A simple tool to get structured information about accounts and groups from the IAM Identity Center (successor to AWS Single Sign-On).
The IAM Identity Center (successor to AWS Single Sign-On) user interface in the browser console can be hard and time-consuming to navigate, especially if you want to view the accounts attached to a group.
This tool doesn't do anything you cannot do with the console or the CLI. It just makes it easier to see everything in one single overview.
To get an overview of the accounts attached to groups you first have to retrieve data from several APIs and then combine it. This is done as follows:
- Get all accounts in the organization
- Get the SSO permission sets provisioned to each of those accounts
- List the account SSO assignments for each account and permission set, and keep only the ones whose principalType is GROUP (the principalId is then the group id)
- Describe each SSO group to get its DisplayName
- Combine the data into one of the structures shown below
The data structure can be chosen by using the groups or accounts command.
Accounts attached to groups (groups command):
{
  "GROUP_DISPLAY_NAME": [
    {
      "AccountName": "ACCOUNT_NAME",
      "AccountId": "ACCOUNT_ID"
    },
    {
      "AccountName": "ACCOUNT_NAME",
      "AccountId": "ACCOUNT_ID"
    }
  ]
}
Groups attached to accounts (accounts command):
{
  "ACCOUNT_ID": {
    "AccountName": "ACCOUNT_NAME",
    "Groups": [
      "GROUP_DISPLAY_NAME",
      "GROUP_DISPLAY_NAME"
    ]
  }
}
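The combining step of the procedure above, as an added Go example that is not the tool's own code: it takes the raw fields the three APIs return (organizations ListAccounts, sso-admin ListAccountAssignments, identitystore DescribeGroup) as plain structs, filled here with constructed sample data instead of live calls, and produces both layouts. It also handles two cases the summary glosses over: a group that reaches the same account through several permission sets is listed once, and a group id that DescribeGroup could not resolve is kept under its raw id rather than silently dropped. The struct and function names (Account, Assignment, GroupsView, AccountsView) and the sample ids are this example's own.

```go
package main

import (
	"encoding/json"
	"os"
	"sort"
)

// Account: the fields of an organizations ListAccounts entry the tool needs.
type Account struct {
	Id   string
	Name string
}

// Assignment: the fields of an sso-admin ListAccountAssignments entry the tool
// needs. That call takes an account id and a permission set ARN, which is why
// the permission sets provisioned to each account are listed first.
type Assignment struct {
	AccountId        string
	PermissionSetArn string
	PrincipalType    string // "USER" or "GROUP"
	PrincipalId      string
}

// AccountRef is one element under a group in the "groups" layout.
type AccountRef struct {
	AccountName string `json:"AccountName"`
	AccountId   string `json:"AccountId"`
}

// AccountGroups is one element of the "accounts" layout.
type AccountGroups struct {
	AccountName string   `json:"AccountName"`
	Groups      []string `json:"Groups"`
}

// groupAccountPairs reduces raw assignments to a set of (group display name,
// account id) pairs: USER principals are dropped, a group assigned to the same
// account through several permission sets appears once, and a group id missing
// from groupNames (DescribeGroup failed) is kept under its raw id, not lost.
func groupAccountPairs(assignments []Assignment, groupNames map[string]string) map[[2]string]bool {
	pairs := map[[2]string]bool{}
	for _, a := range assignments {
		if a.PrincipalType != "GROUP" {
			continue
		}
		name, ok := groupNames[a.PrincipalId]
		if !ok {
			name = a.PrincipalId
		}
		pairs[[2]string{name, a.AccountId}] = true
	}
	return pairs
}

// GroupsView builds GROUP_DISPLAY_NAME -> [{AccountName, AccountId}], sorted by account id.
func GroupsView(accounts []Account, assignments []Assignment, groupNames map[string]string) map[string][]AccountRef {
	byId := map[string]Account{}
	for _, acc := range accounts {
		byId[acc.Id] = acc
	}
	out := map[string][]AccountRef{}
	for p := range groupAccountPairs(assignments, groupNames) {
		out[p[0]] = append(out[p[0]], AccountRef{AccountName: byId[p[1]].Name, AccountId: p[1]})
	}
	for _, refs := range out {
		sort.Slice(refs, func(i, j int) bool { return refs[i].AccountId < refs[j].AccountId })
	}
	return out
}

// AccountsView builds ACCOUNT_ID -> {AccountName, Groups}, groups sorted by name.
// Accounts without any group assignment still appear, with an empty Groups list.
func AccountsView(accounts []Account, assignments []Assignment, groupNames map[string]string) map[string]AccountGroups {
	out := map[string]AccountGroups{}
	for _, acc := range accounts {
		out[acc.Id] = AccountGroups{AccountName: acc.Name, Groups: []string{}}
	}
	for p := range groupAccountPairs(assignments, groupNames) {
		e := out[p[1]] // zero value if the account is unknown to ListAccounts
		e.Groups = append(e.Groups, p[0])
		out[p[1]] = e
	}
	for _, e := range out {
		sort.Strings(e.Groups)
	}
	return out
}

// Constructed sample data standing in for the three API responses.
var SampleAccounts = []Account{{Id: "111111111111", Name: "prod"}, {Id: "222222222222", Name: "dev"}}
var SampleGroupNames = map[string]string{"g-1111": "Admins", "g-2222": "Developers"}
var SampleAssignments = []Assignment{
	{"111111111111", "arn:aws:sso:::permissionSet/ssoins-0/ps-admin", "GROUP", "g-1111"},
	{"111111111111", "arn:aws:sso:::permissionSet/ssoins-0/ps-readonly", "GROUP", "g-1111"}, // same group, second permission set
	{"222222222222", "arn:aws:sso:::permissionSet/ssoins-0/ps-admin", "GROUP", "g-1111"},
	{"222222222222", "arn:aws:sso:::permissionSet/ssoins-0/ps-dev", "GROUP", "g-2222"},
	{"222222222222", "arn:aws:sso:::permissionSet/ssoins-0/ps-dev", "USER", "u-alice"}, // filtered out
}

func main() {
	var v interface{} = GroupsView(SampleAccounts, SampleAssignments, SampleGroupNames)
	if len(os.Args) > 1 && os.Args[1] == "accounts" {
		v = AccountsView(SampleAccounts, SampleAssignments, SampleGroupNames)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	if err := enc.Encode(v); err != nil {
		panic(err)
	}
}
```

Run it with no argument for the groups layout or with `accounts` for the accounts layout; with the sample data, Admins resolves to both accounts once each, and the USER assignment for u-alice never appears in either layout.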
Required parameters:
--identityStoreId - The globally unique identifier for the identity store.
--instanceArn - The ARN of the IAM Identity Center instance under which the operation will be executed.
--region - The AWS region.
Groups data structure
go run . groups --identityStoreId IDENTITY_STORE_ID --instanceArn INSTANCE_ARN --region AWS_REGION
Accounts data structure
go run . accounts --identityStoreId IDENTITY_STORE_ID --instanceArn INSTANCE_ARN --region AWS_REGION
The tool uses the AWS SDK for Go v2; it picks up the AWS credentials set in your environment and uses them to sign requests to AWS.
The tool looks for credentials in the following environment variables:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN (optional; required when the access key belongs to temporary credentials, e.g. from an assumed role or an IAM Identity Center session)
Every call the tool makes is a list or describe operation, so prefer credentials limited to read-only access on Organizations, IAM Identity Center and the identity store over administrator keys.