This tool syncs users and groups from Google Workspace to AWS SSO.

The AWS SSO SCIM endpoint returns at most 50 users or groups in a list request. This means:

- Users: if you have more than 50 users, the tool can still remove users that were added through Google Workspace, but it will probably not be able to remove users that were added manually in AWS SSO, because those may not appear in the truncated list.
- Groups: if you have more than 50 groups, the tool will probably not be able to remove groups after they were deleted in Google Workspace. Google does not report deleted groups, so the tool can only detect them by comparing against the groups AWS returns, and a truncated list hides them. For the same reason group memberships will not be removed: the AWS SCIM endpoint does not allow fetching all groups of a user.
To reduce the impact of these limitations and to get the best performance, follow these recommendations:

- Keep the number of groups as low as possible (ideally below 50) by using `google_api_query_for_groups`, `ignore_groups_regexes` and/or `include_groups_regexes`.
- Keep the number of users as low as possible (ideally below 50) by using `google_api_query_for_users`, `ignore_users_regexes` and/or `include_users_regexes`.
- Only sync users that are members of a group that is synced to AWS by using the sync strategy `GroupMembersOnly` (the default).
To deploy the tool:

- Enable the Admin SDK API in the Google Cloud Console (at the top of the dashboard there is an "Enable APIs and services" button; search for "Admin SDK API" and click enable).
- Create a Google service account (service user) and keep its `credentials.json`, which is required at a later stage.
- Set up the Domain-Wide Delegation scopes for the service account:
- Enable provisioning in the AWS SSO console and keep the token and the SCIM endpoint, which are required at a later stage.
- Create a secret in AWS Secrets Manager with the following content:

  ```json
  {
    "endpoint": "<scim_endpoint>",
    "access_token": "<token>"
  }
  ```

- Create another secret in AWS Secrets Manager with the following content. The mail address is the Google admin user that the service account impersonates through Domain-Wide Delegation:

  ```json
  {
    "mail": "<mail of a google admin user>",
    "credential_json": <credentials.json either as String or Object>
  }
  ```

- Create a Lambda function with the binary from this repository using the runtime `provided.al2`; the handler value can be anything. (More info about the parameters below.)
- Create a CloudWatch Event rule to trigger the Lambda regularly.
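The following helper builds and validates the two Secrets Manager payloads and the Lambda event from the steps above. It is an added example, not code from this repository: the key names (`endpoint`, `access_token`, `mail`, `credential_json`, `security_hub_google_creds`, `security_hub_scim_creds`) and the accepted option names are taken from this README, while the function names, the validation rules and the `type == "service_account"` check on the Google key file are this example's own assumptions. Secrets are written through a caller-supplied boto3 `secretsmanager` client so the builders can be exercised offline; the sample key below is constructed, not a real credential.

```python
"""Build and validate the SCIM secret, the Google secret and the Lambda event.

Added example, not the project's own code. Key names come from the README;
validation rules, function names and the service-account check are assumptions.
"""
import json
import re
from typing import Any, Dict, Union

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

ALLOWED_OPTIONS = {
    "google_api_query_for_users", "google_api_query_for_groups",
    "ignore_users_regexes", "include_users_regexes",
    "ignore_groups_regexes", "include_groups_regexes", "sync_strategie",
}


def build_scim_secret(endpoint: str, access_token: str) -> Dict[str, str]:
    """Payload for the SCIM secret: {"endpoint": ..., "access_token": ...}."""
    if not endpoint.startswith("https://"):
        raise ValueError("SCIM endpoint must be an https:// URL")
    if not access_token.strip():
        raise ValueError("SCIM access token is empty")
    return {"endpoint": endpoint, "access_token": access_token}


def build_google_secret(mail: str, credentials: Union[str, Dict[str, Any]]) -> Dict[str, Any]:
    """Payload for the Google secret.

    `credentials` may be the credentials.json text (stored as a string) or its
    parsed object (stored as an object); the README accepts both forms.
    """
    if not _EMAIL_RE.match(mail):
        raise ValueError(f"not a mail address: {mail!r}")
    parsed = json.loads(credentials) if isinstance(credentials, str) else credentials
    # Google service-account key files carry "type": "service_account" and a
    # private_key; refusing anything else keeps an OAuth client secret or a
    # user token from being stored by mistake (assumed check, not from the README).
    if parsed.get("type") != "service_account" or "private_key" not in parsed:
        raise ValueError("credentials.json is not a service-account key")
    return {"mail": mail, "credential_json": credentials}


def build_lambda_event(region: str, google_secret_name: str, scim_secret_name: str,
                       **options: Any) -> Dict[str, Any]:
    """Event payload for the Lambda; `options` are the optional README parameters."""
    unknown = set(options) - ALLOWED_OPTIONS
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    if options.get("sync_strategie") not in (None, "AllUsers", "GroupMembersOnly"):
        raise ValueError("sync_strategie must be AllUsers or GroupMembersOnly")
    event: Dict[str, Any] = {
        "security_hub_google_creds": {"region": region, "id": google_secret_name},
        "security_hub_scim_creds": {"region": region, "id": scim_secret_name},
    }
    event.update(options)
    return event


def store_secret(client, name: str, payload: Dict[str, Any]) -> str:
    """Create the secret via a boto3 secretsmanager client; returns the secret ARN."""
    resp = client.create_secret(Name=name, SecretString=json.dumps(payload))
    return resp["ARN"]


class InMemorySecretStore:
    """Constructed stand-in for a boto3 secretsmanager client (offline runs only)."""

    def __init__(self) -> None:
        self.secrets: Dict[str, str] = {}

    def create_secret(self, Name: str, SecretString: str) -> Dict[str, str]:
        self.secrets[Name] = SecretString
        return {"ARN": f"arn:aws:secretsmanager:eu-central-1:123456789012:secret:{Name}", "Name": Name}


# Constructed sample key file (not a real credential).
SAMPLE_KEY = {
    "type": "service_account",
    "client_email": "sync@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    store = InMemorySecretStore()
    scim_arn = store_secret(store, "aws-sso-scim",
                            build_scim_secret("https://scim.eu-central-1.amazonaws.com/abc/scim/v2/", "token"))
    google_arn = store_secret(store, "google-workspace-sync", build_google_secret("admin@example.org", SAMPLE_KEY))
    event = build_lambda_event("eu-central-1", "google-workspace-sync", "aws-sso-scim",
                               include_groups_regexes=[r"^aws-.*@example\.org$"],
                               sync_strategie="GroupMembersOnly")
    print(scim_arn, google_arn)
    print(json.dumps(event, indent=2))
```

For a real deployment pass `boto3.client("secretsmanager", region_name=...)` to `store_secret` instead of the in-memory store, and use the same region in the event so the Lambda looks the secrets up where they were created.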
The Lambda function requires a few parameters to work correctly. You can define them either in the event that is sent to the Lambda or via environment variables.

Event parameters (the comments are explanatory; remove them and any trailing comma from the actual event, which must be plain JSON):

```jsonc
{
  "security_hub_google_creds": {
    "region": "<region_of_secret>",
    "id": "<google_secret_name>"
  },
  "security_hub_scim_creds": {
    "region": "<region_of_secret>",
    "id": "<scim_secret_name>"
  },
  // Optional, remove if not required. Example: `email:aws-*`
  // Query sent to the Google API to filter users
  // More info at https://developers.google.com/admin-sdk/directory/v1/guides/search-users
  "google_api_query_for_users": "",
  // Optional, remove if not required. Example: `email:aws-*`
  // Query sent to the Google API to filter groups
  // More info at https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
  "google_api_query_for_groups": "",
  // Optional, remove if not required. Example: `aws-.*@domain.org`
  // Ignores a user if one of the regexes matches. Matches on the primary_email
  "ignore_users_regexes": [],
  // Optional, remove if not required. Example: `aws-.*@domain.org`
  // Includes a user if one of the regexes matches. Matches on the primary_email
  "include_users_regexes": [],
  // Optional, remove if not required. Example: `aws-.*@domain.org`
  // Ignores a group if one of the regexes matches. Matches on the email
  "ignore_groups_regexes": [],
  // Optional, remove if not required. Example: `aws-.*@domain.org`
  // Includes a group if one of the regexes matches. Matches on the email
  "include_groups_regexes": [],
  // Optional, remove if not required. AllUsers | GroupMembersOnly (default)
  // Defines the sync strategy
  "sync_strategie": ""
}
```
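The 50-item SCIM limit described above is easiest to check before the first sync. The following pre-flight script is an added example, not code from this repository: it applies the `ignore_*`/`include_*` regexes and the sync strategy to a constructed directory snapshot and warns when the resulting user or group count exceeds 50. The semantics it assumes are not stated on this page: an `ignore_*` match wins over an `include_*` match, an empty `include_*` list means no restriction, regexes are matched with `re.search` against `primary_email`/`email`, and `GroupMembersOnly` keeps a user only if they belong to at least one group that survives the group filters. `google_api_query_for_*` runs server-side in Google and is not simulated.

```python
"""Pre-flight check of the sync scope against the 50-item AWS SSO SCIM limit.

Added example, not the project's own code. Filter semantics are assumptions
(ignore wins over include, empty include = no restriction, re.search matching,
GroupMembersOnly = member of at least one kept group). Sample data is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

SCIM_PAGE_LIMIT = 50  # AWS SSO SCIM returns at most this many users or groups


@dataclass
class User:
    primary_email: str


@dataclass
class Group:
    email: str
    members: List[str] = field(default_factory=list)  # member primary emails


@dataclass
class SyncPlan:
    users: List[User]
    groups: List[Group]
    warnings: List[str]


def _keep(value: str, ignore: Iterable[str], include: Iterable[str]) -> bool:
    """Ignore regexes take precedence; an empty include list matches everything (assumed)."""
    if any(re.search(r, value) for r in ignore):
        return False
    include = list(include)
    return not include or any(re.search(r, value) for r in include)


def plan_sync(users, groups, *, ignore_users_regexes=(), include_users_regexes=(),
              ignore_groups_regexes=(), include_groups_regexes=(),
              sync_strategie="GroupMembersOnly") -> SyncPlan:
    kept_groups = [g for g in groups if _keep(g.email, ignore_groups_regexes, include_groups_regexes)]
    kept_users = [u for u in users if _keep(u.primary_email, ignore_users_regexes, include_users_regexes)]
    if sync_strategie == "GroupMembersOnly":
        member_emails = {m for g in kept_groups for m in g.members}
        kept_users = [u for u in kept_users if u.primary_email in member_emails]
    elif sync_strategie != "AllUsers":
        raise ValueError(f"unknown sync_strategie: {sync_strategie!r}")

    warnings = []
    for kind, count in (("users", len(kept_users)), ("groups", len(kept_groups))):
        if count > SCIM_PAGE_LIMIT:
            warnings.append(f"{count} {kind} exceed the SCIM limit of {SCIM_PAGE_LIMIT}; "
                            f"stale {kind} in AWS SSO may not be removed")
    return SyncPlan(kept_users, kept_groups, warnings)


# Constructed sample directory: 60 staff users plus one service account, three groups.
SAMPLE_USERS = [User(f"user{i:02d}@example.org") for i in range(1, 61)] + [User("svc-backup@example.org")]
SAMPLE_GROUPS = [
    Group("aws-admins@example.org", ["user01@example.org", "user02@example.org"]),
    Group("aws-readonly@example.org", ["user03@example.org", "user04@example.org",
                                       "user05@example.org", "svc-backup@example.org"]),
    Group("all-staff@example.org", [u.primary_email for u in SAMPLE_USERS[:60]]),
]


def unfiltered_plan() -> SyncPlan:
    """Everything in the directory with AllUsers: 61 users, over the limit."""
    return plan_sync(SAMPLE_USERS, SAMPLE_GROUPS, sync_strategie="AllUsers")


def scoped_plan() -> SyncPlan:
    """Only aws-* groups and their human members: 5 users, 2 groups, no warning."""
    return plan_sync(SAMPLE_USERS, SAMPLE_GROUPS,
                     include_groups_regexes=[r"^aws-.*@example\.org$"],
                     ignore_users_regexes=[r"^svc-"],
                     sync_strategie="GroupMembersOnly")


if __name__ == "__main__":
    for name, plan in (("unfiltered", unfiltered_plan()), ("scoped", scoped_plan())):
        print(f"{name}: {len(plan.users)} users, {len(plan.groups)} groups")
        for w in plan.warnings:
            print("  warning:", w)
```

Note that `GroupMembersOnly` alone is not enough here: the broad `all-staff` group pulls all 60 staff users back in, so the group filter is what brings the scope under the limit.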
Environment variables:

```sh
SH_GOOGLE_CREDS="{\"region\": \"<region_of_secret>\",\"id\": \"<google_secret_name>\"}"
SH_SCIM_CREDS="{\"region\": \"<region_of_secret>\",\"id\": \"<scim_secret_name>\"}"
# Optional, skip if not required. Example: `email:aws-*`
# Query sent to the Google API to filter users
# More info at https://developers.google.com/admin-sdk/directory/v1/guides/search-users
GOOGLE_API_QUERY_FOR_USERS=""
# Optional, skip if not required. Example: `email:aws-*`
# Query sent to the Google API to filter groups
# More info at https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
GOOGLE_API_QUERY_FOR_GROUPS=""
# Optional, skip if not required. Example: `aws-.*@domain.org`
# Ignores a user if one of the regexes matches. Matches on the primary_email
IGNORE_USERS_REGEXES=""
# Optional, skip if not required. Example: `aws-.*@domain.org`
# Includes a user if one of the regexes matches. Matches on the primary_email
INCLUDE_USERS_REGEXES=""
# Optional, skip if not required. Example: `aws-.*@domain.org`
# Ignores a group if one of the regexes matches. Matches on the email
IGNORE_GROUPS_REGEXES=""
# Optional, skip if not required. Example: `aws-.*@domain.org`
# Includes a group if one of the regexes matches. Matches on the email
INCLUDE_GROUPS_REGEXES=""
# Optional, skip if not required. AllUsers | GroupMembersOnly (default)
# Defines the sync strategy
SYNC_STRATEGIE=""
# Optional, skip if not required. off | error | warn | info (default) | debug | trace
# Defines the log level
LOG_LEVEL=""
```
License: MIT OR Apache-2.0