IAM Identity Center - Users, Groups and Permission Sets
Sometimes we need a quick script...
I was asked in the office the other day if I knew how to grab the Users, Groups and Permission sets from IAM Identity Center using a script.
The short answer was, “No”. However being me, I knew I had to find out.
TL;DR I wrote a quick, dirty Python script to achieve this. There is no shame in this, it gets the job done!
import boto3

# Setup the boto3 clients
client = boto3.client('identitystore')  # Identity Store API: users and groups
sso = boto3.client('sso-admin')         # SSO Admin API: permission sets

# Configure the variables
Id = "d-976709dxxx"  # IAM Identity Centre Directory ID
SSOArn = "arn:aws:sso:::instance/ssoins-8259e48121ee2xxx"  # IAM Identity Centre ARN

# Get the IAM Identity Center Users
# list_users returns one page at a time, so use the paginator to get them all
print("Getting IAM Identity Center Users")
for page in client.get_paginator('list_users').paginate(IdentityStoreId=Id):
    for user in page['Users']:
        print(user)

# Get the IAM Identity Center Groups
print("Getting IAM Identity Center Groups")
for page in client.get_paginator('list_groups').paginate(IdentityStoreId=Id):
    for group in page['Groups']:
        print(group)

# Get the IAM Identity Center Permissions Sets
# list_permission_sets only returns ARNs, so describe each one to get its name
print("Getting permission sets")
for page in sso.get_paginator('list_permission_sets').paginate(InstanceArn=SSOArn):
    for perm_set_arn in page['PermissionSets']:
        response = sso.describe_permission_set(
            InstanceArn=SSOArn,
            PermissionSetArn=perm_set_arn
        )
        print('-', response['PermissionSet']['Name'])
What surprised me here, and maybe it shouldn’t, was the fact that Users and Groups come from a different API (the Identity Store API) than the Permission Sets, which live in the older SSO Admin API.
Let’s break this down.
Firstly, grabbing the Users (paginated, so large directories are not cut off at the first page):
print("Getting IAM Identity Center Users")
for page in client.get_paginator('list_users').paginate(IdentityStoreId=Id):
    for user in page['Users']:
        print(user)
Then, grabbing the groups:
print("Getting IAM Identity Center Groups")
for page in client.get_paginator('list_groups').paginate(IdentityStoreId=Id):
    for group in page['Groups']:
        print(group)
And lastly, grabbing the permission sets. Note that list_permission_sets returns only ARNs, so each one has to be described to get its name:
# Get the IAM Identity Center Permissions Sets
print("Getting permission sets")
for page in sso.get_paginator('list_permission_sets').paginate(InstanceArn=SSOArn):
    for perm_set_arn in page['PermissionSets']:
        response = sso.describe_permission_set(
            InstanceArn=SSOArn,
            PermissionSetArn=perm_set_arn
        )
        print('-', response['PermissionSet']['Name'])
This is the part that comes from the SSO Admin API rather than the Identity Store API.
A very simple method to grab simple information that can be used in an automated way.
For more reading:
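Listing users, groups and permission sets separately is useful, but for an access review the question is usually "which person can use which permission set in which account". The example below is an addition to this post, not the author's script: it joins the two APIs by following group memberships (Identity Store) and account assignments (SSO Admin), handling NextToken pagination explicitly along the way. The boto3 operation names and response keys are the real ones; the FakeIdentityStore and FakeSsoAdmin classes and their data are constructed stand-ins so the joining logic runs offline, and the main() block shows how the same functions would be wired to real clients.

```python
"""Added example: build a user -> account -> permission set inventory from IAM
Identity Center. The fake clients below are constructed test data, not AWS."""
import sys


def paginate(operation, result_key, **kwargs):
    """Call a list_* operation and follow NextToken until the last page."""
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        page = operation(**params)
        yield from page.get(result_key, [])
        token = page.get("NextToken")
        if not token:
            return


def build_inventory(idstore, sso, identity_store_id, instance_arn, account_ids):
    """Return sorted (user name, account id, permission set name) tuples,
    expanding group assignments to the group's members."""
    users = {u["UserId"]: u["UserName"] for u in
             paginate(idstore.list_users, "Users", IdentityStoreId=identity_store_id)}
    groups = {g["GroupId"]: g["DisplayName"] for g in
              paginate(idstore.list_groups, "Groups", IdentityStoreId=identity_store_id)}
    members = {}  # group id -> user names
    for gid in groups:
        for m in paginate(idstore.list_group_memberships, "GroupMemberships",
                          IdentityStoreId=identity_store_id, GroupId=gid):
            uid = m["MemberId"]["UserId"]
            members.setdefault(gid, []).append(users.get(uid, uid))
    perm_sets = {}  # permission set ARN -> name (list_* only returns ARNs)
    for arn in paginate(sso.list_permission_sets, "PermissionSets", InstanceArn=instance_arn):
        perm_sets[arn] = sso.describe_permission_set(
            InstanceArn=instance_arn, PermissionSetArn=arn)["PermissionSet"]["Name"]
    rows = set()
    for account in account_ids:
        for ps_arn, ps_name in perm_sets.items():
            for a in paginate(sso.list_account_assignments, "AccountAssignments",
                              InstanceArn=instance_arn, AccountId=account, PermissionSetArn=ps_arn):
                if a["PrincipalType"] == "USER":
                    principals = [users.get(a["PrincipalId"], a["PrincipalId"])]
                else:  # GROUP: expand to its members
                    principals = members.get(a["PrincipalId"], [])
                for p in principals:
                    rows.add((p, account, ps_name))
    return sorted(rows)


class FakeIdentityStore:
    """Constructed stand-in for boto3.client('identitystore')."""
    _users = [{"UserId": "u-1", "UserName": "alice"}, {"UserId": "u-2", "UserName": "bob"}]

    def list_users(self, IdentityStoreId, NextToken=None):
        i = int(NextToken or 0)  # one user per page to exercise NextToken handling
        page = {"Users": self._users[i:i + 1]}
        if i + 1 < len(self._users):
            page["NextToken"] = str(i + 1)
        return page

    def list_groups(self, IdentityStoreId, NextToken=None):
        return {"Groups": [{"GroupId": "g-1", "DisplayName": "Admins"}]}

    def list_group_memberships(self, IdentityStoreId, GroupId, NextToken=None):
        return {"GroupMemberships": [{"MemberId": {"UserId": "u-1"}}] if GroupId == "g-1" else []}


class FakeSsoAdmin:
    """Constructed stand-in for boto3.client('sso-admin')."""
    _names = {"arn:example:ps/admin": "AdministratorAccess", "arn:example:ps/ro": "ReadOnly"}
    _assignments = [
        {"AccountId": "111111111111", "PermissionSetArn": "arn:example:ps/admin",
         "PrincipalType": "GROUP", "PrincipalId": "g-1"},
        {"AccountId": "111111111111", "PermissionSetArn": "arn:example:ps/ro",
         "PrincipalType": "USER", "PrincipalId": "u-2"},
    ]

    def list_permission_sets(self, InstanceArn, NextToken=None):
        return {"PermissionSets": list(self._names)}

    def describe_permission_set(self, InstanceArn, PermissionSetArn):
        return {"PermissionSet": {"Name": self._names[PermissionSetArn]}}

    def list_account_assignments(self, InstanceArn, AccountId, PermissionSetArn, NextToken=None):
        return {"AccountAssignments": [a for a in self._assignments
                                       if a["AccountId"] == AccountId
                                       and a["PermissionSetArn"] == PermissionSetArn]}


def main():
    """Real-client wiring: `python inventory.py 111111111111 222222222222`."""
    import boto3  # imported here so the offline part needs no AWS SDK
    sso = boto3.client("sso-admin")
    inst = sso.list_instances()["Instances"][0]  # gives InstanceArn and IdentityStoreId
    rows = build_inventory(boto3.client("identitystore"), sso,
                           inst["IdentityStoreId"], inst["InstanceArn"], sys.argv[1:])
    for user, account, ps_name in rows:
        print(f"{user}\t{account}\t{ps_name}")


if __name__ == "__main__":
    main()
```

Running it against the constructed data yields alice with AdministratorAccess (via the Admins group) and bob with ReadOnly in account 111111111111; a row like that is what an access reviewer wants to see, because a group assignment on its own hides who actually inherits the permission set.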