Prefix in Filter while searching for groups in Google Workspace Directory API does not work properly - google-admin-sdk

I am working on setting up AWS SSO using Google Workspace as the identity provider. I would like to import all Google Workspace groups starting with the prefix "AWS" in my AWS SSO directory.
However, the filter I am using after consulting the official documentation here does not seem to work properly. Using 'name:AWS*' returns not only the groups that are prefixed with "AWS", but also all groups containing the string in their name. Is this the intended behavior? If so, how could I exclude the groups I do not want to be returned? Thanks
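The practical workaround for the behaviour described above is to treat the server-side query only as a narrowing step and apply an exact prefix check on the client before importing anything into the SSO directory. The following is an added example (not code from the original post or from Google). It assumes the groups.list response shape documented for the Directory API: a dict with a "groups" list (each entry having "id", "email" and "name") and an optional "nextPageToken". The page fetcher is a constructed stand-in for the real call (service.groups().list(customer='my_customer', query='name:AWS*', pageToken=...).execute()), and the sample group names are constructed to mimic what the poster reports: substring matches coming back alongside true prefix matches.

```python
"""Keep only Google Workspace groups whose name starts with a given prefix.

Added example, not from the original post. The server-side filter 'name:AWS*'
also returns groups that merely contain "AWS", so the authoritative check is
done client-side with str.startswith before any group is imported.
"""
from typing import Callable, Dict, Iterator, List, Optional

Group = Dict[str, str]
# A page fetcher takes a page token (None for the first page) and returns
# one groups.list-style response dict.
PageFetcher = Callable[[Optional[str]], dict]


def iter_groups(fetch_page: PageFetcher) -> Iterator[Group]:
    """Walk every page of a groups.list-style response, following nextPageToken."""
    token: Optional[str] = None
    while True:
        resp = fetch_page(token)
        for group in resp.get("groups", []):
            yield group
        token = resp.get("nextPageToken")
        if not token:
            return


def groups_with_prefix(fetch_page: PageFetcher, prefix: str) -> List[Group]:
    """Return groups whose name begins with prefix (exact, case-sensitive).

    A group such as "Team-AWS-Billing" is rejected here even though the
    server-side query 'name:AWS*' returns it.
    """
    return [g for g in iter_groups(fetch_page) if g["name"].startswith(prefix)]


# --- constructed sample data standing in for the API (not real groups) ---
_SAMPLE_PAGES = {
    None: {
        "groups": [
            {"id": "g1", "email": "aws-admins@example.com", "name": "AWS-Admins"},
            {"id": "g2", "email": "team-aws@example.com", "name": "Team-AWS-Billing"},
        ],
        "nextPageToken": "p2",
    },
    "p2": {
        "groups": [
            {"id": "g3", "email": "aws-readonly@example.com", "name": "AWS-ReadOnly"},
            {"id": "g4", "email": "laws@example.com", "name": "Laws-Committee"},
        ],
    },
}


def sample_fetch_page(page_token: Optional[str]) -> dict:
    """Stand-in for the real Directory API call; serves the constructed pages above."""
    return _SAMPLE_PAGES[page_token]


if __name__ == "__main__":
    # Prints only AWS-Admins and AWS-ReadOnly; the two substring matches are dropped.
    for g in groups_with_prefix(sample_fetch_page, "AWS"):
        print(g["email"], g["name"])
```

Replace sample_fetch_page with a function that calls the real API with the given pageToken and the import loop stays the same; the prefix check is what guarantees that a group like "Team-AWS-Billing" never ends up with AWS permission sets it was not meant to have.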

Related

Is there an API to get which user groups are assigned to a certain application in Google Workspace?

In Google Workspace admin console, we can configure SSO for applications, and assign user groups to the application.
The group assignment can be checked using the following way:
https://support.google.com/a/answer/9050643?hl=en#step5&zippy=%2Csee-the-services-and-organizational-units-for-access-groups%2Cstep-check-service-access
Is there any API to retrieve this group assignment information?
I don't see any in Google Workspace Admin API.
Answer:
There's currently no API in Admin SDK that will retrieve this information.
Feature request:
If you're interested in this feature, I'd suggest you request it on Issue Tracker using this template.

Role-based access control with Google authentication

I have an application which allows OpenID Connect login. I need to be able to give the users admin/read-only access based on their roles or group membership. With Keycloak, I can configure the Client settings to include roles and groups in the JSON Web Key my application receives, and I can set up mappings within the application to assign the correct permissions to various roles or groups of users (depending on the mapping).
I'm surprised that I have not been able to find any clear answers to this mundane problem. Is nobody using Google in such a setup within their organization or am I missing something obvious?
I tried requesting various scopes related to groups or roles based on this document, but even though the consent page has changed to reflect this, the JWK did not contain any useful information.
How do I configure Google's authentication to return group membership or assigned roles in the token?
I don't think you can add more information to the ID Token that you get from Google. According to Google's OIDC discovery document, these are the claims that can be present in the ID token:
"claims_supported": [
    "aud",
    "email",
    "email_verified",
    "exp",
    "family_name",
    "given_name",
    "iat",
    "iss",
    "locale",
    "name",
    "picture",
    "sub"
]
Apparently, an organization administrator can limit which claims do end up in the ID token, so you might get a subset of these.
You should be able to get information about the user's group from one of the myriad APIs that Google exposes. Not sure if Cloud Identity is the one you're after, but there is an endpoint that returns information about groups: https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships/get If that's not the one, I think you could search the scopes page that you linked, and you should find the relevant scope there. The scope will be tied to a concrete API and this will be the API that you have to call to get the user's groups, roles, etc.

List all groups from AWS SSO via API?

I have a bunch of AWS SSO Groups I would like to list via the API so I can acquire the Name and GroupID. The API call ListGroups (https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_ListGroups.html) is pretty useless. It must filter on DisplayName and a value is currently required. As far as I could tell via the old AWS Forums, a wild card search and impartial searches are not allowed. I've tried them myself (impartial and wildcard) with the boto3 SDK and nope. Afterwards, I'd like to use the existing API calls to assign permissionsets to said groups.
AWS cannot be serious in that they don't have an API call to list the groups present?
aws identitystore list-groups --identity-store-id=d-xxxxxxxx

Find Resources a GCP service account is tied to within a project

I am doing a quick inventory of our service accounts within a particular GCP project and I want to find all the resources a specific service account has access to. This seems like it'd be a simple lookup, since a GCP policy is simply an Identity given a role on a particular resource, however it doesn't seem like gcloud has this specific lookup... unless I'm missing something. I can find the service account/role combination via IAM or gcloud beta asset search-all-iam-policies but the final portion of the query seems to be missing.
To find all the resources authorized for a specific account, using the Cloud Asset Inventory is the good tool.
You can perform this kind of request
gcloud beta asset search-all-iam-policies \
    --scope=<Where to search> \
    --query="policy:<who to search>"
The scope is in which perimeter you are looking for. It can be
organizations/<OrganisationNumber>
folders/<folderNumber>
projects/<ProjectNumber or ProjectID>
The query is what you search for. Here, it is a policy with a specific service account email. So, set it and launch the request.
Is it what you are looking for?

is there any Google API to get list of regions with out project in the url path?

I am trying to retrieve all regions without needing the project name in the URL. I could not find the API. The equivalent CLI is "gcloud compute regions list".
Do you know the equivalent API URL?
Thanks
Kovi
"I am trying to retrieve all regions without needing the project name in the URL?"
You will need your Project ID and sometimes the Project Number for most API operations. The Project Name is not used.
The Project ID is required as not all zones are available to all projects. This API returns the zones that your Project ID can access.
This API does not return all Google Cloud zones. Some zones are not available to you.
"The equivalent CLI is "gcloud compute regions list". do you know equivalent API URL?"
The URL is:
https://compute.googleapis.com/compute/v1/projects/{project}/zones
The API documentation for this command is:
Compute Engine - Method: zones.list
The API documentation includes examples in a number of languages such as Python, Go, Java, etc.