Work around current capabilities of AWS SSO CloudFormation resources
AWS SSO's CloudFormation support currently only includes
AWS::SSO::Assignment, which means for every combination of principal (group or user), permission set, and target (AWS account), you need a separate CloudFormation resource. Additionally, AWS SSO does not support OUs as targets, so you need to specify every account separately.
Obviously, this gets verbose.
aws-sso-cfn-helper will generate the assignment combinations according to your specifications.
I am against client-side generation of CloudFormation templates, and look forward to discarding this tool once there are two prerequisites:
- OUs as targets for assignments
AWS::SSO::AssignmentSetresource that allows specifications of multiple principals, permission sets, and targets, and performs the combinatorics directly.
I recommend you install
pipx, which installs the tool in an isolated virtualenv while linking the script you need.
# with pipx pipx install aws-sso-cfn-helper # without pipx python -m pip install --user aws-sso-cfn-helper
All of the identifiers required below can be looked up using the included
aws-sso-lookup utility, documented below. On both utilities the credentials used can be controlled with the
AWS SSO instance id
You can provide the AWS SSO instance id directly using the
-i parameter, or you can omit it and
aws-sso-cfn-helper will query your account for the instance id. The instance id will be used to fill out permission set ARNs, if that information is missing.
You can specify principal ids using either or both of
Permission sets can be provided either as ARNs (which include the SSO instance id), as the ARN suffix (
$INSTANCE_ID/$PERMISSION_SET_ID) or simply as the permission set id, in which case the ARN will be constructed using the instance id as obtained above.
You can specify targets using either or both of
-a, respectively. Because AWS SSO does not support OUs as targets currently, specifying an OU will cause a lookup through the Organizations API to find all the accounts in that OU (and any child OUs). Note that this only happens once, so you would need to run this again after adding another account to the OU.
aws-sso-cfn-helper will produce a template file called
template.yaml. This can be changed with the
--template-file parameter. If your inputs cause more assignment resources to be generated than can be held in one template, multiple files will be generated, with numbers inserted before the file suffix (e.g.,
template02.yaml, etc.). You can adjust the number of resources per template (for example, if you plan to add additional resources to each template yourself) with
CloudFormation resources can reference other resources or template parameters. To enable this when generating a template, use the syntax
!Ref=ReferenceName, without spaces, for any of the inputs, and the generated resources will have the appropriate references (note that whatever they are referencing will not be present in the template, that is on you to add).
As all of this is in service of infrastructure as code, you may want to define the inputs as a file checked into source control. This file can be specified with the
--input-file parameter, and takes the form of an INI file with the following section headers (corresponding to the command line parameters):
You can use the same
!Ref=ReferenceName syntax in the file, though you can include spaces around the equals.
The AWS SSO APIs and CloudFormation resources require the use of identifiers that are not displayed in the console, and that the APIs do not make easy to look up by name.
aws-sso-lookup is provided to make this a little easier.
|AWS SSO instance||
|AWS SSO identity store||
For instance and identity store, it just prints out the id. For the others, it displays the instance/identity store id being used, and then a CSV with columns for the name and identifier. By default, any names not found will have
NOT_FOUND as their identifier, but with
-e it will exit with an error at the first name not found.
For group/user/permission set lookups, the instance/identity store will be automatically retrieved if you do not provide
--instance-arn (for permission sets) or
--instance-store-id (for groups and users).