Accelerate and Automate AWS IAM Identity Center Operations using Python.

blazeclan-akeshpatil — Wed, 05 Apr 2023 16:32:10 +0000

We all know that AWS IAM Identity Center (successor to AWS Single Sign-On) helps us securely create or connect workforce identities and manage their access centrally across AWS accounts and applications. IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type. In my career, I have seen customers having multi-account landing zone setup including 100+ AWS accounts and most of them used AWS IAM Identity Center to manage access to all these AWS accounts. While helping customers to manage IAM Identity Center, I found that if I need to associate new permissions set to all the accounts, I have to traverse through each and every OU, select individual AWS account in an OU and assign permissions set to the account. Using Click-Ops this is very difficult for the team who is managing Identity Center operations. This is where I found an opportunity to automate this process and, hence posting this blog.

AWS Services Used

AWS Identity Center (successor to AWS Single Sign-On)
AWS Organizations

Getting Started

Before we understand this automation, let's understand the steps involved in managing access through AWS Identity Center. I am assuming that you have completed AWS Identity Center setup, if not then please go through these
Pre-requisites and considerations

Prerequisites

An AWS account with AWS Organizations enabled. If you don’t have an account, sign up at https://aws.amazon.com.
Basic knowledge of Python.
IAM Identity Center prerequisites.
An identity provider (IAM Identity Center or one of the supported identity providers).
System with Python libraries to execute Python program.

Walkthrough

This automation project uses an excel sheet to source data for mapping permission sets and users/group to an account, organization unit (OU) or all the accounts in an OU. I recommend that you manage the IAM Identity Center identity on the group level as a best practice, every workforce user should be part of a group.

Main steps:

Step 1: Clone the GitHub repository.
Step 2: Update CSV file with required data.
Step 3: Update AWS account details in the program file.
Step 4: Install Python libraries for program execution.
Step 5: Execute Python Program.

Step 1: Clone the GitHub repository.
Clone URL:
https://github.com/blazeclan-akeshpatil/aws-iam-identity-center-ops-automation.git

Clone the GitHub repository to your local system. This repository contains example data files that you can use to update permission sets and users/groups to account(s). You can modify the example data with your own account IDs or OUs and resource names.

Step 2: Update CSV file with required data
This automation use CSV as a source of data and perform Identity center operations accordingly. You can find this CSV in the code at following path
file/Identity Center Access Management.xlsx
This CSV contains two worksheets.

Data - This is master data of AWS Organization and includes following tables. Please refer following screen shot for your reference

Each table has a purpose in this sheet

Targets- Permission sets and users/groups can be associated with either specific ACCOUNT or all the accounts in an OU
OU Name - Values are in the form OU_NAME[ORGANIZATION_UNIT_ID].
ACCOUNTS - Values are in the form ACCOUNT_NAME[ACCOUNT_NUMBER]
OPERATIONS- Add or Update or Delete

Identity Map - This worksheet provides source data for this automation and accordingly permission sets and users/groups will be associated with AWS accounts on AWS Identity Center Please refer following screen shot for your understanding.

Here is the description to understand this CSV better

Row 2 : Associate permissions set AWSPowerUser to user abcd@example.com on Sandbox OU
Row 3 : Associate permissions set ReadOnlyAccess to group AuditorsGroup on Sandbox account
Row 4 : Associate permissions set AdministratorAccess to group AdministratorsGroup on ALL accounts in an organization except management account of an organization

Let's take another example to understand various functionalities of this automation

Here is the description of the above snippet to understand this automation much better

Row 2 - Delete association of user abcd@example.com and permissions set AWSPowerUser from all the accounts in Sandbox OU
Row 3 - Delete association of group AuditorsGroup and permissions set ReadOnlyUser from Sandbox account
Row 4 - Associate permissions set AuditorsPolicy and group AuditorsGroup on ALL accounts in an organization except management account of an organization.

Please note, this program is stateless meaning it won't impact any other associations of permission sets and users/groups to AWS accounts. It just considers data from Excel sheet and perform associations/de-associations accordingly.

Step 3 - Update AWS account details in the program file
To execute this automation, we have to update AWS resource details in a configuration file. You can find this configuration file in the this code at path config/aws_properties.py
Please refer following snippet and the comments on each property for your reference

Step 4: Install Python libraries for program execution.
To install Python libraries, I have included requirements.txtin the code. You can find this file at root location in the source code. We need to install following libraries for successful execution of this program

1. boto3
2. pandas
3. awsretry
4. numpy
5. openpyxl

Assuming you can run pip command on your system, go to the project root directory and execute following command to install these libraries.

pip install -r requirements.txt

Step 5: Execute Python Program
Assuming that you have right credentials and system requirements to execute this code, update credentials in ~./aws/credentials file or if you are running it on Amazon EC2 then make sure that you have IAM role with sufficient permissions associated with the instance
To execute the program, go to root directory of the project and execute following command

python local_handler.py

This program print all the actions performed during execution and you can expects logs like below

Forem: blazeclan-akeshpatil

Accelerate and Automate AWS IAM Identity Center Operations using Python.

AWS Services Used

Getting Started

Prerequisites

Walkthrough