froi

Reputation: 7758

Is there a way to provision AWS SSO users via CloudFormation/CDK?

Looking at this guide: https://aws.amazon.com/blogs/security/use-new-account-assignment-apis-for-aws-sso-to-automate-multi-account-access/

It only shows how to assign permission sets to already existing users. Also, looking at the CloudFormation documentation, it does not mention anything about users.

Is there a way to create AWS SSO users via CloudFormation or CDK?

Upvotes: 4

Views: 1115

Answers (3)

matwer1

Reputation: 191

Just posted an example project in CDK Python adapted from a recent client project, here: https://github.com/matwerber1/aws-cdk-sso-user-management

The project contains a custom CDK resource backed by Lambda that uses the IAM identitystore create_user, update_user, and delete_user APIs to manage SSO users, as well as wrappers around the L1 constructs like CfnGroup, CfnGroupMembership, and so on to make it easier to add users in bulk to a group, or assign groups+permission sets to accounts.

If you use Typescript, it could be converted pretty easily, I think.

Feedback and PRs welcome, as I'm sure there's room for improvement.

Example usage below:

from typing import Any

from aws_cdk import Stack, aws_iam as iam
from constructs import Construct

# SsoUser, SsoUserAttributes, SsoPermissionSet, SsoGroup, SsoConfig and
# AwsAccounts are the constructs/enums defined in the linked project.


class SsoStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs: Any) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Each SsoUser is a custom resource (Lambda-backed) that calls the
        # identitystore create_user / update_user / delete_user APIs.
        user_foo = SsoUser(
            self,
            user_attributes=SsoUserAttributes(
                email="someuser1@",
                username="username",
                first_name="Foo",
                last_name="Foo",
            ),
        )
        user_bar = SsoUser(
            self,
            user_attributes=SsoUserAttributes(
                email="someuser2@",
                username="username2",
                first_name="Bar",
                last_name="Bar",
            ),
        )

        all_users = [user_foo, user_bar]

        # Reference existing permission sets
        SsoPermissionSet.from_existing_permission_set(
            self,
            permission_set_name="AWSOrganizationsFullAccess",
            permission_set_arn=f"{SsoConfig.instance_arn.value}/ps-xxxxxxxxxxxxxx",
        )

        # Create new permission sets
        demo_permission_set = SsoPermissionSet(
            self,
            name="DemoPermissionSet",
            description="demo permission set",
            inline_policy=iam.PolicyDocument(
                statements=[
                    iam.PolicyStatement(
                        effect=iam.Effect.ALLOW,
                        actions=["s3:ListAllMyBuckets"],
                        resources=["*"],
                    )
                ]
            ).to_string(),
        )

        # Create new groups
        demo_group = SsoGroup(
            self,
            group_name="Demo User Group",
            description="Admin and read-only role to sandbox account",
        )

        # Add user(s) to a group
        demo_group.add_users(all_users)

        # Add permission set to a group for a given account
        demo_permission_set.grant_to_group_for_account(demo_group, AwsAccounts.SANDBOX.value)

Upvotes: 0
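The Lambda side of such a custom resource, as an added example that is not code from the linked project: an on_event handler in the style of the CDK Provider framework that maps CloudFormation Create/Update/Delete requests to the identitystore create_user / update_user / delete_user calls, using the Identity Store UserId as the physical resource id. The UpdateUser attribute paths, the in-memory FakeIdentityStore stand-in for boto3 and the sample user are assumptions made for this example.

```python
from typing import Any, Dict, List

# Constructed sample input: the attributes an SsoUser construct would pass.
USER_FOO = {"username": "foo", "email": "foo@example.com",
            "first_name": "Foo", "last_name": "Foo"}

def _name_ops(old: Dict[str, str], new: Dict[str, str]) -> List[Dict[str, str]]:
    """Build UpdateUser 'Operations' for changed name attributes (paths assumed)."""
    paths = {"first_name": "name.givenName", "last_name": "name.familyName"}
    return [{"AttributePath": p, "AttributeValue": new[k]}
            for k, p in paths.items() if old.get(k) != new.get(k)]

def on_event(event: Dict[str, Any], client: Any, store_id: str) -> Dict[str, Any]:
    """Custom-resource handler; PhysicalResourceId is the Identity Store UserId."""
    req = event["RequestType"]
    new, old = event.get("ResourceProperties", {}), event.get("OldResourceProperties", {})
    replace = req == "Update" and (old.get("username"), old.get("email")) != (new["username"], new["email"])
    if req == "Create" or replace:
        # Username/email changes are treated as a replacement: returning a new
        # UserId makes CloudFormation send a Delete for the old one afterwards.
        resp = client.create_user(
            IdentityStoreId=store_id, UserName=new["username"],
            DisplayName=f"{new['first_name']} {new['last_name']}",
            Name={"GivenName": new["first_name"], "FamilyName": new["last_name"]},
            Emails=[{"Value": new["email"], "Primary": True}])
        return {"PhysicalResourceId": resp["UserId"]}
    user_id = event["PhysicalResourceId"]
    if req == "Update":
        ops = _name_ops(old, new)
        if ops:
            client.update_user(IdentityStoreId=store_id, UserId=user_id, Operations=ops)
        return {"PhysicalResourceId": user_id}
    try:  # Delete: tolerate an already-removed user so stack rollbacks do not wedge
        client.delete_user(IdentityStoreId=store_id, UserId=user_id)
    except client.exceptions.ResourceNotFoundException:
        pass
    return {"PhysicalResourceId": user_id}

class FakeIdentityStore:
    """Constructed in-memory stand-in for boto3.client('identitystore')."""
    class exceptions:
        class ResourceNotFoundException(Exception): pass
    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, Any]] = {}
        self._n = 0
    def create_user(self, **kw: Any) -> Dict[str, str]:
        self._n += 1
        uid = f"user-{self._n}"
        self.users[uid] = kw
        return {"UserId": uid, "IdentityStoreId": kw["IdentityStoreId"]}
    def update_user(self, UserId: str, Operations: List[Dict[str, str]], **kw: Any) -> None:
        field = {"name.givenName": "GivenName", "name.familyName": "FamilyName"}
        for op in Operations:
            self.users[UserId]["Name"][field[op["AttributePath"]]] = op["AttributeValue"]
    def delete_user(self, UserId: str, **kw: Any) -> None:
        if UserId not in self.users:
            raise self.exceptions.ResourceNotFoundException(UserId)
        del self.users[UserId]
```

In the real Lambda, pass `boto3.client("identitystore")` as `client` and the Identity Store id of your AWS SSO instance as `store_id`.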

Marcin

Reputation: 238051

Sadly, this is not yet supported. AWS docs say that in the future such support should be added, at least to the AWS API, which you could then use from custom resources in CloudFormation:

Future updates to AWS SSO Identity Store APIs, including additions for creation and modification of users and groups, will be documented in this reference as they are released.

Upvotes: 4
