I'm looking for a way to automate SSO assignments for specific permission sets from my organization account to member accounts using Terraform. I manage everything through Terraform for account resources and want to create a module for the member accounts that can send over the necessary AD group information to trigger the SSO assignment in the org account. However, I need to prevent the execution role in the member accounts from having any create or delete permissions related to SSO since the assignments should only happen once.
I have two potential approaches in mind:
1) Set up a Lambda function in the org account and create a module in the member account that pushes the AD group details and account ID to the Lambda. The Lambda function would then handle the assignment creation. The downside here is I would need to expose an endpoint for the Lambda, which raises security concerns.
2) Use a role assumption from the member account to the org account, granting the ability to create an SSO assignment solely for the specified permission set. My concern with this is the security implications and complexity as we add more accounts that might need similar access.
Can anyone provide guidance on the best approach? I feel like I might be overcomplicating things and would love to hear thoughts on streamlining this process.
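For reference, here is what the org-account side of approach 2 can look like when the assumable role is scoped as tightly as the question asks. This is an added example, not code from the poster or from any project; the account IDs, the `terraform-exec` role name and the `DeveloperAccess` permission set are assumed placeholders. The role can create and read assignments for exactly one permission set on the enrolled accounts, can resolve an AD group name to its identity store ID, and is explicitly denied every delete and permission-set-changing action, so a `terraform destroy` run from a member pipeline fails rather than removing access.

```hcl
# Added example (not code from the original post): the org-account side of
# option 2. Account IDs, role names and the "DeveloperAccess" permission set
# are assumed placeholders.

data "aws_caller_identity" "org" {}
data "aws_organizations_organization" "this" {}
data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
}

# The single permission set member pipelines may assign (assumed name).
data "aws_ssoadmin_permission_set" "developer" {
  instance_arn = local.sso_instance_arn
  name         = "DeveloperAccess"
}

# Enrolled member accounts and the execution role each pipeline runs as (assumed).
# Onboarding another account means adding one entry here; nothing else widens.
variable "member_accounts" {
  type = map(object({ execution_role_name = string }))
  default = {
    "111111111111" = { execution_role_name = "terraform-exec" }
    "222222222222" = { execution_role_name = "terraform-exec" }
  }
}

# Trust policy: only the named execution roles, and only from inside this org.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type = "AWS"
      identifiers = [
        for id, acct in var.member_accounts :
        "arn:aws:iam::${id}:role/${acct.execution_role_name}"
      ]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [data.aws_organizations_organization.this.id]
    }
  }
}

# Permissions: create and read assignments for one permission set on the
# enrolled accounts only, plus the read-only identity store calls needed to
# resolve an AD group name to its ID. No Delete* action is granted, and an
# explicit Deny keeps it that way if another policy is attached later.
data "aws_iam_policy_document" "assign" {
  statement {
    sid = "CreateAssignmentForOnePermissionSet"
    actions = [
      "sso:CreateAccountAssignment",
      "sso:DescribeAccountAssignmentCreationStatus",
      "sso:ListAccountAssignments"
    ]
    resources = concat(
      [local.sso_instance_arn, data.aws_ssoadmin_permission_set.developer.arn],
      [for id in keys(var.member_accounts) : "arn:aws:sso:::account/${id}"]
    )
  }

  statement {
    sid     = "ResolveGroupIds"
    actions = ["identitystore:ListGroups", "identitystore:GetGroupId", "identitystore:DescribeGroup"]
    resources = [
      "arn:aws:identitystore::${data.aws_caller_identity.org.account_id}:identitystore/${local.identity_store_id}",
      "arn:aws:identitystore:::group/*"
    ]
  }

  statement {
    sid    = "NeverDeleteOrChangePermissionSets"
    effect = "Deny"
    actions = [
      "sso:DeleteAccountAssignment",
      "sso:CreatePermissionSet",
      "sso:DeletePermissionSet",
      "sso:UpdatePermissionSet",
      "sso:AttachManagedPolicyToPermissionSet",
      "sso:PutInlinePolicyToPermissionSet"
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role" "member_sso_assigner" {
  name               = "member-sso-assigner"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

resource "aws_iam_role_policy" "member_sso_assigner" {
  role   = aws_iam_role.member_sso_assigner.id
  policy = data.aws_iam_policy_document.assign.json
}
```

On the member side, the module would declare a second `aws` provider alias with an `assume_role` block pointing at this role's ARN and create a single `aws_ssoadmin_account_assignment` under it. Because the Deny statement covers `sso:DeleteAccountAssignment`, any plan that would remove that resource errors out at apply time, which is the "assign once" guarantee the question asks for. If the first assignment fails with an access-denied error during provisioning, compare the policy against the dependent actions listed for `sso:CreateAccountAssignment` in the Service Authorization Reference; those are deliberately not guessed here.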
4 Answers
You might want to look into using SCIM to sync users from AD groups to Identity Center. You can still manage the permission sets and handle account assignments using Terraform. I'm a fan of keeping it all in one place.
Just a heads up, if your member accounts have strict security settings, you'll need to ensure any method you choose complies with those policies. It might take some tweaking!
Have you considered using AWS EventBridge to trigger the SSO assignments? It could simplify things and reduce your security exposure compared to the Lambda approach.
If your resources are managed with Terraform, why not handle IAM Identity Center assignments directly through your Terraform configuration? It could keep everything cleaner and simpler.
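The two Terraform-only suggestions above (SCIM-synced groups, and assignments managed directly in the org account) fit together in one configuration. The following is an added example, not code from either answer: it assumes the AD groups already exist in Identity Center (for instance synced by SCIM, which is enabled and tokened from the Identity Center console rather than from Terraform), and the group names, permission set names and account IDs are placeholders. Each member module would contribute its own entry to `local.assignments` (via outputs or remote state); here the map is inline so the block is self-contained.

```hcl
# Added example (not code from the original thread): org-account Terraform that
# manages permission sets and group-to-account assignments in one place.
# Group display names, permission set names and account IDs are assumed.

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # Desired state: which AD group gets which permission set in which account.
  assignments = [
    { account_id = "111111111111", group = "AD-AppTeam-Dev", permission_set = "DeveloperAccess" },
    { account_id = "222222222222", group = "AD-AppTeam-Ops", permission_set = "OperatorAccess" },
    { account_id = "222222222222", group = "AD-AppTeam-Dev", permission_set = "DeveloperAccess" }
  ]
}

# Permission sets live here too; member pipelines never need rights on them.
resource "aws_ssoadmin_permission_set" "this" {
  for_each         = toset([for a in local.assignments : a.permission_set])
  name             = each.key
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H"
}

# Resolve each SCIM-synced group by its display name to the ID the API wants.
data "aws_identitystore_group" "this" {
  for_each          = toset([for a in local.assignments : a.group])
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.key
    }
  }
}

resource "aws_ssoadmin_account_assignment" "this" {
  for_each = { for a in local.assignments : "${a.account_id}/${a.group}/${a.permission_set}" => a }

  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.permission_set].arn
  principal_id       = data.aws_identitystore_group.this[each.value.group].group_id
  principal_type     = "GROUP"
  target_id          = each.value.account_id
  target_type        = "AWS_ACCOUNT"

  # Assignments are meant to be created once: a plan that would remove one
  # fails at plan time instead of silently revoking access.
  lifecycle {
    prevent_destroy = true
  }
}
```

With this shape the member accounts need no SSO permissions at all, which satisfies the original constraint directly. Removing an entry from `local.assignments` makes `terraform plan` fail on `prevent_destroy`; revoking access is then a deliberate change to the lifecycle block rather than a side effect of a pipeline run. Note that `aws_identitystore_group` fails if the display name does not match exactly, so a group that has not yet been synced by SCIM surfaces as a plan error rather than an empty assignment.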

I prefer to stick with Terraform since our pipelines can automate everything, but I'll definitely check out the SCIM option!