SSO Sync
Helping you populate AWS SSO directly with your Google Apps users
SSO Sync will run on any platform that Go can build for. It is available in the AWS Serverless Application Repository.
⚠️ there are breaking changes for versions>= 0.02
⚠️ >= 1.0.0-rc.5groups to do not get deleted in AWS SSO when deleted in the Google Directory, and groups are synced by their email address
🤔 we hope to support other providers in the future
Why?
As per the AWS SSO Homepage:
AWS Single Sign-On (SSO) makes it easy to centrally manage access to multiple AWS accounts and business applications and provide users with single sign-on access to all their assigned accounts and applications from one place.
Key part further down:
With AWS SSO, you can create and manage user identities in AWS SSO’s identity store, or easily connect to your existing identity source including Microsoft Active Directory and Azure Active Directory (Azure AD).
AWS SSO can use other Identity Providers as well... such as Google Apps for Domains. Although AWS SSO supports a subset of the SCIM protocol for populating users, it currently only has support for Azure AD.
This project provides a CLI tool to pull users and groups from Google and push them into AWS SSO.
ssosync deals with removing users as well. The heavily commented code provides you with the detail of
what it is going to do.
References
- SCIM Protocol RFC
- AWS SSO - Connect to Your External Identity Provider
- AWS SSO - Automatic Provisioning
Installation
You can go get github.com/awslabs/ssosync or grab a Release binary from the release page. The binary
can be used from your local computer, or you can deploy to AWS Lambda to run on a CloudWatch Event
for regular synchronization.
Configuration
You need a few items of configuration. One side from AWS, and the other from Google Cloud to allow for API access to each. You should have configured Google as your Identity Provider for AWS SSO already.
You will need the files produced by these steps for AWS Lambda deployment as well as locally running the ssosync tool.
First, you have to setup your API. In the project you want to use go to the Console and select API & Services > Enable APIs and Services. Search for Admin SDK and Enable the API.
You have to perform this tutorial to create a service account that you use to sync your users. Save the JSON file you create during the process and rename it to credentials.json.
you can also use the
--google-credentialsparameter to explicitly specify the file with the service credentials. Please, keep this file safe, or store it in the AWS Secrets Manager
In the domain-wide delegation for the Admin API, you have to specify the following scopes for the user.
https://www.googleapis.com/auth/admin.directory.group.readonly,https://www.googleapis.com/auth/admin.directory.group.member.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly
Back in the Console go to the Dashboard for the API & Services and select "Enable API and Services".
In the Search box type Admin and select the Admin SDK option. Click the Enable button.
You will have to specify the email address of an admin via --google-admin to assume this users role in the Directory.
AWS
Go to the AWS Single Sign-On console in the region you have set up AWS SSO and select
Settings. Click Enable automatic provisioning.
A pop up will appear with URL and the Access Token. The Access Token will only appear
at this stage. You want to copy both of these as a parameter to the ssosync command.
Or you specific these as environment variables.
SSOSYNC_SCIM_ACCESS_TOKEN=<YOUR_TOKEN>
SSOSYNC_SCIM_ENDPOINT=<YOUR_ENDPOINT>
Local Usage
Usage:
The default for ssosync is to run through the sync.
A command line tool to enable you to synchronise your Google
Apps (G-Suite) users to AWS Single Sign-on (AWS SSO)
Complete documentation is available at https://github.com/awslabs/ssosync
Usage:
ssosync [flags]
Flags:
-t, --access-token string SCIM Access Token
-d, --debug Enable verbose / debug logging
-e, --endpoint string SCIM Endpoint
-u, --google-admin string Google Admin Email
-c, --google-credentials string set the path to find credentials for Google (default "credentials.json")
-h, --help help for ssosync
--ignore-groups strings ignores these groups
--ignore-users strings ignores these users
--log-format string log format (default "text")
--log-level string log level (default "warn")
-v, --version version for ssosync
The output of the command when run without 'debug' turned on looks like this:
2020-05-26T12:08:14.083+0100 INFO cmd/root.go:43 Creating the Google and AWS Clients needed
2020-05-26T12:08:14.084+0100 INFO internal/sync.go:38 Start user sync
2020-05-26T12:08:14.979+0100 INFO internal/sync.go:73 Clean up AWS Users
2020-05-26T12:08:14.979+0100 INFO internal/sync.go:89 Start group sync
2020-05-26T12:08:15.578+0100 INFO internal/sync.go:135 Start group user sync {"group": "AWS Administrators"}
2020-05-26T12:08:15.703+0100 INFO internal/sync.go:172 Clean up AWS groups
2020-05-26T12:08:15.703+0100 INFO internal/sync.go:183 Done sync groups
You can ignore users to be synced by setting --ignore-users user1@example.com,user2@example.com or SSOSYNC_IGNORE_USERS=user1@example.com,user2@example.com. Groups are ignored by setting --ignore-groups group1@example.com,group1@example.com or SSOSYNC_IGNORE_GROUPS=group1@example.com,group1@example.com.
AWS Lambda Usage
NOTE: Using Lambda may incur costs in your AWS account. Please make sure you have checked the pricing for AWS Lambda and CloudWatch before continuing.
Running ssosync once means that any changes to your Google directory will not appear in AWS SSO. To sync. regularly, you can run ssosync via AWS Lambda.
SAM
You can use the AWS Serverless Application Model (SAM) to deploy this to your account.
Please, install the AWS SAM CLI and GoReleaser.
Specify an Amazon S3 Bucket for the upload with export S3_BUCKET=<YOUR_BUCKET>.
Execute make package in the console. Which will package and upload the function to the bucket. You can then use the packaged.yaml to configure and deploy the stack in AWS CloudFormation Console.