If you manage multiple AWS accounts and use Google Workspace as your identity provider (IdP), ensuring that users have the correct access can become complex. AWS IAM Identity Center (formerly AWS SSO) simplifies managing permissions across accounts, but manually maintaining users and group mappings can be tedious and you run into compliance issues as your orgranization continues to grow!
Enter ssosync – an open-source tool that syncs users and groups from Google Workspace to AWS IAM Identity Center.
In this guide, we’ll walk you through:
- Setting up AWS IAM Identity Center.
- Creating and configuring Google Groups to manage account access.
- Installing and configuring ssosync to sync users and groups.
- Automating the sync for continuous updates.
Why Use ssosync for Google Workspace?
ssosync is an open source application that was developed by the AWS Labs team which allows us to populate AWS Identity Center directly with Google Workspace users and groups.
The biggest issue, currently, is that AWS Identify Center only supports Microsoft Active Directory and Azure Active Directory (Azure AD).
So here we will use this script to allow us to take Google Groups that we have already created in our Google Workspace, and have it recreate those groups in AWS Identifty Center and to assign the users to those groups. This allows us to control access to AWS via membership to these groups.
Right now, for each AWS account, you can create the following groups:
- account-name-power-user
- account-name-read-only
- account-name-admin
So you end up with a similar group setup:
SSO - Google SAML App
There are several steps to getting our two services connected, and the first is Google Workspace!
We need to create a custom SAML app in the Google Workspace. The important information that is required here is:
- ACS URL: https://signin.aws.amazon.com/saml
- Entity ID: https://signin.aws.amazon.com/saml
- Name ID format: EMAIL
- Name ID: Basic Information > Primary email
We also configure the SAML attribute mapping, using the following Google Directory attributes: * Role : https://aws.amazon.com/SAML/Attributes/Role* * Basic Information > Primary email: https://aws.amazon.com/SAML/Attributes/RoleSessionName*
At the end, we now have our Google Workspace IdP details:
AWS Identity Center
Now we can five into AWS and our first step in Identity Center is to Confirm Your Identify Source:
We want to make sure we select the External identity provider
Now from our Google Workspace IdP details above, we can match the following information:
- IdP sign-in URL: This is the SSO URL from the Google Workspace IdP Details
- IdP issuer URL: This is the Entity ID from the Google Workspace IdP Details
Download the certificates from the SAML App you created in Google Workspace and upload them.
Note, do not enable auto-provisioning!
At this point we now have Identity Center ready to verify users with their Google accounts!
Review
We’ve setup the connection between our Google Workspace and our AWS Identity Center - I’ll follow up with utilizing the ssosync repo to create and maintain the groups and users in AWS.
