DEV Community

blazeclan-akeshpatil

Accelerate and Automate AWS IAM Identity Center Operations using Python.

AWS IAM Identity Center (successor to AWS Single Sign-On) lets you create or connect workforce identities and manage their access centrally across AWS accounts and applications. It is the recommended approach for workforce authentication and authorization on AWS for organizations of any size. In my career I have seen customers with multi-account landing zones of 100+ AWS accounts, and most of them used IAM Identity Center to manage access to all of those accounts. While helping customers operate Identity Center, I found that assigning a new permission set to every account means traversing each OU, selecting each account inside it, and assigning the permission set one account at a time. Done through the console (click-ops), this is slow and error-prone for the team that owns Identity Center operations. That is the gap this automation fills, and the reason for this post.

AWS Services Used

  1. AWS IAM Identity Center (successor to AWS Single Sign-On)
  2. AWS Organizations

Getting Started

Before we look at the automation, let's review the steps involved in managing access through IAM Identity Center. I am assuming that you have already completed the IAM Identity Center setup; if not, please go through the IAM Identity Center prerequisites and considerations first.

Prerequisites

  • An AWS account with AWS Organizations enabled. If you don’t have an account, sign up at https://aws.amazon.com.

  • Basic knowledge of Python.

  • IAM Identity Center prerequisites.

  • An identity source (the built-in IAM Identity Center directory or one of the supported external identity providers).

  • A system with Python and pip installed to run the program.

Walkthrough

This automation project uses an Excel workbook as the source of data for mapping permission sets and users/groups to a specific account, to all the accounts in an organizational unit (OU), or to all the accounts in the organization. As a best practice, manage Identity Center access at the group level: every workforce user should be a member of a group, and assignments should be made to groups rather than to individual users.

Main steps:

Step 1: Clone the GitHub repository.
Step 2: Update the Excel workbook with the required data.
Step 3: Update AWS account details in the configuration file.
Step 4: Install the Python libraries needed to run the program.
Step 5: Execute the Python program.

Step 1: Clone the GitHub repository.
Clone URL:
https://github.com/blazeclan-akeshpatil/aws-iam-identity-center-ops-automation.git

Clone the GitHub repository to your local system. It contains example data files that you can use to assign permission sets and users/groups to account(s). Replace the example data with your own account IDs, OU IDs and resource names.

Step 2: Update the Excel workbook with the required data
This automation uses an Excel workbook as its source of data and performs Identity Center operations accordingly. You can find the workbook in the code at the following path:
file/Identity Center Access Management.xlsx
The workbook contains two worksheets.

  1. Data - This is the master data of the AWS organization and includes the following tables. Please refer to the following screenshot for reference.

[Screenshot: the Data worksheet]

Each table in this sheet has a purpose:

  • Targets - A permission set and user/group can be associated with either a specific ACCOUNT or all the accounts in an OU.

  • OU Name - Values are in the form OU_NAME[ORGANIZATION_UNIT_ID].

  • ACCOUNTS - Values are in the form ACCOUNT_NAME[ACCOUNT_NUMBER].

  • OPERATIONS - Add, Update or Delete.

  2. Identity Map - This worksheet is the source data for the automation; permission sets and users/groups are associated with AWS accounts in IAM Identity Center according to its rows. Please refer to the following screenshot.

[Screenshot: the Identity Map worksheet, first example]

Here is how to read the rows in that screenshot:

  • Row 2: Associate permission set AWSPowerUser with user abcd@example.com on all accounts in the Sandbox OU
  • Row 3: Associate permission set ReadOnlyAccess with group AuditorsGroup on the Sandbox account
  • Row 4: Associate permission set AdministratorAccess with group AdministratorsGroup on ALL accounts in the organization except the organization's management account

Let's take another example to see the remaining functionality of this automation.

[Screenshot: the Identity Map worksheet, second example]

Here is how to read the rows in this second screenshot:

  • Row 2: Delete the association of user abcd@example.com and permission set AWSPowerUser from all the accounts in the Sandbox OU

  • Row 3: Delete the association of group AuditorsGroup and permission set ReadOnlyUser from the Sandbox account

  • Row 4: Associate permission set AuditorsPolicy with group AuditorsGroup on ALL accounts in the organization except the organization's management account

Please note that this program is stateless: it does not reconcile or touch any other associations of permission sets and users/groups with AWS accounts. It only reads the rows in the Excel workbook and performs the corresponding associations and de-associations. A Delete row therefore removes only the assignment it names, and an assignment that is simply dropped from the workbook is not removed from Identity Center.
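As an added example (not code from this post or from the linked repository), here is how workbook rows like the ones described above can be turned into a validated plan of create/delete account-assignment calls before anything touches the API. The row keys, the target tokens ACCOUNT / OU / ALL, the offline Organizations data and the instance and permission-set ARNs are assumptions; the boto3 method names and parameters (create_account_assignment, delete_account_assignment, list_accounts_for_parent, list_organizational_units_for_parent) are the real ones. It goes beyond the post in two places: it recurses into nested OUs, because list_accounts_for_parent returns only direct children, and it refuses the Update operation, whose meaning the post does not define.

```python
import re
from dataclasses import dataclass
from types import SimpleNamespace

# Added illustration for this post, not code from the linked repository. The
# row keys, the target tokens ACCOUNT / OU / ALL and the offline "org" data
# are assumptions that mirror the workbook columns the post describes.
TARGET_RE = re.compile(r"^(?P<name>[^\[\]]+)\[(?P<id>[^\[\]]+)\]$")  # NAME[ID]
OU_ID_RE = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")         # AWS OU id
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")                              # account id
OPS = {"ADD": "CREATE", "DELETE": "DELETE"}  # "Update" is undefined in the post: reject it

@dataclass(frozen=True)
class Action:
    op: str              # CREATE -> create_account_assignment, DELETE -> delete_account_assignment
    account_id: str
    permission_set: str
    principal_type: str  # USER or GROUP
    principal: str       # user/group name, resolved to an identity-store ID at apply time

def parse_target(value):
    """Split 'Sandbox[ou-abcd-11111111]' into ('Sandbox', 'ou-abcd-11111111')."""
    m = TARGET_RE.match(value.strip())
    if not m:
        raise ValueError(f"target must look like NAME[ID], got {value!r}")
    return m.group("name").strip(), m.group("id").strip()

def accounts_under_ou(org, ou_id):
    """Recurse into nested OUs: list_accounts_for_parent(ParentId=ou_id) returns direct members only."""
    found = list(org["ou_accounts"].get(ou_id, []))
    for child in org["ou_children"].get(ou_id, []):  # list_organizational_units_for_parent(ParentId=ou_id)
        found.extend(accounts_under_ou(org, child))
    return found

def expand_target(row, org):
    """Return the account IDs one workbook row applies to."""
    kind = row["target_type"].strip().upper()
    if kind == "ALL":  # list_accounts() minus describe_organization()'s management account
        return [a for a in sorted(org["all_accounts"]) if a != org["mgmt"]]
    _, ident = parse_target(row["target"])
    if kind == "OU" and OU_ID_RE.match(ident):
        return accounts_under_ou(org, ident)
    if kind == "ACCOUNT" and ACCOUNT_ID_RE.match(ident):
        return [ident]
    raise ValueError(f"bad target type/id: {kind!r} {ident!r}")

def build_plan(rows, org):
    """Validate and expand every row first, so a bad row aborts before any API call is made."""
    plan = {}  # dict keeps insertion order and drops duplicate Actions
    for row in rows:
        op = OPS.get(row["operation"].strip().upper())
        ptype = row["principal_type"].strip().upper()
        if op is None or ptype not in ("USER", "GROUP"):
            raise ValueError(f"unsupported row: {row}")
        for acct in expand_target(row, org):
            plan.setdefault(Action(op, acct, row["permission_set"].strip(), ptype, row["principal"].strip()))
    return list(plan)

def apply_plan(plan, sso_admin, instance_arn, permission_set_arn_of, principal_id_of):
    """One sso-admin call per Action; the resolver callables map names to ARNs / identity-store IDs."""
    for a in plan:
        kw = dict(InstanceArn=instance_arn, TargetId=a.account_id, TargetType="AWS_ACCOUNT",
                  PermissionSetArn=permission_set_arn_of(a.permission_set),
                  PrincipalType=a.principal_type, PrincipalId=principal_id_of(a.principal_type, a.principal))
        if a.op == "CREATE":
            sso_admin.create_account_assignment(**kw)
        else:
            sso_admin.delete_account_assignment(**kw)

def run_demo():
    """Constructed data: rows 2-4 of the post's first screenshot plus one Delete row."""
    org = {"mgmt": "111111111111",
           "all_accounts": ["111111111111", "222222222222", "333333333333", "444444444444"],
           "ou_accounts": {"ou-abcd-11111111": ["222222222222"],   # Sandbox OU
                           "ou-abcd-22222222": ["333333333333"],   # nested under Sandbox
                           "ou-abcd-33333333": ["444444444444"]},  # Workloads OU
           "ou_children": {"ou-abcd-11111111": ["ou-abcd-22222222"]}}
    rows = [
        dict(operation="Add", permission_set="AWSPowerUser", principal_type="USER",
             principal="abcd@example.com", target_type="OU", target="Sandbox[ou-abcd-11111111]"),
        dict(operation="Add", permission_set="ReadOnlyAccess", principal_type="GROUP",
             principal="AuditorsGroup", target_type="ACCOUNT", target="Sandbox[222222222222]"),
        dict(operation="Add", permission_set="AdministratorAccess", principal_type="GROUP",
             principal="AdministratorsGroup", target_type="ALL", target=""),
        dict(operation="Delete", permission_set="ReadOnlyUser", principal_type="GROUP",
             principal="AuditorsGroup", target_type="ACCOUNT", target="Sandbox[222222222222]"),
    ]
    plan = build_plan(rows, org)
    calls = []  # stand-in for boto3.client("sso-admin") that records calls instead of making them
    client = SimpleNamespace(create_account_assignment=lambda **kw: calls.append(("create", kw)),
                             delete_account_assignment=lambda **kw: calls.append(("delete", kw)))
    apply_plan(plan, client, "arn:aws:sso:::instance/ssoins-example",  # hypothetical instance ARN
               permission_set_arn_of=lambda n: f"arn:aws:sso:::permissionSet/ssoins-example/{n}",
               principal_id_of=lambda t, n: f"{t.lower()}-id-for-{n}")
    return plan, calls

if __name__ == "__main__":
    print(*run_demo()[0], sep="\n")
```

Run the file to print the plan it would execute. To go live, replace the SimpleNamespace with boto3.client("sso-admin") and the two lambdas with real lookups (list_permission_sets plus describe_permission_set for the ARN, and the identitystore GetUserId / GetGroupId calls for the principal ID). Both assignment calls are asynchronous and return a request status that you poll with describe_account_assignment_creation_status / describe_account_assignment_deletion_status. Always print and review the plan before applying it: a row with target ALL and AdministratorAccess is the highest-impact change you can make in Identity Center, and the separation between build_plan and apply_plan is what gives you a dry run.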

Step 3: Update AWS account details in the configuration file
To execute this automation, you have to update the AWS resource details in a configuration file. You can find this configuration file in the code at the path config/aws_properties.py.
Please refer to the following snippet and the comment on each property for reference.

[Screenshot: config/aws_properties.py with a comment on each property]

Step 4: Install the Python libraries needed to run the program.
To install the Python libraries, I have included a requirements.txt at the root of the source code. The following libraries are needed for successful execution of this program:

1. boto3
2. pandas
3. awsretry
4. numpy
5. openpyxl

Assuming pip is available on your system, go to the project root directory and run the following command to install them.

pip install -r requirements.txt

Step 5: Execute the Python program
Assuming that you have the right credentials and system requirements, put the credentials in ~/.aws/credentials or, if you are running on Amazon EC2, attach an IAM role with sufficient permissions to the instance. The program has to run with credentials for the account in which IAM Identity Center is enabled (the Organizations management account or an IAM Identity Center delegated administrator account), and the principal needs only the IAM Identity Center, Identity Store and Organizations permissions the program actually calls. Scope those down rather than running with AdministratorAccess: whoever holds this credential can grant access to every account in the organization.
To execute the program, go to the root directory of the project and run the following command.

python local_handler.py

The program prints every action it performs during execution, so you can expect log output like the following.

[Screenshot: example log output of a run]

Top comments (1)

santosh

Hi Akesh,

I am building a tool of similar capability to automate identity center operations.
Do we need to update the excel sheet manually or it is taken care by the script?

Regards,
Santosh