Skip to content

Accelerate AWS IAM Identity Center (successor to AWS Single Sign-On (SSO)) implementation using AWS CDK. This CDK program allows you to conveniently define your own permission sets and assignments without the need to tediously create your own AWS CloudFormation templates for your AWS IAM Identity Center deployment minimizing the risk of human mi…

License

Notifications You must be signed in to change notification settings

aws-samples/aws-iam-identity-center-automation

AWS IAM Identity Center Configuration Automation

This project accelerates the implementation of # AWS IAM Identity Center by automating the configuration of permission sets and assignments using AWS Cloud Development Kit (CDK).

Prerequisites

Before you start you should have the following prerequisites:

Environment Set up

Clone this repo:

$ git clone https://github.com/aws-samples/aws-iam-identity-center-automation.git

To create a virtualenv run the following command after installing python:

python3 -m venv .env

On macOS/Linux run the following command to activate your virtualenv:

source .env/bin/activate

On Windows run the following command to activate the virtualenv:

.env\Scripts\activate.bat

Once the virtualenv is activated, install the required dependencies:

pip install -r requirements.txt

We recommend setting up a named profile for the AWS CLI using the administrative credentials for the Organization Management account to use when running commands. You can also configure your AWS profile using the following command, which will set up the default profile:

aws configure

Test

Run the Help (-h) command to make sure that you have your environment setup correctly:

python id_center_automation.py id-center -h

You can use the following command to output a JSON file named "org_data.json", that describes your AWS Organization structure with the necessary IDs to use in the AWS IAM Identity Center input files:

python id_center_automation.py describe-org --profile IAMIdentityCenter-test

Bootstrap AWS Environment

Generate and deploy the CDK Bootstrap CloudFormation template manually.

macOS/Linux:

cdk bootstrap --show-template > ./cfn_templates/bootstrap-template.yaml

Windows:

powershell "cdk bootstrap --show-template | Out-File -encoding utf8 ./cfn_templates/bootstrap-template.yaml"

Once you have the CDK Bootstrap template generated login to the AWS Console and deploy it using CloudFormation.

This prepares the environment so that you can deploy your changes directly using CDK. Please note, we always recommend a thorough review before deploying though.

AWS IAM Identity Center Automation

Custom Policies

Create all your inline custom IAM policies inside the sub folder inline_policies, there are a few examples there already.

Define Permission Sets

Create a file named “permsets.json” in the root folder and put in the details for the permission sets you would like to create. You can use the example_permsets.json file included in the root folder to get started.

Define Assignments

Next, create a text file named “assignments.json” in the root folder and put in the details for the new account assignments you would like to create. Use the target to change the scope with the option to apply to all accounts, all accounts under an OU or one specific account. You can use the example_assignments.json file included in the root folder to get started.

Generate, Deploy and Destroy

The following command will generate the cloudformation to apply the configured changes without deploying them

python id_center_automation.py id-center --region us-east-1 --profile IAMIdentityCenter-test --mgmtacct 123456789012 --permsets permsets.json --assignments assignments.json

Deploy the stack by adding the "--deploy" flag

python id_center_automation.py id-center --region us-east-1 --profile IAMIdentityCenter-test --mgmtacct 123456789012 --permsets permsets.json --assignments assignments.json --deploy

Destroy the stack by adding the "--destroy" flag

python id_center_automation.py id-center --region us-east-1 --profile IAMIdentityCenter-test --mgmtacct 123456789012 --permsets permsets.json --assignments assignments.json --destroy

Troubleshooting

Error: The CreateStackSet operation fails.

An error occurred (ValidationError) when calling the CreateStackSet operation: You must enable organizations access to operate a service managed stack set

Resolution: Enable Trusted Access.

Follow these instructions to Enable Trusted Access: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

About

Accelerate AWS IAM Identity Center (successor to AWS Single Sign-On (SSO)) implementation using AWS CDK. This CDK program allows you to conveniently define your own permission sets and assignments without the need to tediously create your own AWS CloudFormation templates for your AWS IAM Identity Center deployment minimizing the risk of human mi…

Topics

Resources

License

Code of conduct

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published