MCPcopy Index your code
hub / github.com/aws-samples/aws-iam-identity-center-extensions

github.com/aws-samples/aws-iam-identity-center-extensions @v3.1.9

Chat with this repo
repository ↗ · DeepWiki ↗ · release v3.1.9 ↗ · + Follow
228 symbols 555 edges 75 files 2 documented · 1%

Browse by type

Functions 121 Types & classes 107
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

AWS IAM Identity Center Extensions For Enterprise

Table of Contents

Overview

High level design

AWS IAM Identity Center Extensions for Enterprise simplifies the process to manage user access to AWS accounts with AWS IAM Identity Center by extending the AWS IAM Identity Center API.

Instead of separately managing AWS IAM Identity Center permission sets and account assignments, you can use this solution to describe permission sets with one API call per set. Like with permission sets, you can also define and implement account assignments at a global level, an organizational unit level or an account tag level. The solution ensures your defined permissions are rolled out across the entire AWS Organization, and that they are updated as you change your organization.

This solution can be used by your identity and access management team to simplify user access provisioning at scale, either via a RESTFul API or by defining and setting objects with your permissions descriptions in an S3 bucket. This enables you to integrate with upstream identity management systems you have in your organization.

Get started with the deployment!

Features

The Composite Permission Set API

This solution provides a composite API for managing permission set lifecycles, allowing you to:

  • Create a permission set object including attributes and policies in a single call
  • Update parts or all of a permission set object in a single call with a friendly name
  • Delete a complete permission set in a single call with a friendly name
  • Based on a configuration parameter, use either an S3 based interface or a RESTful API to upload permission set object as a whole
  • Enforce the "cannot delete" constraint when a permission set is being referenced in an account assignment

Example payload to create a permission set

{
  "action": "create",
  "permissionSetData": {
    "permissionSetName": "CloudOperator-ps",
    "sessionDurationInMinutes": "240",
    "relayState": "https://{{region}}.console.aws.amazon.com/console/home?region={{region}}#",
    "tags": [
      {
        "Key": "versionid",
        "Value": "01"
      },
      {
        "Key": "team",
        "Value": "CloudOperators"
      }
    ],
    "managedPoliciesArnList": [
      "arn:aws:iam::aws:policy/job-function/SystemAdministrator",
      "arn:aws:iam::aws:policy/job-function/NetworkAdministrator"
    ],
    "inlinePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "iam:AddRoleToInstanceProfile",
            "iam:CreateInstanceProfile",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion",
            "iam:DeleteInstanceProfile",
            "iam:DeletePolicy",
            "iam:DeleteRole",
            "iam:PassRole",
            "iam:UpdateRole",
            "iam:DeleteRolePermissionsBoundary",
            "iam:UpdateRoleDescription",
            "iam:RemoveRoleFromInstanceProfile"
          ],
          "Resource": [
            "arn:aws:iam::*:role/Application_*",
            "arn:aws:iam::*:policy/Application_*",
            "arn:aws:iam::*:instance-profile/Application_*"
          ],
          "Effect": "Allow",
          "Sid": "AllowOtherIAMActions"
        },
        {
          "Action": ["iam:List*", "iam:Generate*", "iam:Get*", "iam:Simulate*"],
          "Resource": "*",
          "Effect": "Allow",
          "Sid": "AllowReadIAMActions"
        }
      ]
    },
    "customerManagedPoliciesList": [
      {
        "Name": "cmp-1",
        "Path": "/cmp/1/"
      },
      {
        "Name": "cmp-2",
        "Path": "/cmp/2/"
      },
      {
        "Name": "cmp-3"
      }
    ],
    "permissionsBoundary": {
      "ManagedPolicyArn": "arn:aws:iam::aws:policy/job-function/NetworkAdministrator"
    }
  }
}

Example payload to update a permission set

{
  "action": "update",
  "permissionSetData": {
    "permissionSetName": "CloudOperator-ps",
    "sessionDurationInMinutes": "420",
    "relayState": "https://{{region}}.console.aws.amazon.com/console/home?region={{region}}#",
    "tags": [
      {
        "Key": "versionid",
        "Value": "02"
      },
      {
        "Key": "team",
        "Value": "CloudOperators"
      }
    ],
    "managedPoliciesArnList": [
      "arn:aws:iam::aws:policy/job-function/SystemAdministrator",
      "arn:aws:iam::aws:policy/job-function/NetworkAdministrator",
      "arn:aws:iam::aws:policy/AWSHealthFullAccess"
    ],
    "inlinePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["iam:List*", "iam:Generate*", "iam:Get*", "iam:Simulate*"],
          "Resource": "*",
          "Effect": "Allow",
          "Sid": "AllowReadIAMActions"
        }
      ]
    },
    "customerManagedPoliciesList": [
      {
        "Name": "cmp-1",
        "Path": "/cmp/1/"
      },
      {
        "Name": "cmp-2",
        "Path": "/cmp/2/"
      },
      {
        "Name": "cmp-3"
      }
    ],
    "permissionsBoundary": {
      "CustomerManagedPolicyReference": {
        "Name": "cmp-pb",
        "Path": "/cmp/pb/"
      }
    }
  }
}

Example payload to delete a permission set

{
  "action": "delete",
  "permissionSetData": {
    "permissionSetName": "CloudOperator-ps"
  }
}

Enterprise friendly account assignment life cycle

This solution enables enterprise friendly account assignment lifecycles through the following features:

  • Using users/groups as the mechanism for the principal type
  • Friendly names for users/groups and permission sets when creating account assignments
  • Based on the configuration parameter, you can use either an S3 based interface/ Rest API interface to create/delete account assignments
  • Create & delete account assignments with scope set to account, root, ou_id or account_tag
  • Using the entity value passed in the payload, the solution calculates the account list and processes the account assignment operations on all the accounts automatically
  • When using an ou_id scope type, the solution optionally provides nested OU support as well. This behaviour could be configured by setting SupportNestedOU to true in your environment configuration file. When configured, the solution discovers all the children under a specified ou_id traversing the complete tree and assigning the account assignment to every single account under the tree.

