Overview
In today’s cloud-first world, managing access to resources efficiently and securely is one of the most critical aspects of cloud infrastructure. AWS IAM Identity Center (formerly AWS Single Sign-On) simplifies managing user identities and permissions across AWS environments.
This blog provides a step-by-step guide to automating the AWS IAM Identity Center using AWS CDK, offering a scalable and efficient solution.
Prerequisites
Before starting, make sure you have the following installed and set up on your local machine:
- Python 3.x (We will use Python for the AWS CDK project).
- AWS CDK (Install using npm install -g aws-cdk).
- AWS CLI (To configure your AWS credentials).
- AWS Account with appropriate permissions to create AWS IAM roles, Identity Store, and AWS SSO configurations.
AWS CDK Basics
The AWS Cloud Development Kit (CDK) is an open-source software development framework to model and provision cloud resources using familiar programming languages like Python, TypeScript, or Java.
Setting Up a Basic AWS CDK Project
1. Create a new AWS CDK project:
Open your terminal and run the following commands to initialize a new Python AWS CDK project:
```shell
mkdir iam-identity-center-cdk
cd iam-identity-center-cdk
cdk init app --language python
```
2. Install dependencies:
The AWS CDK uses AWS-specific libraries for resource provisioning. Install the required libraries:
```shell
# pyyaml is needed as well, because the stacks below import yaml to read the configuration files
pip install aws-cdk-lib constructs boto3 pyyaml
```
3. Bootstrapping the environment:
Bootstrapping sets up resources needed for the AWS CDK to deploy stacks in your account. Run:
```shell
cdk bootstrap
```
4. Write your first CDK stack:
You’ll write AWS CDK code to provision AWS resources in the aws_iam_sso directory.
Exploring the Project Structure
The project folder structure for our AWS IAM Identity Center automation is as follows:
```
iam-identity-center-cdk/
├── aws_iam_sso/
│   ├── add_users_to_groups.py
│   ├── aws_iam_sso_stack.py
│   └── iam_groups.py
├── app.py
├── group_users.yaml
├── groups.yaml
└── permission_sets.yaml
```
Code Explanation
Here’s a breakdown of the provided code, explaining the purpose and functionality of each script.
app.py –
This is the entry point for the AWS CDK application. It initializes the different stacks for managing AWS IAM groups, adding users to groups, and setting up the AWS IAM SSO configuration.
```python
#!/usr/bin/env python3
import aws_cdk as cdk

from aws_iam_sso.iam_groups import IamGroupsStack
from aws_iam_sso.add_users_to_groups import AddUsersStack
from aws_iam_sso.aws_iam_sso_stack import AwsIamSsoStack

app = cdk.App()
IamGroupsStack(app, "IamGroupsStack")
AddUsersStack(app, "AwsIamAddUsers")
AwsIamSsoStack(app, "AwsIamSsoStack")
app.synth()
```
This script imports the necessary modules and stacks from the other files (IamGroupsStack, AddUsersStack, AwsIamSsoStack) and invokes them to create the resources as per the YAML configuration files.
group_users.yaml –
This YAML file contains the mapping of AWS IAM groups to users. Each group has a list of associated users.
```yaml
group_users:
  - name: Admins
    users: ["admin@example.com"]
  - name: Developers
    users: ["developer1@example.com"]
  - name: Monitoring
    users: ["monitoring-user@example.com"]
```
In this example, the Admins group has one user, admin@example.com, and similarly, the Developers and Monitoring groups are populated with their respective users.
groups.yaml –
This YAML file defines AWS IAM groups, their names, and descriptions.
```yaml
groups:
  - name: Admins
    description: This group is created for all the administrators with full access to cloud resources.
  - name: Developers
    description: This group provides access to development, dev-tool accounts, and UAT accounts for developers.
  - name: Monitoring
    description: This group provides read-only access, billing access, and full access to monitoring services like Amazon CloudWatch.
```
The Admins group has full access to all AWS resources, the Developers group has access to tools for developers, and the Monitoring group has read-only access.
permission_sets.yaml –
This YAML file defines permission sets for AWS SSO. It specifies which AWS accounts and groups the permission sets apply to, along with the managed policies assigned.
```yaml
permission_sets:
  - name: "Developers-PermissionSet"
    description: "This permission set is associated with the Developers group, providing full access to relevant development tools and resources."
    accounts: ["Account-A", "Account-B", "Account-C"]
    groups: ["Developers"]
    managed_policies:
      - 'arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator'
      - 'arn:aws:iam::aws:policy/AmazonEC2FullAccess'
      - 'arn:aws:iam::aws:policy/AmazonRDSFullAccess'
      - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
      - 'arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess'
      - 'arn:aws:iam::aws:policy/AWSCodeCommitFullAccess'
      - 'arn:aws:iam::aws:policy/AWSCodePipeline_FullAccess'
  - name: "AdministratorAccess-PermissionSet"
    description: "This permission set grants full administrator access to the DevTool account."
    accounts: ["Account-C"]
    groups: ["Admins"]
    managed_policies:
      - 'arn:aws:iam::aws:policy/AdministratorAccess'
```
This file defines permission sets, such as Developers-PermissionSet, linked to specific AWS accounts and AWS IAM groups, with a list of associated managed policies.
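Because the three YAML files reference each other by name, a group or account that is referenced but never defined only surfaces as a KeyError during cdk synth, or worse, as an assignment that silently never gets created. The following pre-deployment check is an added example, not code from the post or its repository; it works on the structures yaml.safe_load returns, and the embedded GROUPS, GROUP_USERS, PERMISSION_SETS and ACCOUNTS values are constructed stand-ins for the post's files and the account map in aws_iam_sso_stack.py.

```python
import re

# Constructed stand-ins for what yaml.safe_load returns for the post's three YAML files
# (descriptions shortened, the Developers policy list cut to a subset).
GROUPS = {"groups": [{"name": "Admins", "description": "Administrators"},
                     {"name": "Developers", "description": "Developers"},
                     {"name": "Monitoring", "description": "Read-only and monitoring"}]}
GROUP_USERS = {"group_users": [{"name": "Admins", "users": ["admin@example.com"]},
                               {"name": "Developers", "users": ["developer1@example.com"]},
                               {"name": "Monitoring", "users": ["monitoring-user@example.com"]}]}
PERMISSION_SETS = {"permission_sets": [
    {"name": "Developers-PermissionSet", "groups": ["Developers"],
     "accounts": ["Account-A", "Account-B", "Account-C"],
     "managed_policies": ["arn:aws:iam::aws:policy/AmazonEC2FullAccess",
                          "arn:aws:iam::aws:policy/AmazonS3FullAccess"]},
    {"name": "AdministratorAccess-PermissionSet", "groups": ["Admins"], "accounts": ["Account-C"],
     "managed_policies": ["arn:aws:iam::aws:policy/AdministratorAccess"]}]}
# Friendly account name -> account id, as hard-coded in aws_iam_sso_stack.py (sample ids).
ACCOUNTS = {"Account-A": "123456789012", "Account-B": "098765432112", "Account-C": "567890123456"}

# AWS managed policies always live in the "aws" pseudo-account; anything else is a typo or a
# customer policy, which CfnPermissionSet takes via customer_managed_policy_references instead.
AWS_MANAGED_POLICY = re.compile(r"^arn:aws:iam::aws:policy/[A-Za-z0-9+=,.@_/-]+$")


def validate(groups: dict, group_users: dict, permission_sets: dict, accounts: dict) -> list:
    """Return a list of problems; an empty list means the three files agree with each other."""
    errors = []
    known_groups = {g["name"] for g in groups["groups"]}
    for entry in group_users["group_users"]:
        if entry["name"] not in known_groups:
            errors.append(f"group_users.yaml: unknown group {entry['name']}")
    seen = set()
    for ps in permission_sets["permission_sets"]:
        if ps["name"] in seen:  # would also collide as a CDK construct id in the stack loop
            errors.append(f"permission_sets.yaml: duplicate permission set {ps['name']}")
        seen.add(ps["name"])
        for g in ps["groups"]:
            if g not in known_groups:
                errors.append(f"{ps['name']}: unknown group {g}")
        for acc in ps["accounts"]:
            if acc not in accounts:  # would raise KeyError during cdk synth
                errors.append(f"{ps['name']}: unknown account {acc}")
        for arn in ps["managed_policies"]:
            if not AWS_MANAGED_POLICY.match(arn):
                errors.append(f"{ps['name']}: not an AWS managed policy ARN: {arn}")
    return errors
```

Running validate on the loaded files before app.synth() and aborting on a non-empty result keeps a misspelled group from turning into a permission set with no principal attached.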
iam_groups.py –
This file creates AWS IAM groups from the groups.yaml file using AWS Identity Store. The groups are provisioned with the given name and description.
```python
from aws_cdk import Stack, aws_identitystore as identitystore
from constructs import Construct
import yaml


class IamGroupsStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        with open("groups.yaml", "r") as groupsfile:
            yaml_groups = yaml.safe_load(groupsfile)

        for group in yaml_groups["groups"]:
            group_name = group["name"]
            group_desc = group["description"]
            # Construct ids must be unique within a stack: a fixed id such as "MyCfnGroup"
            # fails on the second loop iteration, so derive it from the group name.
            identitystore.CfnGroup(
                self,
                f"Group-{group_name}",
                display_name=group_name,
                identity_store_id="d-xxxxxxxxx",  # placeholder: your Identity Store ID
                description=group_desc,
            )
```
This stack reads groups.yaml, creates AWS IAM groups in AWS Identity Store, and associates them with descriptions.
aws_iam_sso_stack.py –
This file provisions AWS SSO permission sets and assigns them to users and groups across different AWS accounts.
```python
from aws_cdk import Stack, aws_sso as sso
from constructs import Construct


class AwsIamSsoStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Placeholder: the ARN of your IAM Identity Center instance.
        instance_arn = "arn:aws:sso:::instance/ssoins-xxxxxx"

        # Friendly account names used in the configuration, mapped to account IDs (sample values).
        account_list = {
            "Account-A": "123456789012",
            "Account-B": "098765432112",
            "Account-C": "567890123456",
        }

        # The permission sets are hard-coded here; permission_sets.yaml can be loaded with
        # yaml.safe_load in the same way groups.yaml is loaded in iam_groups.py.
        permission_sets = [
            {
                "name": "Developers",
                "description": "This permission set is associated with the Developers group providing access to resources.",
                "session_duration": 8,
                "accounts": ["Account-A", "Account-B", "Account-C"],
                "groups": ["Developers"],
                "managed_policies": [
                    "arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator",
                    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
                ],
            }
        ]

        for permission_set in permission_sets:
            permission_set_resource = sso.CfnPermissionSet(
                self,
                f'{permission_set["name"]}_Set',
                instance_arn=instance_arn,  # required property of CfnPermissionSet
                name=permission_set["name"],
                description=permission_set["description"],
                # CloudFormation expects an ISO 8601 duration such as "PT8H";
                # datetime.timedelta has no isoformat() method.
                session_duration=f'PT{permission_set["session_duration"]}H',
                managed_policies=permission_set["managed_policies"],
            )

            for acc in permission_set["accounts"]:
                acc_num = account_list[acc]
                for group in permission_set["groups"]:
                    sso.CfnAssignment(
                        self,
                        f'{permission_set["name"]}_{acc_num}_{group}_Assignment',
                        instance_arn=instance_arn,
                        permission_set_arn=permission_set_resource.attr_permission_set_arn,
                        # Placeholder: this must be the group's GroupId from the Identity Store,
                        # not its display name.
                        principal_id="group_id",
                        principal_type="GROUP",
                        target_id=acc_num,
                        target_type="AWS_ACCOUNT",
                    )
```
This stack creates the permission sets and assigns each one to the configured groups in every target AWS account.
add_users_to_groups.py –
This file adds users to their respective AWS IAM groups based on the group_users.yaml configuration.
```python
from aws_cdk import Stack, aws_identitystore as identitystore
from constructs import Construct
import yaml


class AddUsersStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        with open("group_users.yaml", "r") as usersfile:
            yaml_users = yaml.safe_load(usersfile)

        for entry in yaml_users["group_users"]:
            groupname = entry["name"]
            for user in entry["users"]:
                # Construct ids must be unique per membership: a fixed id such as
                # "MyCfnGroupMembership" fails on the second loop iteration.
                identitystore.CfnGroupMembership(
                    self,
                    f"Membership-{groupname}-{user}",
                    # Placeholders: CloudFormation needs the Identity Store GroupId and UserId
                    # here, not the display name and e-mail address from the YAML file.
                    group_id=groupname,
                    identity_store_id="d-xxxxxxxxxx",
                    member_id=identitystore.CfnGroupMembership.MemberIdProperty(user_id=user),
                )
```
This stack takes the user-to-group mapping from group_users.yaml and creates group memberships in the AWS Identity Store.
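Both aws_iam_sso_stack.py (principal_id) and add_users_to_groups.py (group_id and user_id) leave the Identity Store IDs as placeholders, because CloudFormation will not accept a display name or an e-mail address in their place. The helper below is an added example, not code from the post or its repository: it resolves those IDs by name through the Identity Store GetGroupId and GetUserId calls (boto3's get_group_id and get_user_id on the "identitystore" client), assumes each user's userName equals the e-mail address in group_users.yaml, and uses FakeIdentityStore, a constructed in-memory stand-in, so that it runs offline.

```python
# Identity Store ids are opaque strings; the post's stacks pass a group's display name and a
# user's e-mail where CfnGroupMembership and CfnAssignment need the GroupId and UserId instead.
# `client` below is a boto3 "identitystore" client, or any object with the same two methods.


def _unique(attribute_path: str, value: str) -> dict:
    # AlternateIdentifier shape accepted by the GetGroupId / GetUserId API calls.
    return {"UniqueAttribute": {"AttributePath": attribute_path, "AttributeValue": value}}


def group_id_for(client, store_id: str, display_name: str) -> str:
    """GroupId for a group by display name; the same value CfnAssignment.principal_id needs."""
    return client.get_group_id(IdentityStoreId=store_id,
                               AlternateIdentifier=_unique("displayName", display_name))["GroupId"]


def user_id_for(client, store_id: str, user_name: str) -> str:
    """UserId by userName (assumed here to equal the e-mail addresses in group_users.yaml)."""
    return client.get_user_id(IdentityStoreId=store_id,
                              AlternateIdentifier=_unique("userName", user_name))["UserId"]


def resolve_memberships(group_users: dict, store_id: str, client) -> list:
    """Map group_users.yaml to (construct_id, group_id, user_id) tuples, one per membership.

    The construct id is unique per pair, so a stack loop creating one CfnGroupMembership per
    tuple avoids the duplicate-id error a fixed id such as "MyCfnGroupMembership" causes.
    """
    memberships = []
    for entry in group_users["group_users"]:
        gid = group_id_for(client, store_id, entry["name"])
        for user_name in entry["users"]:
            uid = user_id_for(client, store_id, user_name)
            cid = f"Membership-{entry['name']}-{user_name}".replace("@", "-at-").replace(".", "-")
            memberships.append((cid, gid, uid))
    return memberships


class FakeIdentityStore:
    """Constructed in-memory stand-in for the boto3 client so the resolver runs offline."""
    GROUPS = {"Admins": "g-admins", "Developers": "g-developers", "Monitoring": "g-monitoring"}
    USERS = {"admin@example.com": "u-admin", "developer1@example.com": "u-developer1",
             "monitoring-user@example.com": "u-monitoring"}

    def get_group_id(self, *, IdentityStoreId, AlternateIdentifier):
        return {"GroupId": self.GROUPS[AlternateIdentifier["UniqueAttribute"]["AttributeValue"]]}

    def get_user_id(self, *, IdentityStoreId, AlternateIdentifier):
        return {"UserId": self.USERS[AlternateIdentifier["UniqueAttribute"]["AttributeValue"]]}
```

In the real stacks, pass boto3.client("identitystore") as client at synth time and feed the resulting ids into the CfnGroupMembership and CfnAssignment properties; a lookup that raises for an unknown name is the right outcome, since it stops a membership or assignment from being created against the wrong principal.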
Deploying the Stack
Once your code is ready, you can deploy it using the following commands:
```shell
cdk synth
cdk deploy
```
GitHub Repository
You can refer to this code on GitHub, a reference for anyone looking to automate AWS IAM Identity Center configurations using AWS CDK.
- GitHub Repository Link: AWS IAM Identity Center Automation
Conclusion
Drop a query if you have any questions regarding AWS IAM Identity Center and we will get back to you quickly.
FAQs
1. What is the AWS CDK, and why should I use it to automate the AWS IAM Identity Center?
ANS: The AWS Cloud Development Kit (CDK) is an open-source framework that allows you to model and provision AWS cloud resources using familiar programming languages like Python. By using CDK for AWS IAM Identity Center automation, you can efficiently manage AWS IAM groups, users, and permissions across multiple AWS accounts, making the process scalable and repeatable.
2. How do I deploy the AWS IAM Identity Center automation stack?
ANS: After preparing your code, run the following commands:
- cdk synth to synthesize CloudFormation templates.
- cdk deploy to deploy the stack to your AWS account.
WRITTEN BY Pranav Borude