AWS SSO: Add support for user and group creation #25
Comments
Thanks for the feature request. This would be a new service feature, and I'll pass this on to the SSO team. |
Hi @andrejmaya, since this is a feature request for the service team, I'm going to transfer this issue to our centralized AWS SDK repository aws/aws-sdk. An implementation of this feature may be of interest to those of other SDKs as well. |
V276091312 |
Any updates on this? |
This would be a good feature to have. Currently I can automate account creation, assigning root user to SSO, etc., but manual creation/assigning of users is preventing a fully automated solution being rolled out across my company. |
We would also like to fully automate the account creation. Please give this some priority. |
We also require a feature for SSO user creation through CLI, any estimation for availability? |
Hi all, I requested a status update from the service team and will update when I hear back. |
I've raised this feature request with our TAM (wasn't aware of this issue thread beforehand). Our IdP groupings are not as granular as those needed for our AWS organisations. We'd like to create our own automation around creating SSO Users and managing the SSO Groups that they belong to, and the Permission Sets associated with those groups. Any sort of update or indicative timeline would be very much appreciated, to help us plan a way forward. |
I've also raised this feature request with our TAM. I hope it will be coming soon. |
We created a manual Groups list in TF as a patch, but it is really required. |
I actually have another use case: I want to be able to delete a group via SDK so I can easily revoke access for the whole group. |
Any update on this? |
Any updates? :) |
@kdaily are you planning to do it at all? This one is the only thing missing from our auto CT acc creation, would be awesome to have this feature. |
@kdaily - do you have any updates to share after checking in with the SSO team? |
Hi all, this is the latest update I have from the SSO team, dated from last week:
|
This feature is really needed, @kdaily - is there any way to influence the roadmap and increase the 'severity' of this issue, so it's faster than 4-12 months? |
It is pretty ridiculous, especially considering that you can do it in the console today... so the API methods probably already exist privately! |
We decided to use the API / SCIM API and Ansible for provisioning our users and groups in the meantime. Works pretty nicely. Source Code: |
@al-lac but that only works if you use external IdP, is that right? This issue is about using built in identity store. |
@mtb-xt yeah you are right. We are also using external IdP for that solution. |
Hi @mtb-xt, Thanks for your post. Unfortunately that's not within my powers! I will continue to relay the feedback received here, and provide an update when I hear further. As of today, I don't have any further updates on when this feature would be released. Thanks for your patience. |
@mtb-xt @al-lac Actually, those Ansible scripts will work just fine with AWS SSO directly, so long as you enable auto-provisioning of users. Once you do that, you will be given an SCIM URL and a token -- that's what you feed to the Ansible script. I've tested it out and it does just what I want, and I believe it would be trivial to add the functionality to your own custom scripts and even Terraform as a custom provider. Do note, though, that once you enable SCIM auto provisioning, you cannot add/remove/edit users within the AWS Console anymore! You will have to do it all through the SCIM endpoint. Also note that enabling this does not mean your external provider, if you're using one, will automatically be able to provision users for you; to do that, you would need to set up that SCIM URL and token. We actually did not want our external provider to be able to auto-provision users, so this works out well for us in that we can provision through a script instead. |
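Added example, not part of the thread and not the Ansible scripts it mentions: the requests a provisioning script would send to the SCIM URL with the bearer token described in the comment above, built per the SCIM 2.0 standard (RFC 7643/7644). The endpoint URL, token and user details are constructed placeholders, and which attributes a particular SCIM endpoint requires is an assumption to check against its documentation.

```python
import json
import os
import urllib.request

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_request(base_url, token, method, path, body):
    """Build (not send) a SCIM 2.0 request authenticated with the bearer token."""
    if not base_url.startswith("https://"):
        # The token is a long-lived bearer secret; never put it on a cleartext link.
        raise ValueError("SCIM endpoint must be HTTPS")
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/scim+json"},
    )


def create_user(base_url, token, user_name, given, family, email):
    body = {"schemas": [SCIM_USER], "userName": user_name,
            "name": {"givenName": given, "familyName": family},
            "displayName": given + " " + family,
            "emails": [{"value": email, "type": "work", "primary": True}],
            "active": True}
    return scim_request(base_url, token, "POST", "/Users", body)


def create_group(base_url, token, display_name):
    body = {"schemas": [SCIM_GROUP], "displayName": display_name}
    return scim_request(base_url, token, "POST", "/Groups", body)


def add_member(base_url, token, group_id, user_id):
    # RFC 7644 PatchOp: append one member reference to the group.
    body = {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "add", "path": "members",
                            "value": [{"value": user_id}]}]}
    return scim_request(base_url, token, "PATCH", "/Groups/" + group_id, body)


if __name__ == "__main__":
    # Placeholders: the real URL and token come from the SSO provisioning settings.
    url = os.environ.get("SCIM_URL", "https://scim.example.invalid/scim/v2")
    token = os.environ.get("SCIM_TOKEN", "constructed-token")
    req = create_user(url, token, "jdoe", "Jane", "Doe", "jdoe@example.com")
    print(req.get_method(), req.full_url, req.data.decode())
```

Pass the returned object to `urllib.request.urlopen` to send it; keep the token in a secret store or environment variable rather than in the script, since anyone holding it can create users and change group membership.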
@StackRef but how can we enable SCIM auto provisioning for AWS SSO? I thought this setting is only available when you have external IdP enabled. |
Very much needed feature! |
@mtb-xt for this to work, you would still need to switch to an external IdP, but you will be using Ansible to call the SCIM API for provisioning. |
Another voice for saying this is a very much needed feature, please |
Hi all, thanks for your patience. I reached out to the SSO team for an update and they responded:
|
The IdentityStore service models were updated in the last 24 hours. As referenced in the documentation there is now a |
This issue is now closed. Comments on closed issues are hard for our team to see. |
Awesome @tim-finnigan! Awaiting its addition to v2 of the CLI next 😆 |
Is your feature request related to a problem? Please describe.
Currently it's not possible to create users/groups with the sso-admin service.
Describe the solution you'd like
It would be great to have commands for the creation of SSO users and groups covered by the AWS CLI
Describe alternatives you've considered
Current alternative is to create both manually in the web console