Automating IAM Identity Center Permission Sets and Assignments

Introduction

IAM Identity Center is an excellent, free tool for federating access across an organization. You should use it. In this post I’ll give an example to manage it with a CDK Pipeline. This pipeline will include steps to retrieve necessary information about your AWS environment, such as SSO instances, groups, and organization accounts so that none of that sensitive-ish information is stored in code. As an added benefit, the assignments are MUCH more readable and easy to audit.

Prerequisites

Before you begin, ensure you have the following:

1. AWS CLI: Installed and configured with appropriate permissions.
2. Node.js: Installed on your local machine.
3. AWS CDK: Installed globally using npm install -g aws-cdk.
4. AWS Account: With necessary permissions to create IAM roles, CodePipeline, and other resources.
5. AWS Organization with IAM Identity Center initialized: You can look at my other post here for info on setting that up with Azure Entra and why that’s a good idea.
6. A Group in AWS Organizations: Manually created or synced, doesn’t matter

Overview

All Code contained for this example can be found here: https://github.com/mbennettcanada/iam-identity-center.

When we’re done we’ll have a CDK app deployed that looks like this:

Here’s an overview of the repository structure:

├── tools 
│   ├── get-instance.sh
│   ├── get-groups.sh
│   └── get-accounts.sh
├── lib
│   ├── iam-idc.ts     
│   └── iam-identity-center-pipeline.ts
├── bin
│   └── cdk-app.ts
├── package.json
└── cdk.json

Shell Scripts

The tools directory contains shell scripts to retrieve necessary information:

• get-instance.sh: Retrieves the AWS SSO instance ARN.
• get-groups.sh: Retrieves all groups in IAM Identity Center.
• get-accounts.sh: Retrieves all accounts in the AWS organization.

CDK Stack Files

• iam-idc.ts: Defines the IAM Identity Center configuration, including permission sets and assignments.
• iam-identity-center-pipeline.ts: Defines the CodePipeline to automate the deployment.

Setting Up the Pipeline

Step 1: Clone the repository and change the origin to your own.

Clone the repository to your local machine:

git clone git@github.com:mbennettcanada/iam-identity-center.git
cd iam-identity-center-pipeline
git rm .git
git init
git remote add "origin" git@github.com:User/UserRepo.git //YOUR REPO HERE

At this point, you should delete the .git folder, `git init` again and add your own remote so you are pushing to your own repo

Step 2: Install Dependencies

Install the necessary dependencies:

npm install

Step 3: Run the Shell Scripts locally

The scripts generate 3 json files that are .gitignored, but necessary to bootstrap your pipeline. You can delete them after the first deploy, and the pipeline itself will generate them fresh every run. Make sure your creds and region are correct first.

sh tools/get-instance.sh
sh tools/get-groups.sh
sh tools/get-accounts.sh

Step 4: Make some code changes.

lib/iam-identity-center-pipeline.ts

In the iam-identity-center-pipeline.ts file, change the ‘CodePipelineSource.connection’ string to match your own codestar connection and repo name. If you haven’t done this before, there is an excellent tutorial here: https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-create-github.html

/lib/iam-idc.ts

Code starting at line 15 is where we define the permission sets and assignments. The permission set defined is pretty boring admin. You can do a lot there if you want, but the real bits you need to change for our example here start on line 25 (at time of writing)

You’ll want to change the group.Name === bit to match your group you want to assign the admin permission set to, and the account.Name === bit to match the account you want to assign that group to.

        const adminGroup = groupsJsonData.find((group: { Id: string; Name: string }) => group.Name === 'Admin');
        const operationsAccount = accountsJsonData.find((account: {Id: string; Name: string}) => account.Name === 'Operations')
 
        new CfnAssignment(this, 'AdminGroupAssignment', {
            instanceArn: identityCenterInstanceArn,
            permissionSetArn: adminPermissionSet.attrPermissionSetArn,
            principalId: adminGroup.Id,
            principalType: 'GROUP',
            targetId: operationsAccount.Id, 
            targetType: 'AWS_ACCOUNT'
        });

Step 5: Push your code

git add -A
git commit -m "Initial Commit"
git push -u origin main

Step 6: Deploy the CDK Pipeline and watch the fireworks

Synth’ing first is always a good idea, then cdk deploy that thang.

cdk synth
cdk deploy

This command will create the CDK Pipeline with its needed roles, and after it’s created it will attempt to use the codestar connection to pull the code you pushed and deploy the permission sets and assignments you made. Go to the CodePipeline service in the AWS console, and watch your pipeline go.

Conclusion

In this blog post, we walked through setting up an AWS CodePipeline to automate the deployment of IAM Identity Center configurations using AWS CDK. By following these steps, you can streamline the management of IAM Identity Center in your AWS environment, ensuring consistent and automated deployments.

Best practice would be to lock down this repo so that main can’t be pushed to, and must be pr’d by people who know what should be going on.

Thanks for reading this far, honestly. Drop a comment or share if I should keep writing.