Unkey
ContributingCompanyArchitectureInfrastructureRFCsDesignGitHub
AWS

User and Group management

How to manage users and groups in AWS IAM Identity Center

SCIM Limitations

SCIM, which automagically provisions users, does only that. It does not handle synchronization of groups or group membership.

Current Solution

There's a tool from the AWS Labs GitHub organization called ssosync that typically handles synchronization from Google Workspace to IAM Identity Center. However, it currently has limitations:

  • The secure way to handle service accounts in GCP is using Workload Identity Federation, which, as of this writing, is unsupported
  • The ssosync app expects specific user credentials hard-coded from a file
  • There are a couple of PRs on that repo to implement it, but progress seems to have stalled since the end of last year

To facilitate mapping Workspace users to IAM Identity Center users, we provide a script in unkeyed/infra/contrib.

Usage

Basic Usage

AWS_PROFILE=unkey-root-admin \
AWS_REGION=us-east-1 \
bash unkeyed/infra/contrib/add-aws-user-to-aws-group.sh [username]

Where [username] is the @unkey.com user you're adding (e.g., john.doe@unkey.com)

Adding to a Specific Group

AWS_PROFILE=unkey-root-admin \
AWS_REGION=us-east-1 \
bash unkeyed/infra/contrib/add-aws-user-to-aws-group.sh john.doe@unkey.com aws-administrators

Available groups:

  • aws-administrators: Full administrative access
  • aws-users: Non-administrative access

Previous

Google as an Identity Provider for AWS

On this page