Does SSOEx hit AWSOrganizations API regularly? about aws-iam-identity-center-extensions HOT 3 CLOSED

Hi @allquixotic,

The solution hits Organizations API in only this scenario: when you had a link created with a root or ou_id scope value. When such a link is created, the solution triggers a state machine to resolve the target accounts list and this is only triggered when the permission set and the principal (user/group) referred in the link exists. This operation is also triggered only once for provisioning the link payload.

SCIM operations being done would trigger the solution calling AWS Identity Store API to resolve the GUID's for the username/group display name i.e. they don't trigger the Organizations API.

With regards to the no of times the Organizations API is invoked by the solution, you could look in your orgmain account us-east-1 region and see the number of runs the step function env-processTargetAccountSM is run. This is the maximum no of times the solution may have hit the Organizations API. I say maximum, because this state machine is triggered for root, ou_id and account_tag scopes , however Organizations API is only called for root and ou_id scopes only.

Hope this helps clarify. Do let us know if you have any other questions

from aws-iam-identity-center-extensions.

Hi @allquixotic , following up on this - do you need any other info from our end around this question?

from aws-iam-identity-center-extensions.

Hi, I'm all good with the info you provided. Thanks a lot - very informative. Since this isn't an issue with SSOEx, I'll close the issue.

from aws-iam-identity-center-extensions.