MCPcopy Index your code
hub / github.com/awslabs/ssosync

github.com/awslabs/ssosync @v2.6.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release v2.6.1 ↗ · + Follow
389 symbols 1,389 edges 28 files 96 documented · 25%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

SSO Sync

Github Action gopherbadger-tag-do-not-edit Go Report Card License Apache 2 AWS SDK v2 Taylor Swift Built with Kiro

Seamlessly synchronize Google Workspace users and groups to AWS IAM Identity Center

SSO Sync is a powerful CLI tool and AWS Lambda function that enables automatic provisioning of Google Workspace (formerly G Suite) users and groups into AWS IAM Identity Center (formerly AWS SSO). Built with Go and powered by AWS SDK v2, it provides reliable, scalable, and secure identity synchronization.

✨ Key Features

  • 🔄 Uni-directional Sync: Supports both groups and users_groups sync methods
  • 🎯 Advanced Filtering: Flexible user and group filtering with Google API query parameters
  • 🛡️ Dry-Run Mode: Test synchronization without making actual changes
  • ⚡ High Performance: Built with AWS SDK v2 for improved performance and reliability
  • 🔧 Multiple Deployment Options: CLI, AWS Lambda, or AWS SAM deployment
  • 📊 Comprehensive Logging: Structured logging with configurable levels and formats
  • 🔐 Secure: AWS Secrets Manager integration for credential management
  • 📈 Scalable: Supports large directories with user caching and pagination

🚀 Quick Start

Use one of the quick start templates to simplify the your deployment. Use these templates, with the Sync from Git option, to make updates to your deployment far simpler.

🚀 Step-by-Step Guide

Want to dive straight in? Try this hands-on lab from the AWS Control Tower Workshop. The lab guides you through the complete setup process for both AWS and Google Workspace using the recommended Lambda deployment from the AWS Serverless Application Repository.

Installation Options

Method Best For Setup Time
AWS Serverless App Repository Production use 5 minutes
CLI Binary Local testing, CI/CD 2 minutes
AWS SAM Custom deployments 10 minutes

Why?

As per the AWS SSO Homepage:

AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.

Key part further down:

With AWS SSO, you can create and manage user identities in AWS SSO's identity store, or easily connect to your existing identity source including Microsoft Active Directory and Azure Active Directory (Azure AD).

AWS SSO can use other Identity Providers as well... such as Google Apps for Domains. Although AWS SSO supports a subset of the SCIM protocol for populating users, it currently only has support for Azure AD.

This project provides a CLI tool to pull users and groups from Google and push them into AWS SSO. ssosync deals with removing users as well. The heavily commented code provides you with the detail of what it is going to do.

⚠️ Important Notices

[!IMPORTANT] Region and IdentityStoreID are no longer configurable parameters. Region is extracted programmatically from the SCIM Endpoint URL, and IdentityStoreID is resolved automatically via the IAM Identity Center ListInstances API. These parameters are still present in template.yaml to avoid breaking deployment tooling for anyone passing a parameter file to the CloudFormation Stack. They will be fully removed in v3.x.

[!CAUTION] When using ssosync with an instance of IAM Identity Center integrated with AWS Control Tower. AWS Control Tower creates a number of groups and users (directly via the Identity Store API), when an external identity provider is configured these users and groups are can not be used to log in. However it is important to remember that because ssosync implemements a uni-directional sync it will make the IAM Identity Store match the subset of your Google Workspaces directory you specify, including removing these groups and users created by AWS Control Tower. There is a PFR #179 Configurable handling of 'manually created' Users/Groups in IAM Identity Center to implement an option to ignore these users and groups, hopefully this will be implemented in version 3.x. However, this has a dependancy on PFR #166 Ensure all groups/user creates in IAM Identity Store are via SCIM api and populate externalId field, to be able to reliably and consistently disinguish between SCIM Provisioned users from Manually Created users

[!WARNING] There are breaking changes for versions >= 0.02

[!WARNING] >= 1.0.0-rc.5 groups to do not get deleted in AWS SSO when deleted in the Google Directory, and groups are synced by their email address

[!WARNING] >= 2.0.0 this makes use of the Identity Store API which means: * if deploying the lambda from the AWS Serverless Application Repository then it needs to be deployed into the IAM Identity Center delegated administration account. Technically you could deploy in the management account but we would recommend against this. * if you are running the project as a cli tool, then the environment will need to be using credentials of a user in the IAM Identity Center delegated administration account, with appropriate permissions.

[!WARNING] >= 2.1.0 make use of named IAM resources, so if deploying via CICD or IaC template will require CAPABILITY_NAMED_IAM to be specified.

[!IMPORTANT] >= 2.1.0 switched to using provided.al2 powered by ARM64 instances.

[!IMPORTANT] As of v2.2.0 multiple query patterns are supported for both Group and User matching, simply separate each query with a ,. For full sync of groups and/or users specify '*' in the relevant match field. User match and group match can now be used in combination with the sync method of groups. Nested groups will now be flattened into the top level groups. External users are ignored. Group owners are treated as regular group members. User details are now cached to reduce the number of api calls and improve execution times on large directories.

References

Installation

The recommended installation is: * Setup IAM Identity Center, in the management account of your organization * Created a linked account Identity Account from which to manage IAM Identity Center * Delegate administration to the Identity account * Deploy the SSOSync app from the AWS Serverless Application Repository

You can also: You can go get github.com/awslabs/ssosync or grab a Release binary from the release page. The binary can be used from your local computer, or you can deploy to AWS Lambda to run on a CloudWatch Event for regular synchronization.

