AWS SSO support?

[nxtof]

Hello,

Do you have any plans to support AWS SSO? e.g. to be able to map back a specific AWS SSO-managed role (AWSSSOReserved_AdminAccess_xxxx) to a list of users assigned with this role

Thanks!

[ncc-erik-steringer]

To answer your question, we currently don't have plans to add AWS SSO support. I think it would be reasonable to include in 1.2.0. I took a quick look at the work it would take, lemme know if you think it's a reasonable summary:

• Find a way to grab the user -> role mapping (would need to put in gathering.py and maybe guard it with a --with-sso flag/param)
• Find a way to stash the mapping data
• Add something in the query/argquery to let people query by SSO user (maybe something like sso/user_one for the principal component).

[michaeldavie-amzn]

Find a way to grab the user -> role mapping

I've been doing some work on this, and my current approach has been:

• organizations.list_accounts
• sso-admin.list_instances
• sso-admin.list_permission_sets
• For each permission set, sso-admin.list_accounts_for_provisioned_permission_sets
• For each permission set/account pair, sso-admin.list_account_assignments
• For each SSO GUID (user/group), identitystore.describe_user or identitystore.describe_group

Graph-wise, it would probably make sense to and the permission sets as nodes with edges to the corresponding roles in IAM.

Note that accessing SSO and the identity store will require additional permissions.