Displaying a Tabular Form of AWS SSO Users, Groups, and Permission Sets per Account

Hari Kiran Vusirikala
May 25, 2023


Introduction

AWS Single Sign-On (SSO, now called AWS IAM Identity Center) provides a centralized identity management solution for accessing multiple AWS accounts and applications. As organizations grow, managing user access across many accounts and permission sets becomes challenging. To simplify this, we can use a script that retrieves AWS SSO user, group, and permission set information and displays it in a tabular format. Let’s walk through the script and understand how it works.

Prerequisites

Before using the script, ensure that you have the following requirements met:

  • AWS CLI: The AWS Command Line Interface (CLI) must be installed and configured with valid credentials. The credentials need read access to the sso-admin and identitystore APIs that the script calls, and those APIs are served from the organization’s management account (or a delegated administrator account for IAM Identity Center).
  • jq: A lightweight and flexible command-line JSON processor.

The Script

We provide a step-by-step explanation of the script used to fetch and organize the data. It covers commands such as retrieving SSO instance details, iterating over account IDs, and retrieving permission set assignments. The script also includes logic for handling user and group details, making it easy to understand and customize.

#!/usr/bin/env bash
# Retrieve the ARN and identity store ID of the SSO instance
instance_arn=$(aws sso-admin list-instances | jq -r '.Instances[].InstanceArn')
instance_store_id=$(aws sso-admin list-instances | jq -r '.Instances[].IdentityStoreId')

# Define a list of account IDs to process (one per line)
accounts_ids='
008796491234
939078521234
'

# Iterate over each account ID
for account_id in ${accounts_ids}; do

    # Remove any existing 'test' file and print the current account
    rm -f test
    echo "* Account ${account_id}"

    # Retrieve the permission sets provisioned to the account and store the
    # assignments (permission set ARN, principal type, principal ID) as
    # tab-separated lines in the 'test' file
    for permission_set_arn in $(aws sso-admin list-permission-sets-provisioned-to-account \
        --instance-arn "${instance_arn}" \
        --account-id "${account_id}" | jq -r '.PermissionSets[]'); do
        aws sso-admin list-account-assignments \
            --instance-arn "${instance_arn}" \
            --account-id "${account_id}" \
            --permission-set-arn "${permission_set_arn}" \
            | jq -r '(.AccountAssignments[] | [.PermissionSetArn, .PrincipalType, .PrincipalId]) | @tsv' >>test
    done

    # Print the header for the user details
    echo "UserName EmailId PermissionSetName GroupName"

    # Read each tab-separated line from the 'test' file into its three fields
    while IFS=$'\t' read -r permission_set_arn principal_type principal_id; do

        # Retrieve the name of the permission set
        permission_set_name=$(aws sso-admin describe-permission-set --instance-arn "${instance_arn}" --permission-set-arn "${permission_set_arn}" | jq -r '.PermissionSet.Name')

        # If the principal type is a group, retrieve its details
        # (assignments made directly to a USER principal are not expanded here)
        if [[ "${principal_type}" == "GROUP" ]]; then
            group_name=$(aws identitystore describe-group --identity-store-id "${instance_store_id}" --group-id "${principal_id}" | jq -r '.DisplayName')

            # Iterate over the user IDs in the group
            for userId in $(aws identitystore list-group-memberships --identity-store-id "${instance_store_id}" --group-id "${principal_id}" | jq -r '.GroupMemberships[].MemberId.UserId'); do

                # Retrieve user details and print them; a user with several
                # (or no) e-mail addresses is kept on a single row
                response=$(aws identitystore describe-user --identity-store-id "${instance_store_id}" --user-id "${userId}")
                user_id=$(echo "${response}" | jq -r '.UserId')
                user_name=$(echo "${response}" | jq -r '.UserName')
                display_name=$(echo "${response}" | jq -r '.DisplayName')
                email=$(echo "${response}" | jq -r '[.Emails[]?.Value] | join(",")')
                echo "${user_name} ${email} ${permission_set_name} ${group_name}"
            done
        fi

    done <test

    # Remove the 'test' file for the next iteration
    rm -f test
done

Explanation

We break down each command used in the script and provide clear examples to demonstrate their functionality. This helps readers grasp the purpose of each command and how it contributes to the final tabular view. Key commands covered include retrieving permission set names, handling groups and group members, and retrieving user details.

1. Retrieve the ARN and identity store ID of the SSO instances:

  • This command retrieves the ARN (Amazon Resource Name) and identity store ID of the AWS SSO instances.
  • Example:
instance_arn=$(aws sso-admin list-instances | jq -r '.Instances[].InstanceArn')
instance_store_id=$(aws sso-admin list-instances | jq -r '.Instances[].IdentityStoreId')

2. Define a list of account IDs to process:

  • This step allows you to specify a list of AWS account IDs for which you want to retrieve user, group, and permission set information.
  • Example:
accounts_ids='
008796491234
939078521234
'

3. Iterate over each account ID:

  • This loop iterates over each account ID in the list you provided.
  • Example:
for account_id in ${accounts_ids}; do
# Code for processing each account
done

4. Remove any existing ‘test’ file and print the current account:

  • This command removes any existing ‘test’ file from previous runs and prints the current account ID being processed.
  • Example:
rm -f test
echo "* Account ${account_id}"

5. Retrieve the permission sets provisioned to the account and store the assignments in the ‘test’ file:

  • This command retrieves the permission sets provisioned to the current account and stores the assignments in the ‘test’ file.
  • Example:
for permission_set_arn in $(aws sso-admin list-permission-sets-provisioned-to-account \
--instance-arn ${instance_arn} \
--account-id ${account_id} | jq -r '.PermissionSets[]'); do
aws sso-admin list-account-assignments \
--instance-arn ${instance_arn} \
--account-id ${account_id} \
--permission-set-arn $permission_set_arn | jq -r '(.AccountAssignments[] | [.PermissionSetArn, .PrincipalType, .PrincipalId]) | @tsv' >>test
done

6. Print the header for the user details:

  • This command prints the header for the user details table, including column names like UserName, EmailId, PermissionSetName, and GroupName.
  • Example:
echo "UserName EmailId PermissionSetName GroupName"

7. Read each line from the ‘test’ file:

  • This loop reads each line from the ‘test’ file, which contains the permission set assignments for the current account as tab-separated fields, and splits each line into the permission set ARN, principal type, and principal ID.
  • Example:
while IFS=$'\t' read -r permission_set_arn principal_type principal_id; do
# Code for processing each line/user/group/permission set
done <test

8. Retrieve the name of the permission set:

  • This command retrieves the name of the permission set using the permission set ARN.
  • Example:
permission_set_name=$(aws sso-admin describe-permission-set --instance-arn ${instance_arn} --permission-set-arn $permission_set_arn | jq -r '.PermissionSet.Name')

9. If the principal type is a group, retrieve its details:

  • This condition checks whether the principal type is a group and, if so, retrieves its details, including the group name. Assignments whose principal is an individual user (PrincipalType USER) are not expanded by this branch, so they do not appear in the table.
  • Example:
if [[ $principal_type == "GROUP" ]]; then
group_name=$(aws identitystore describe-group --identity-store-id ${instance_store_id} --group-id $principal_id | jq -r '.DisplayName')
# Code for processing group details
fi

10. Iterate over the user IDs in the group:

  • This loop iterates over the user IDs in the group to retrieve user details.
  • Example:
for userId in $(aws identitystore list-group-memberships --identity-store-id ${instance_store_id} --group-id $principal_id | jq -r '.GroupMemberships[].MemberId.UserId'); do
# Code for processing each user in the group
done

11. Retrieve user details and print them:

  • This command retrieves user details using the user ID and prints them, including the user name, email ID, permission set name, and group name. A user may have several e-mail addresses (or none), so they are joined into one field to keep each user on a single row.
  • Example:
response=$(aws identitystore describe-user --identity-store-id "${instance_store_id}" --user-id "${userId}")
user_id=$(echo "${response}" | jq -r '.UserId')
user_name=$(echo "${response}" | jq -r '.UserName')
display_name=$(echo "${response}" | jq -r '.DisplayName')
email=$(echo "${response}" | jq -r '[.Emails[]?.Value] | join(",")')
echo "${user_name} ${email} ${permission_set_name} ${group_name}"

12. Remove the ‘test’ file for the next iteration:

  • This command removes the ‘test’ file after processing each account, preparing it for the next iteration.
  • Example:
rm -f test

This script helps retrieve and display a tabular form of AWS SSO users, groups, and permission sets per account. It utilizes the AWS CLI and the jq JSON processor to fetch and process the necessary information. By running this script, you can efficiently manage user access across multiple AWS accounts and permission sets.

Remember to have the prerequisites met, including having the AWS CLI and jq installed and configured with valid credentials, to ensure a smooth execution of the script.
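The same resolution chain the script performs (instance → permission sets provisioned to the account → assignments → group members → user details), written here as an added Python example rather than the post’s own code; it goes beyond the shell script by also expanding direct USER assignments and by joining multiple e-mail addresses into one cell. FakeApi and its IDs, names and addresses are constructed sample data; the `sso` and `ids` parameters are assumed to expose the boto3 method names used below, so real boto3 clients for sso-admin and identitystore can be passed in their place.

```python
# Added example, not the post's script. `sso` / `ids` are any objects exposing the
# boto3 method names used below; FakeApi is a constructed stand-in that runs offline.

def user_row(ids, store_id, user_id, ps_name, group_name):
    # Same four columns the shell script prints; several or zero e-mail
    # addresses are joined into one cell instead of breaking the row.
    u = ids.describe_user(IdentityStoreId=store_id, UserId=user_id)
    return (u["UserName"], ",".join(e["Value"] for e in u.get("Emails", [])), ps_name, group_name)

def account_rows(sso, ids, instance_arn, store_id, account_id):
    rows = []
    ps_arns = sso.list_permission_sets_provisioned_to_account(
        InstanceArn=instance_arn, AccountId=account_id)["PermissionSets"]
    for ps_arn in ps_arns:
        ps_name = sso.describe_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=ps_arn)["PermissionSet"]["Name"]
        assignments = sso.list_account_assignments(InstanceArn=instance_arn,
            AccountId=account_id, PermissionSetArn=ps_arn)["AccountAssignments"]
        for a in assignments:
            pid = a["PrincipalId"]
            if a["PrincipalType"] == "GROUP":
                # Expand the group into its members, as the shell script does
                gname = ids.describe_group(IdentityStoreId=store_id, GroupId=pid)["DisplayName"]
                members = ids.list_group_memberships(IdentityStoreId=store_id, GroupId=pid)
                for m in members["GroupMemberships"]:
                    rows.append(user_row(ids, store_id, m["MemberId"]["UserId"], ps_name, gname))
            else:
                # Direct USER assignment, which the shell script silently skips
                rows.append(user_row(ids, store_id, pid, ps_name, "-"))
    return sorted(rows)

class FakeApi:  # constructed responses shaped like the sso-admin and identitystore APIs
    USERS = {"u-1": ("alice", ["alice@example.com"]), "u-2": ("bob", []),
             "u-3": ("carol", ["carol@example.com", "carol@example.org"])}
    def list_permission_sets_provisioned_to_account(self, **kw):
        return {"PermissionSets": ["arn:aws:sso:::permissionSet/ssoins-example/ps-example"]}
    def describe_permission_set(self, **kw):
        return {"PermissionSet": {"Name": "AdministratorAccess"}}
    def list_account_assignments(self, **kw):
        return {"AccountAssignments": [
            {"PermissionSetArn": kw["PermissionSetArn"], "PrincipalType": "GROUP", "PrincipalId": "g-1"},
            {"PermissionSetArn": kw["PermissionSetArn"], "PrincipalType": "USER", "PrincipalId": "u-3"}]}
    def describe_group(self, **kw):
        return {"DisplayName": "CloudAdmins"}
    def list_group_memberships(self, **kw):
        return {"GroupMemberships": [{"MemberId": {"UserId": u}} for u in ("u-1", "u-2")]}
    def describe_user(self, **kw):
        name, mails = self.USERS[kw["UserId"]]
        return {"UserName": name, "Emails": [{"Value": m} for m in mails]}
```

Calling `account_rows(FakeApi(), FakeApi(), "arn:example", "d-example", "123456789012")` yields one row per (user, permission set) pair, with "-" as the group for a direct user assignment.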

Benefits

By using this script, AWS SSO administrators can gain a holistic view of user access across accounts and permission sets. The resulting tabular form makes it easy to identify user-permission set-group relationships, providing insights into user management and access control.

Conclusion

Managing user access in AWS SSO doesn’t have to be challenging. With the script provided in this blog post, administrators can simplify user management by retrieving and displaying user, group, and permission set details in a tabular format. This not only streamlines access control but also enables better visibility and understanding of user access relationships. The script can be customized to fit specific requirements and helps organizations efficiently manage AWS SSO user access.

Written by Hari Kiran Vusirikala

Full Stack Developer at Infosys | 4x AWS Certified
