Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
DiceTechnology/ssosync
Helping you populate AWS SSO directly with your Google Apps users
SSO Sync will run on any platform that Go can build for. It is available in the AWS Serverless Application Repository.
⚠️ There are breaking changes for versions >= 0.02.
⚠️ >= 1.0.0-rc.5: groups do not get deleted in AWS SSO when they are deleted in the Google Directory, and groups are synced by their email address.
⚠️ >= 2.0.0: this makes use of the Identity Store API, which means:
- If deploying the Lambda from the AWS Serverless Application Repository, it needs to be deployed into the IAM Identity Center delegated administration account. Technically you could deploy it in the management account, but we would recommend against this.
- If you are running the project as a CLI tool, the environment will need to be using credentials of a user in the IAM Identity Center delegated administration account, with appropriate permissions.
As per the AWS SSO Homepage:
AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.
Key part further down:
With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source including Microsoft Active Directory and Azure Active Directory (Azure AD).
AWS SSO can use other Identity Providers as well... such as Google Apps for Domains. Although AWS SSO supports a subset of the SCIM protocol for populating users, it currently only has support for Azure AD.
This project provides a CLI tool to pull users and groups from Google and push them into AWS SSO. ssosync deals with removing users as well. The heavily commented code provides you with the detail of what it is going to do.
- SCIM Protocol RFC
- AWS SSO - Connect to Your External Identity Provider
- AWS SSO - Automatic Provisioning
- AWS IAM Identity Center - Identity Store API
The recommended installation is:
- Set up IAM Identity Center in the management account of your organization
- Create a linked account, `Identity`, from which to manage IAM Identity Center
- Delegate administration to the `Identity` account
- Deploy the SSOSync app from the AWS Serverless Application Repository
You can also `go get github.com/awslabs/ssosync` or grab a release binary from the release page. The binary can be used from your local computer, or you can deploy it to AWS Lambda to run on a CloudWatch Event for regular synchronization.
You need a few items of configuration: one side from AWS, and the other from Google Cloud, to allow for API access to each. You should have configured Google as your Identity Provider for AWS SSO already.
You will need the files produced by these steps for AWS Lambda deployment as well as for locally running the ssosync tool.
First, you have to set up your API. In the project you want to use, go to the Console and select API & Services > Enable APIs and Services. Search for Admin SDK and Enable the API.
You have to perform this tutorial to create a service account that you use to sync your users. Save the JSON file you create during the process and rename it to `credentials.json`.
You can also use the `--google-credentials` parameter to explicitly specify the file with the service credentials. Please keep this file safe, or store it in AWS Secrets Manager.
In the domain-wide delegation for the Admin API, you have to specify the following scopes for the user.
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
Back in the Console, go to the Dashboard for the API & Services and select "Enable API and Services". In the Search box type Admin and select the Admin SDK option. Click the Enable button.
You will have to specify the email address of an admin via `--google-admin` to assume this user's role in the Directory.
Go to the AWS Single Sign-On console in the region you have set up AWS SSO and select Settings. Click Enable automatic provisioning.
A pop-up will appear with the URL and the Access Token. The Access Token will only appear at this stage. You want to copy both of these as parameters to the `ssosync` command.
Or specify these as environment variables:

```
SSOSYNC_SCIM_ACCESS_TOKEN=<YOUR_TOKEN>
SSOSYNC_SCIM_ENDPOINT=<YOUR_ENDPOINT>
```
Additionally, authenticate your AWS credentials. Follow this section to create a Shared Credentials File in the home directory or export your credentials with environment variables. Ensure that the default credentials are for the AWS account you intend to be synced.
To obtain your Identity store ID, go to the AWS Identity Center console and select Settings. Under the Identity Source section, copy the Identity store ID.
```bash
git clone https://github.com/awslabs/ssosync.git
cd ssosync/
make go-build
./ssosync --help
```

```
A command line tool to enable you to synchronise your GoogleApps (Google Workspace) users to AWS Single Sign-on (AWS SSO)
Complete documentation is available at https://github.com/awslabs/ssosync

Usage:
  ssosync [flags]

Flags:
  -t, --access-token string         AWS SSO SCIM API Access Token
  -d, --debug                       enable verbose / debug logging
  -e, --endpoint string             AWS SSO SCIM API Endpoint
  -u, --google-admin string         Google Workspace admin user email
  -c, --google-credentials string   path to Google Workspace credentials file (default "credentials.json")
  -g, --group-match string          Google Workspace Groups filter query parameter, example: 'name:Admin* email:aws-*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
  -h, --help                        help for ssosync
      --ignore-groups strings       ignores these Google Workspace groups
      --ignore-users strings        ignores these Google Workspace users
      --include-groups strings      include only these Google Workspace groups, NOTE: only works when --sync-method 'users_groups'
      --log-format string           log format (default "text")
      --log-level string            log level (default "info")
  -s, --sync-method string          Sync method to use (users_groups|groups) (default "groups")
  -m, --user-match string           Google Workspace Users filter query parameter, example: 'name:John* email:admin*', see: https://developers.google.com/admin-sdk/directory/v1/guides/search-users
  -v, --version                     version for ssosync
  -r, --region                      AWS region where identity store exists
  -i, --identity-store-id           AWS Identity Store ID
```
The function has two behaviours, controlled by the `--sync-method` flag:
- `groups` (default): the sync procedure works based on groups. It gets the Google Workspace groups and their members, then creates in AWS SSO the users (the members of the Google Workspace groups), then the groups, and at the end assigns the users to their respective groups.
- `users_groups` (original behaviour, previous versions): the sync procedure is simple. It gets the Google Workspace users and creates them as AWS SSO Users; then it gets the Google Workspace groups, creates them as AWS SSO Groups and assigns the users to the AWS SSO Groups.
Flag notes:
- `--include-groups` only works when `--sync-method` is `users_groups`.
- `--ignore-users` works for both `--sync-method` values. Example: `--ignore-users user1@example.com,user2@example.com` or `SSOSYNC_IGNORE_USERS=user1@example.com,user2@example.com`
- `--ignore-groups` works for both `--sync-method` values. Example: `--ignore-groups group1@example.com,group1@example.com` or `SSOSYNC_IGNORE_GROUPS=group1@example.com,group1@example.com`
- `--group-match` works for both `--sync-method` values and also in combination with `--ignore-groups` and `--ignore-users`. This is the filter query passed to the Google Workspace Directory API when searching groups; if the flag is not used, groups are not filtered.
- `--user-match` works for both `--sync-method` values and also in combination with `--ignore-groups` and `--ignore-users`. This is the filter query passed to the Google Workspace Directory API when searching users; if the flag is not used, users are not filtered.
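The `groups` sync method and the `--ignore-users` / `--ignore-groups` filters described above, as an added worked example (not ssosync's own code): it computes the create-and-assign plan from a constructed Google directory before any AWS call would be made, so the effect of the ignore lists can be reviewed offline. The `GoogleGroup` and `SyncPlan` types are illustrative assumptions.

```go
package main

import "fmt"

// GoogleGroup is a constructed stand-in for a Google Workspace group (not an ssosync type).
type GoogleGroup struct {
	Email   string
	Members []string
}

// SyncPlan is what the "groups" method would create and assign in AWS SSO,
// computed before any SCIM or Identity Store call is made.
type SyncPlan struct {
	Users       map[string]bool     // users to ensure exist: members of non-ignored groups
	Groups      []string            // groups to ensure exist
	Memberships map[string][]string // group email -> member emails to assign
}

// PlanGroupsSync follows the documented "groups" order: the Google groups and their
// members first, then the user set derived from those members, then the assignments.
// The ignore sets play the role of --ignore-users and --ignore-groups, which apply to both methods.
func PlanGroupsSync(groups []GoogleGroup, ignoreUsers, ignoreGroups map[string]bool) SyncPlan {
	plan := SyncPlan{Users: map[string]bool{}, Memberships: map[string][]string{}}
	for _, g := range groups {
		if ignoreGroups[g.Email] {
			continue // an ignored group contributes neither users nor memberships
		}
		plan.Groups = append(plan.Groups, g.Email)
		for _, m := range g.Members {
			if ignoreUsers[m] {
				continue // an ignored user is never created or assigned
			}
			plan.Users[m] = true
			plan.Memberships[g.Email] = append(plan.Memberships[g.Email], m)
		}
	}
	return plan
}

func main() {
	// Constructed sample directory, not real data.
	groups := []GoogleGroup{
		{Email: "aws-admins@example.com", Members: []string{"alice@example.com", "bob@example.com"}},
		{Email: "aws-readonly@example.com", Members: []string{"bob@example.com", "svc@example.com"}},
		{Email: "social@example.com", Members: []string{"carol@example.com"}},
	}
	plan := PlanGroupsSync(groups, map[string]bool{"svc@example.com": true}, map[string]bool{"social@example.com": true})
	fmt.Printf("users=%d groups=%v memberships=%v\n", len(plan.Users), plan.Groups, plan.Memberships)
}
```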
NOTES:
- Depending on the number of users and groups you have, you may get AWS SSO SCIM API rate limit errors; this happens more frequently if you execute the sync many times in a short time.
- Depending on the number of users and groups you have, the `--debug` flag generates too many log lines in your AWS Lambda function. So test locally with the `--debug` flag enabled and disable it when you use an AWS Lambda function.
NOTE: Using Lambda may incur costs in your AWS account. Please make sure you have checked the pricing for AWS Lambda and CloudWatch before continuing.
Running ssosync once means that any later changes to your Google directory will not appear in AWS SSO. To sync regularly, you can run ssosync via AWS Lambda.
You can use the AWS Serverless Application Model (SAM) to deploy this to your account.
Please install the AWS SAM CLI and GoReleaser.
Specify an Amazon S3 bucket for the upload with `export S3_BUCKET=<YOUR_BUCKET>`.
Execute `make package` in the console, which will package and upload the function to the bucket. You can then use the `packaged.yaml` to configure and deploy the stack in the AWS CloudFormation Console.
Build

```bash
aws cloudformation validate-template --template-body file://template.yaml 1>/dev/null && sam validate && sam build
```

Deploy

```bash
sam deploy --guided
```