A small script to migrate or synchronize users & groups from Okta to AWS SSO

Overview

aws-sso-sync-okta

A small script to migrate or synchronize users & groups from Okta to AWS SSO

Foo Foo Foo

Changelog Version
Remove hardcoded values on variables and enable arguments as group_name 0.5
Fixed search filtering in okta + enable dry run mode 0.6
Enable iterating over a list obtained via SSM Parameter Store) 0.7
Fix error iterating on check_aws_groups 0.8

Current version: 0.8

This script is intended to syncronize all or some selected users from Okta to AWS SSO based on a query filtering by group name on both APIs.

Workflow:

  1. Connect to AWS SSM to get access credentials for both APIs
  2. It asks to OKTA API for groups matching "okta_groups" variable (okta may show more than one match since the search is regexp based )
  3. Get all Group_Id's for the matching groups (if no groups matching exits)
  4. Then for each group found asks for all the users inside those groups
  5. Compare all the users (email) from Okta against AWS SSO and chekcks if the user exists or not in AWS SSO.
  6. If the user exists does nothing, if doesn't creates it.
  7. Then on a second phase asks AWS for groups matching "aws_groups" variable ( exact match )
  8. And search for every user in that groups
  9. If the user does not exists in that group creates it.

Configuration

  1. Get your AWS SSO Setup ready and collect the necessary values (SCIM URL's for users and groups) More info: https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html

  2. Create an API token to ask AWS API.

  3. Create an Okta API token

  4. Save those values into an SSM (Parameter Store) [okta_api_token and amz_sso_api_token]

  5. Put your SCIM URL's into the script

  6. Save and quit

Usage

sync-users.py <group_name>

Considerations

  • Okta API when searching for groups (https://developer.okta.com/docs/reference/api/groups/) as they mention in the documentation, currently performs a startsWith match but it should be considered an implementation detail and may change without notice in the future. To avoid more than one result I strongly sugget to use prefixes as a naming convention for the group names (I.e.: xx_groupname), but for now the script is being modified to do some checks and verify there's only one result. (It's a prevention measeure, of course it can be iterated on a loop if necessary)

Demo:

me@crashtestdummy[~]> sync-users.py xx_devops

>> Syncing users from Okta to AWS SSO
==========================================
>> Retrieving Group ID's from Okta.........
['xx_devops']
  00g1by6snswq40ERK417 - [ xx_devops ]
>> Getting users from retrieved group ID's .........
>> Got 2 users from Okta
>> Checking AWS SSO users list.....
>> User [ [email protected] ] 93671e0715-1525f435-9359-4c9b-a2fe-13209d15cff8 already exists...
>> User [ [email protected] ] 93671e0715-08b298da-4bce-4f2e-a7b2-18433607d07f already exists...
>> Searching Groups matching: [ xx_devops ]
>> Results found: 1
>> Group ID: 93671e0715-b65a0f2f-ds7d-402d-a05c-91441697f9dc
>> User [ [email protected] ] already exists in group93671e0715-b65a0f2f-ce8b-a05c-a05c-91441687f9dc
>> User [ [email protected] ] already exists in group93671e0715-b65a0f2f-ce8b-a05c-a05c-914416973fdc
>> User [ [email protected] ] creating user into AWS SSO .......OK
>> User [ [email protected] ] creating user into AWS SSO .......OK
>> User [ [email protected] ] creating user into AWS SSO .......OK

TODO/WIP

  • Iterate over a list of groups to sync multiple groups
  • Get the list of groups from SSM (Parameter Store) instead of passing an argument to the script

Troubleshooting

(WIP)

WARNING: Since this software is not tested enough I would strongly suggest to run it carefully by syncing the groups from OKTA to AWS SSO one by one!! this was you only can screw up one group at time :)

Since the access credentials are stored in Parameter Store (AWS SSM),be sure to launch this script being authenticatd via CLI against the Root Account or where you're configuring the AWS SSO and AWS SSM. Otherwise the script won't be able to find the access credentials for both API's.

You might also like...
Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

aws-allowlister Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance fr

SSH-Restricted deploys an SSH compliance rule (AWS Config) with auto-remediation via AWS Lambda if SSH access is public.
SSH-Restricted deploys an SSH compliance rule (AWS Config) with auto-remediation via AWS Lambda if SSH access is public.

