awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0

Possibility to create IAM Identity Center (IIC) users and groups, not just assignments? #533

Open stefan-matic opened 2 months ago

stefan-matic commented 2 months ago

Is your feature request related to a problem? Please describe.
To my understanding, in order to create Identity Center assignments for users and groups, the user/group must exist first? I don't see any way to create IIC users and groups through the LZA, or am I missing something?

Describe the feature you'd like
Would it be possible to create and maintain the list of users and groups within the identityCenter block?

Additional context
iam-config.yaml:

identityCenter:
  name: cloud-foundation-sso
  delegatedAdminAccount: Audit
  identityCenterPermissionSets:
    - name: CustomPermissionSet-Admin
      policies:
        awsManaged:
          - AdministratorAccess
    - name: CustomPermissionSet-Test
      policies:
        awsManaged:
          - AdministratorAccess
      sessionDuration: 60
  identityCenterAssignments:
    - name: AdminAccess
      permissionSetName: CustomPermissionSet-Admin
      principals:
        - type: USER
          name: manually-created-user@example.com
        - type: GROUP
          name: Administrators
      deploymentTargets:
        organizationalUnits:
          - Root
    - name: TestAccess
      permissionSetName: CustomPermissionSet-Test
      principals:
        - type: USER
          name: non-existing-user@example.com
      deploymentTargets:
        accounts:
          - SharedServices

The first assignment creates the assignment for the user (because I manually created it in IIC) but not the group (not created manually). The second assignment creates no assignments (user not created manually).

bo1984 commented 2 months ago

Hi Stefan!

That is correct. For the LZA solution to add an account assignment for a User or Group, that entity must exist. You could either use the principal ID (for the user/group) or have LZA do the lookup (similar to your example), where it would then subsequently add the configured account assignments. We have a feature request for LZA to provision users and groups in Identity Center, and I have added this GitHub issue to that feature request for more traction and prioritization. I will keep this issue open in the meantime should you have any questions or concerns that need to be addressed.
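Because an assignment whose principal does not yet exist is simply not created, a pre-flight check that every USER/GROUP referenced in identityCenterAssignments is present in the identity store catches the silent no-op before a pipeline run. The script below is an added example, not LZA code: it takes the already-parsed iam-config.yaml (the constructed dict mirrors the configuration in the issue), compares the referenced principals against a list of existing user names and group display names, and includes an optional live lookup through the identitystore API with boto3. It assumes LZA matches users on UserName and groups on DisplayName, which is an assumption on my part.

```python
"""Pre-flight check for LZA iam-config.yaml: report Identity Center principals
referenced by identityCenterAssignments that do not exist in the identity store.
Added example; not part of the landing-zone-accelerator-on-aws project."""
from typing import Iterable, List, Tuple

# Constructed sample, equivalent to the iam-config.yaml posted in the issue
# after parsing (e.g. with yaml.safe_load). Only the keys the check needs are kept.
SAMPLE_IAM_CONFIG = {
    "identityCenter": {
        "name": "cloud-foundation-sso",
        "identityCenterAssignments": [
            {
                "name": "AdminAccess",
                "permissionSetName": "CustomPermissionSet-Admin",
                "principals": [
                    {"type": "USER", "name": "manually-created-user@example.com"},
                    {"type": "GROUP", "name": "Administrators"},
                ],
            },
            {
                "name": "TestAccess",
                "permissionSetName": "CustomPermissionSet-Test",
                "principals": [
                    {"type": "USER", "name": "non-existing-user@example.com"},
                ],
            },
        ],
    }
}

Principal = Tuple[str, str, str]  # (assignment name, principal type, principal name)


def referenced_principals(iam_config: dict) -> List[Principal]:
    """Collect every principal referenced by an identityCenterAssignments entry."""
    found: List[Principal] = []
    identity_center = iam_config.get("identityCenter", {})
    for assignment in identity_center.get("identityCenterAssignments", []):
        for principal in assignment.get("principals", []):
            found.append((assignment["name"], principal["type"].upper(), principal["name"]))
    return found


def find_missing_principals(
    iam_config: dict, existing_users: Iterable[str], existing_groups: Iterable[str]
) -> List[Principal]:
    """Return the referenced principals that are absent from the identity store.

    Assumption: users are matched on UserName and groups on DisplayName,
    exactly as the names appear in the configuration (case-sensitive)."""
    users, groups = set(existing_users), set(existing_groups)
    missing: List[Principal] = []
    for assignment, ptype, name in referenced_principals(iam_config):
        pool = users if ptype == "USER" else groups
        if name not in pool:
            missing.append((assignment, ptype, name))
    return missing


def load_identity_store_principals(identity_store_id: str, region: str = None):
    """Live lookup of user names and group display names via the identitystore API.

    boto3 is imported lazily so the pure check above runs without it. The caller
    needs identitystore:ListUsers and identitystore:ListGroups on the store."""
    import boto3  # assumption: boto3 is installed and credentials are configured

    client = boto3.client("identitystore", region_name=region)
    users, groups = [], []
    kwargs = {"IdentityStoreId": identity_store_id}
    while True:  # ListUsers pages with NextToken
        page = client.list_users(**kwargs)
        users.extend(u["UserName"] for u in page["Users"])
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    kwargs = {"IdentityStoreId": identity_store_id}
    while True:  # ListGroups pages with NextToken
        page = client.list_groups(**kwargs)
        groups.extend(g["DisplayName"] for g in page["Groups"])
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]
    return users, groups


if __name__ == "__main__":
    # Offline run reproducing the situation in the issue: only the first user
    # was created by hand, so the group and the second user are reported.
    for assignment, ptype, name in find_missing_principals(
        SAMPLE_IAM_CONFIG, ["manually-created-user@example.com"], []
    ):
        print(f"assignment {assignment}: {ptype} '{name}' not found in identity store")
```

Run it offline as shown to see the two missing principals from the issue reported; to validate a real configuration, replace the constructed lists with the result of `load_identity_store_principals("<your-identity-store-id>")` and fail the pipeline stage when the returned list is non-empty.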

stefan-matic commented 2 months ago

Thank you @bo1984 for the detailed explanation!