.10 or later
- Git
- AWS CDK v2
Clone this repo:
$ git clone https://github.com/aws-samples/aws-iam-identity-center-automation.git
To create a virtualenv, run the following command after installing Python:
python3 -m venv .env
On macOS/Linux run the following command to activate your virtualenv:
source .env/bin/activate
On Windows run the following command to activate the virtualenv:
.env\Scripts\activate.bat
Once the virtualenv is activated, install the required dependencies:
pip install -r requirements.txt
We recommend configuring a named AWS CLI profile with the administrative credentials for the Organization Management account and passing it to the commands below with --profile. Alternatively, the following command sets up the default profile:
aws configure
Run the help (-h) command to make sure that your environment is set up correctly:
python id_center_automation.py id-center -h
You can use the following command to output a JSON file named "org_data.json" that describes your AWS Organization structure, including the IDs you will need in the AWS IAM Identity Center input files:
python id_center_automation.py describe-org --profile IAMIdentityCenter-test
Generate and deploy the CDK Bootstrap CloudFormation template manually.
macOS/Linux:
cdk bootstrap --show-template > ./cfn_templates/bootstrap-template.yaml
Windows:
powershell "cdk bootstrap --show-template | Out-File -encoding utf8 ./cfn_templates/bootstrap-template.yaml"
Once you have generated the CDK Bootstrap template, log in to the AWS Console and deploy it using CloudFormation.
This prepares the environment so that you can deploy your changes directly with CDK. We recommend reviewing the generated template before deploying it: by default the bootstrap template grants the CloudFormation execution role the AdministratorAccess managed policy (controlled by the template's CloudFormationExecutionPolicies parameter), and since this role lives in the Organization Management account you should confirm that is acceptable or supply a narrower policy.
Create your inline custom IAM policies as JSON files in the inline_policies subfolder; a few examples are already there.
Create a file named "permsets.json" in the root folder and put in the details for the permission sets you would like to create. You can use the example_permsets.json file included in the root folder to get started.
Next, create a file named "assignments.json" in the root folder and put in the details for the new account assignments you would like to create. Use the target to set the scope of each assignment: all accounts, all accounts under an OU, or one specific account. You can use the example_assignments.json file included in the root folder to get started.
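Because every policy in inline_policies ends up attached to a permission set in one or more accounts, it is worth linting those files for over-broad grants before generating the stack. The following is an added example, not part of the aws-iam-identity-center-automation project: it parses standard IAM policy documents and flags Allow statements with wildcard actions, service-wide wildcards, unconditioned `Resource: "*"`, NotAction/NotResource, and actions commonly usable for privilege escalation. The directory layout, the `PRIVILEGE_ESCALATION_ACTIONS` list and the two sample policies are assumptions constructed for the example.

```python
"""Lint inline IAM policy documents before they become permission sets.

Added example; not code from aws-iam-identity-center-automation. The policy
grammar is the standard IAM one; file layout, the escalation action list and
the sample policies below are assumptions made for this example.
"""
import json
import os
import sys
from typing import Dict, List

# Actions that let a principal grant or change access (assumed, non-exhaustive list).
PRIVILEGE_ESCALATION_ACTIONS = {
    "iam:*", "iam:createpolicyversion", "iam:attachrolepolicy", "iam:putrolepolicy",
    "iam:passrole", "sts:assumerole", "sso:*", "organizations:*",
}


def _as_list(value) -> List:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict) -> List[str]:
    """Return human-readable findings for one IAM policy document (empty list = clean)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid") or f"statement[{idx}]"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action except those listed")
        if "NotResource" in stmt:
            findings.append(f"{sid}: Allow with NotResource applies to every other resource")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f'{sid}: Action "*" grants every API action')
        for action in actions:
            if action == "*":
                continue  # already reported above
            if action in PRIVILEGE_ESCALATION_ACTIONS:
                findings.append(f"{sid}: {action} can be used to escalate privileges")
            elif action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard {action}")
        if "*" in resources and not stmt.get("Condition"):
            findings.append(f'{sid}: Resource "*" with no Condition')
    return findings


def lint_directory(path: str) -> Dict[str, List[str]]:
    """Lint every *.json file in a directory such as inline_policies/; returns {file: findings}."""
    results = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".json"):
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                results[name] = lint_policy(json.load(fh))
    return results


# Constructed sample policies for the example (not the repository's example files).
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "PassRole", "Effect": "Allow", "Action": ["iam:PassRole", "s3:GetObject"],
         "Resource": "*", "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "DenyIam", "Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    # Usage: python lint_inline_policies.py [directory]; exits 1 if anything is flagged.
    target = sys.argv[1] if len(sys.argv) > 1 else "inline_policies"
    report = lint_directory(target)
    for fname, issues in report.items():
        for issue in issues:
            print(f"{fname}: {issue}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it against inline_policies before the generate step; a non-zero exit means at least one policy needs a second look. The linter is deliberately conservative (it does not try to evaluate Conditions), so a finding is a prompt for review rather than a verdict.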
The following command generates the CloudFormation template for the configured changes without deploying it:
python id_center_automation.py id-center --region us-east-1 --profile IAMIdentityCenter-test --mgmtacct 123456789012 --permsets permsets.json --assignments assignments.json
Deploy the stack by adding the "--deploy" flag:
python id_center_automation.py id-center --region us-east-1 --profile IAMIdentityCenter-test --mgmtacct 123456789012 --permsets permsets.json --assignments assignments.json --deploy
Destroy the stack by adding the "--destroy" flag. Destroying the stack removes the permission sets and assignments it created, so any access granted through them is revoked:
python id_center_automation.py id-center --region us-east-1 --profile IAMIdentityCenter-test --mgmtacct 123456789012 --permsets permsets.json --assignments assignments.json --destroy
If deployment fails with the following error, CloudFormation StackSets does not yet have trusted access to AWS Organizations:
An error occurred (ValidationError) when calling the CreateStackSet operation: You must enable organizations access to operate a service managed stack set
Follow these instructions to enable trusted access: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.