SSH-Restricted SSH-Restricted deploys an SSH compliance rule with auto-remediation via AWS Lambda if SSH access is public. SSH-Auto-Restricted checks

AWS Auto Inventory allows you to quickly and easily generate inventory reports of your AWS resources.
AWS Auto Inventory allows you to quickly and easily generate inventory reports of your AWS resources.

Photo by Denny Müller on Unsplash AWS Automated Inventory ( aws-auto-inventory ) Automates creation of detailed inventories from AWS resources. Table

A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

aws-lambda-scheduler lets you call any existing AWS Lambda Function you have in a future time.

aws-lambda-scheduler aws-lambda-scheduler lets you call any existing AWS Lambda Function you have in the future. This functionality is achieved by dyn

Project template for using aws-cdk, Chalice and React in concert, including RDS Postgresql and AWS Cognito

What is This? This repository is an opinonated project template for using aws-cdk, Chalice and React in concert. Where aws-cdk and Chalice are in Pyth

POC de uma AWS lambda que executa a consulta de preços de criptomoedas, e é implantada na AWS usando Github actions.
POC de uma AWS lambda que executa a consulta de preços de criptomoedas, e é implantada na AWS usando Github actions.

Cryptocurrency Prices Overview Instalação Repositório Configuração CI/CD Roadmap Testes Overview A ideia deste projeto é aplicar o conteúdo estudado s

Python + AWS Lambda Hands OnPython + AWS Lambda Hands On
Python + AWS Lambda Hands OnPython + AWS Lambda Hands On

Python + AWS Lambda Hands On Python Criada em 1990, por Guido Van Rossum. "Bala de prata" (quase). Muito utilizado em: Automatizações - Selenium, Beau

AWS Blog post code for running feature-extraction on images using AWS Batch and Cloud Development Kit (CDK).

Batch processing with AWS Batch and CDK Welcome This repository demostrates provisioning the necessary infrastructure for running a job on AWS Batch u

Owner
Paul
Devops Engineer
Paul
Unauthenticated enumeration of services, roles, and users in an AWS account or in every AWS account in existence.

Quiet Riot ?? C'mon, Feel The Noise ?? An enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Acccount IDs, roo

Wes Ladd 89 Jan 5, 2023
Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Automate activities in Control Tower provisioned AWS accounts Table of contents Introduction Architecture Prerequisites Tools and services Usage Clean

AWS Samples 20 Dec 7, 2022
Implement backup and recovery with AWS Backup across your AWS Organizations using a CI/CD pipeline (AWS CodePipeline).

Backup and Recovery with AWS Backup This repository provides you with a management and deployment solution for implementing Backup and Recovery with A

AWS Samples 8 Nov 22, 2022
Migrate BiliBili watched anime to Bangumi

说明 之前为了将B站看过的动画迁移到bangumi写的, 本来只是自己用, 但公开可能对其他人会有帮助. 仓库最近无法维护, 程序有很多缺点, 欢迎 PR 和 Contributors 使用说明 Python版本要求:Python 3.8+ 使用前安装依赖包: pip install -r requ

null 51 Sep 8, 2022
Discord bot code to stop users that are scamming with fake messages of free discord nitro on servers in order to steal users accounts.

AntiScam Discord bot code to stop users that are scamming with fake messages of free discord nitro on servers in order to steal users accounts. How to

H3cJP 94 Dec 15, 2022
A Bot Telegram Anti Users Channel to automatic ban users who using channel to send message in group.

Tg_Anti_UsersChannel A Bot Telegram Anti Users Channel to automatic ban users who using channel to send message in group. Features: Automatic ban Whit

idzeroid 6 Dec 26, 2021
This is a simple program that uses Python and pyTwitchAPI to retrieve the list of users in a streamer's chat and then checks each one of these users to see if they follow the broadcaster or not

This is a simple program that uses Python and pyTwitchAPI to retrieve the list of users in a streamer's chat and then checks each one of these users to see if they follow the broadcaster or not

RwinShow 57 Dec 18, 2022
SimpleTelegramScraper - A python script scrapes accounts from public groups via Telegram API and saves them in a CSV file

SimpleTelegramScraper - the best scraper on GitHub This simple python script scr

Deniz Shabani 12 Oct 6, 2022
Create a Neo4J graph of users and roles trust policies within an AWS Organization.

AWS_ORG_MAPPER This tool uses sso-oidc to authenticate to the AWS organization. Once authenticated the tool will attempt to enumerate all users and ro

Ruse 24 Jul 28, 2022