NOTE: Permission sets and user/group assignments cannot be applied to the Organization Main account (also known as the Master Payer) due to a design constraint of the AWS API. There is no available mechanism to programmatically manage the permission sets and user/group assignments of the Organization Main account.

Example payload to provision permission set CloudOperator-ps for all accounts in your organization and provide access to team-CloudOperators user group

{
  "action": "create",
  "linkData": "root%all%CloudOperator-ps%team-CloudOperators%GROUP%ssofile"
}

Example payload to provision permission set SecurityAuditor-ps for all accounts in your organization unit with ID ou-id12345 and provide access to team-SecurityAuditors user group

{
  "action": "create",
  "linkData": "ou_id%ou-id12345%SecurityAuditor-ps%team-SecurityAuditors%GROUP%ssofile"
}

Example payload to provision permission set DataScientist-ps for all accounts that have tagkey team set to value DataScientists and provide access to team-DataScientists user group

{
  "action": "create",
  "linkData": "account_tag%team^DataScientists%DataScientist-ps%team-DataScientists%GROUP%ssofile"
}

Example payload to provision permission set Billing-ps for account 123456789012 and provide access to team-Accountants user group

{
  "action": "create",
  "linkData": "account%123456789012%Billing-ps%team-Accountants%GROUP%ssofile"
}

Example payload to provision permission set Breakglass-ps for all accounts in your organization and provide access to break-glass user

{
  "action": "create",
  "linkData": "root%all%Breakglass-ps%break-glass%USER%ssofile"
}

Automated access change management for root, ou_id and account_tag scopes

The solution provides automated change access management through the following features:

  • If an account assignment has been created through the solution with scope set to root, and if a new account has been created at a later time, this new account is automatically provisioned with the account assignment.
  • If an account assignment has been created through the solution with scope set to ou_id, and an existing account moves out of this ou, this account assignment is automatically deleted from the account by the solution. If a new account is moved in to the ou, this account assignment is automatically created for the account by the solution.
  • The solution also supports nested OU behaviour for automated access change management. This behaviour could be configured by setting SupportNestedOU to true in your environment configuration file. If the nested OU support is configured, when an account moves from a source OU to a destination OU, the solution discovers all the parents of the source OU and destination OU until root , to determine the list of account assignments that need to be removed/added automatically.
  • If an account assignment has been created through the solution with scope set to account_tag, and an account is updated with this tag key value at a later time, this account assignment is automatically created for the new account by the solution. Additionally, when this tag key value is removed from the account/when this tag key is updated to a different value on the account at a later time, this account assignment is automatically deleted from the account by the solution.

Import existing AWS IAM Identity Center access entitlements for management through the solution

  • The solution enables a one-time import of existing AWS IAM Identity Center access entitlements for management through the solution
  • Based on the ImportCurrentSSOConfiguration flag in the configuration file, the solution would import all existing permission sets and account assignments so that they could be updated/deleted through the solution interfaces
  • The solution ensures that all related attributes of permission sets/account assignments are imported in a format that would allow you to manage them through the solution interfaces
  • All account assignments would be imported as account scope types
  • While the solution triggers an automatic import one-time through the pipeline, once enabled the env-importCurrentConfigSM state machine in your AWS IAM Identity Center account and AWS IAM Identity Center region could be run as many times as you require. You could refer to the execution input that the solution uses as part of the pipeline deployment for reference.

De-couple life cycle management of different SSO objects and other features

  • The solution enables de-coupling creation of permission sets , user groups and account assignment operations completely. They could be created in any sequence, thereby enabling enterprise teams to handle these objects lifecycles through different workflow process that align to their needs, and the solution would handle the target state appropriately
  • The solution enables usage of friendly names in managing permission set, account assignment life cycles and would handle the translation of friendly names into internal AWS IAM Identity Center GUID's automatically

Extension points exported contracts — how you extend this code

Core symbols most depended-on inside this repo

Shape

Function 86
Class 70
Interface 35
Method 35
Enum 2

Languages

TypeScript100%

Modules by API surface

lib/lambda-functions/helpers/src/interfaces.ts23 symbols
lib/lambda-functions/helpers/src/utilities.ts11 symbols
lib/stacks/pipeline/pipeline-stages.ts10 symbols
lib/lambda-functions/helpers/src/isoDurationUtility.ts8 symbols
bin/aws-sso-extensions-for-enterprise.ts8 symbols
test/aws-sso-extensions-for-enterprise.ts6 symbols
lib/stacks/region-switch/aws-sso-extensions-region-switch-discover.ts4 symbols
lib/stacks/region-switch/aws-sso-extensions-region-switch-deploy.ts4 symbols
lib/stacks/pipelineStageStacks/upgrade-to-v303.ts4 symbols
lib/stacks/pipelineStageStacks/sso-import-artefacts-part2.ts4 symbols
lib/stacks/pipelineStageStacks/sso-import-artefacts-part1.ts4 symbols
lib/stacks/pipelineStageStacks/sso-events-processor.ts4 symbols

For agents

$ claude mcp add aws-iam-identity-center-extensions \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page