⚙️ Configuration

SSO Sync requires configuration from both Google Workspace and AWS sides.

Google Workspace Setup

  1. Enable Admin SDK API
  2. Go to Google Cloud Console
  3. Select API & Services > Enable APIs and Services
  4. Search for Admin SDK and Enable the API

  5. Create Service Account

  6. Follow this delegation tutorial
  7. Save the JSON credentials file as credentials.json
  8. Grant domain-wide delegation with these scopes:

    • https://www.googleapis.com/auth/admin.directory.group.readonly
    • https://www.googleapis.com/auth/admin.directory.group.member.readonly
    • https://www.googleapis.com/auth/admin.directory.user.readonly
  9. Specify Admin User

  10. You'll need the email address of a Google Workspace admin user

AWS Setup

  1. Enable IAM Identity Center
  2. Go to AWS IAM Identity Center console
  3. Select Settings → Enable automatic provisioning
  4. Copy the SCIM Endpoint URL and Access Token

  5. AWS Credentials

  6. Configure AWS credentials using any standard method:
    • AWS credentials file (~/.aws/credentials)
    • Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
    • IAM roles (for Lambda deployment)
  7. The executing role needs permissions for sso:ListInstances to auto-detect the Identity Store ID

🚀 Usage

CLI Usage

./ssosync --help

Basic Example

./ssosync \
  --google-admin admin@company.com \
  --google-credentials ./credentials.json \
  --endpoint https://scim.us-east-1.amazonaws.com/... \
  --access-token AQoDYXdzE... \
  --group-match "name:AWS*"

Advanced Examples

# Sync specific groups with dry-run
./ssosync \
  --group-match "name:Engineering*,email:aws-*" \
  --sync-method groups \
  --dry-run \
  --log-level debug

# Sync all users and groups
./ssosync \
  --user-match "*" \
  --group-match "*" \
  --sync-method users_groups

# Ignore specific users/groups
./ssosync \
  --group-match "*" \
  --ignore-users "service@company.com,bot@company.com" \
  --ignore-groups "temp-group@company.com"

Environment Variables

All CLI flags can be set via environment variables with the SSOSYNC_ prefix:

export SSOSYNC_GOOGLE_ADMIN="admin@company.com"
export SSOSYNC_GOOGLE_CREDENTIALS="./credentials.json"
export SSOSYNC_SCIM_ENDPOINT="https://scim.us-east-1.amazonaws.com/..."
export SSOSYNC_SCIM_ACCESS_TOKEN="AQoDYXdzE..."
export SSOSYNC_GROUP_MATCH="name:AWS*"
export SSOSYNC_DRY_RUN="true"

Configuration Options

Flag Environment Variable Description Default
--google-admin SSOSYNC_GOOGLE_ADMIN Google Workspace admin email Required
--google-credentials SSOSYNC_GOOGLE_CREDENTIALS Path to Google credentials JSON credentials.json
--customer-id SSOSYNC_CUSTOMER_ID Google Workspace customer ID my_customer
--endpoint SSOSYNC_SCIM_ENDPOINT AWS SCIM endpoint URL Required
--access-token SSOSYNC_SCIM_ACCESS_TOKEN AWS SCIM access token Required
--sync-method SSOSYNC_SYNC_METHOD Sync method (`g

Extension points exported contracts — how you extend this code

IdentityStoreAPI (Interface)
IdentityStoreAPI defines the interface for the AWS Identity Store API methods used in the application [2 implementers]
internal/interfaces/interfaces.go
SyncGSuite (Interface)
SyncGSuite is the interface for synchronizing users/groups [1 implementers]
internal/sync.go
Client (Interface)
Client represents an HTTP client interface
internal/http/client.go
Client (Interface)
Client is the Interface for the Client
internal/google/client.go
Client (Interface)
Client represents an interface of methods used to communicate with AWS SSO
internal/aws/client.go
IdentityStorePaginators (Interface)
(no doc)
internal/interfaces/interfaces.go
IdentityStorePaginatedAPI (Interface)
(no doc)
internal/interfaces/interfaces.go
ListUsersPaginator (Interface)
(no doc)
internal/interfaces/interfaces.go

Core symbols most depended-on inside this repo

Error
called by 123
internal/aws/client.go
Do
called by 60
internal/http/client.go
NewClient
called by 56
internal/aws/client.go
FindUserByEmail
called by 17
internal/aws/client.go
GetUsers
called by 16
internal/google/client.go
GetGroups
called by 13
internal/google/client.go
NewDryClient
called by 13
internal/aws/client_dry.go
NewDryIdentityStore
called by 12
internal/aws/identitystore_dry.go

Shape

Function 205
Method 142
Struct 30
Interface 10
TypeAlias 2

Languages

Go100%

Modules by API surface

internal/aws/client_test.go96 symbols
internal/aws/client.go51 symbols
internal/sync.go30 symbols
internal/interfaces/interfaces.go26 symbols
internal/sync_test.go24 symbols
internal/aws/client_dry.go20 symbols
internal/google/client_test.go16 symbols
internal/google/client.go15 symbols
cmd/root.go15 symbols
internal/aws/identitystore_dry.go13 symbols
internal/interfaces/schema.go11 symbols
internal/aws/identitystore/identitystore.go11 symbols

For agents

$ claude mcp add ssosync \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact