Is there a way to interact with the AWS SSO service using the AWS-SDK?
https://aws.amazon.com/single-sign-on/
I am just looking for programmatic access to AWS SSO - with the AWS CLI or with the SDK or anything really.
Unfortunately there isn't. There is however an open issue on the AWS CLI for this - go there and upvote, that's probably the only way to make this happen.
https://github.com/aws/aws-cli/issues/3447
4/21/2021: Take a look at the AWS SSO documentation. There is now an API to manage permission sets and assigning them to users: https://docs.aws.amazon.com/singlesignon/latest/APIReference/welcome.html
Here's the blog on this feature that supports this API:
https://aws.amazon.com/blogs/security/use-new-account-assignment-apis-for-aws-sso-to-automate-multi-account-access/:
"AWS SSO recently added new account assignment APIs and AWS CloudFormation support to automate access assignment across AWS Organizations accounts. This release addressed feedback from our customers with multi-account environments who wanted to adopt AWS SSO, but faced challenges related to managing AWS account permissions. To automate the previously manual process and save your administration time, you can now use the new AWS SSO account assignment APIs, or AWS CloudFormation templates, to programmatically manage AWS account permission sets in multi-account environments.
With AWS SSO account assignment APIs, you can now build your automation that will assign access for your users and groups to AWS accounts. You can also gain insights into who has access to which permission sets in which accounts across your entire AWS Organizations structure."
I would like to share this tool that I did using docker. https://hub.docker.com/r/javiortizmol/aws_sso_magic
The image contains:
aws cli v2.
Python 3.9.
aws-sso-magic
Or just install it from pypi.org https://pypi.org/project/aws-sso-magic/
Related
Looking at this guide:
https://aws.amazon.com/blogs/security/use-new-account-assignment-apis-for-aws-sso-to-automate-multi-account-access/
It only shows how to assign permission sets to already existing users. Also looking at the cloudformation documentation, it does not mention anything about users.
Is there a way to create aws sso users via cloudformation or cdk?
Sadly this is not yet supported. AWS docs say that in future such support should be added, at least to AWS API, which then you could use from custom resources in CloudFormation:
Future updates to AWS SSO Identity Store APIs, including additions for creation and modification of users and groups, will be documented in this reference as they are released.
If you are looking for Infrastructure as Code you can use Terraform and Boto3 to create SSO users.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/identitystore_user
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/identitystore.html#client
I was wondering if I could use AWS organisation and AWS SSO to provide access to AWS services to someone without an AWS account.
Is it possible using the above mentioned services or some other way?
AWS SSO could be used which would utilise the credentials of whatever Identity Provider you can connect to SSO i.e. OKTA/Active Directory etc.
With that setup an AWS account would not be provided as their access would be assumed through a permission set/role you create, and they can consume AWS services
https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html
My goal is to use Okta SSO integrated with AWS SSO to integrate all user Sign-in and permission management for AWS resources from the Okta, using accounts configured on Okta.
I also want it so that each user on Okta has their own Amazon Workspace Windows instance using their Okta credentials.
I currently have a Simple AD (Directory Service) configured on the AWS account, exclusively for Amazon Workspaces access.
Is this a possible goal that can be achieved using OKta, AWS SSO and Directory Service? After going through each of their documentations I am still not clear if these services have the capability to integrate this way.
Any Advice would be appreciated.
There are two topics in this question.
AWS SSO:
There is a standard integration in the AWS Documentation.
https://docs.aws.amazon.com/singlesignon/latest/userguide/okta-idp.html
AWS WorkSpaces:
You mentioned that you use currently SimpleAD, in case you want to switch the IdP for your WorkSpaces you should be aware that you need to re-provision the WorkSpaces. I've not as much experience with OKTA, but I think there are two options.
In case you've already a Active Directory you should be able to integrate it with WorkSpaces (AD Connector or AWS Managed AD with forest trust)
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_tutorial_setup_trust.html
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html
In case there is no pre-existing AD, you should be able to sync the users with a AWS Managed AD.
https://help.okta.com/en/prod/Content/Topics/Directory/ad-agent-integrate-existing.htm
OKTA MFA integration for WorkSpaces:
https://aws.amazon.com/blogs/desktop-and-application-streaming/integrating-okta-mfa-with-amazon-workspaces/
I'm working with AWS. Specifically, I have an AWS Educate account with $ 100 free. When I go to the AWS Organizations service, I get a message saying: you don't have permission to access this resource. I've tried to add a full organization permission to the user, but I still have the same error.
Furthermore, I use the EMR cluster and the S3 bucket.
Anyone could help me?
AWS Organizations is one of the services that are not supported in AWS Educate Starter Accounts. Please refer to this document to learn about supported services.
If you want to use AWS Organizations, you can create a regular AWS account here. You can have as many accounts as you want (in fact, that’s something that AWS Organization helps you with: Multi-account management).
We have multiple AWS accounts (about 15-20), one AWS account per client that we are managing, each account having VPC having dedicated setup of instances. Due to regulatory requirements all accounts needs to be isolated from each other.
What is the best way to manage account credentials for these AWS accounts? Following is what I am thinking
-For any new client
Create a new AWS account
Create AWS IAM roles (admin, developer,
tester) for newly created account using cloudformation
Using master
AWS account, assume roles created in step 2 to access other
accounts.
Is this the right approact to manage multiple accounts?
Thanks in advance.
Facilitating IAM Roles is a very common and (I think) the right approach to manage authentication for multiple accounts indeed, AWS has just recently released resp. updates that greatly help with this, see Cross-Account Access in the AWS Management Console:
Many AWS customers use separate AWS accounts (usually in conjunction with Consolidated Billing) for their development and production resources. This separation allows them to cleanly separate different types of resources and can also provide some security benefits.
Today we are making it easier for you to work productively within a multi-account (or multi-role) AWS environment by making it easy for you to switch roles within the AWS Management Console. You can now sign in to the console as an IAM user or via federated Single Sign-On and then switch the console to manage another account without having to enter (or remember) another user name and password.
Please note that this doesn't just work for the AWS Management Console, but also with the AWS Command Line Interface (AWS CLI), as greatly explored/explained in by Mitch Garnaat in Switching Roles in the AWS Management Console and AWSCLI.
Furthermore, Mitch has followed up with a dedicated new tool 'rolemodel' to help with setting things up pretty much like you outlined, which you might want to evaluate accordingly:
Rolemodel is a command line tool that helps you set up and maintain cross-account IAM roles for the purpose of using them in the new switch role capability of the AWS management console. These same cross-account roles can also be used with the AWSCLI as described here.