IAM roles generated by AWS SSO have long, hard-to-remember names such as "AWSReservedSSO_DatabaseAdministrator_e90c045f34e6a0ad". This role mapper keeps mappings for those roles as parameters in AWS Systems Manager Parameter Store, under a prefix you configure.
To build and deploy it yourself you need:
- AWS CLI (if you are using AWS SSO you need AWS CLI version 2)
- Configured AWS CLI credentials
- Java JDK 11 (or later)
- Configured GraalVM, see this guide
- Maven
- Docker
To build, make sure Docker is running, then:
- Clone this repository into a folder of your choice
- Run
mvn clean package -Pnative
To deploy:
- Clone this repository into a folder of your choice
- Create an S3 bucket to store the zipped code:
aws s3 mb s3://mybucket --region us-east-1
- Configure the deploy settings in pom.xml, see Configuration
- Run
mvn deploy -Pnative
If you don't want to build the project yourself, Attini provides a prebuilt SAM application:
- Navigate to the CloudFormation console in the N. Virginia (us-east-1) region.
- Create a new CloudFormation stack using the template located at this S3 URL:
https://attini-artifacts-us-east-1.s3.amazonaws.com/aws-sso-role-names-mapper/latest-template.yaml
To test the role mapping with the bundled test events:
- Navigate to the lambda created by the CloudFormation stack
- Click on Test
- Create a new test event for role creation using the payload located in src/test/resources/createRolePayload.json
- Run the test to create the parameter for test-role (note that no such role is created in IAM)
- Make sure the parameter was added by checking the lambda response or Parameter Store
- Create a new test event for role deletion using the payload located in src/test/resources/deleteRolePayload.json
- Run the test to delete the parameter for test-role (again, no such role is deleted in IAM)
- Make sure the parameter was deleted by checking the lambda response or Parameter Store
To run the lambda with a Sync execution:
- Navigate to the lambda created by the CloudFormation stack
- Click on Test
- Create a new test event with the payload:
{ "ExecutionType": "Sync" }
- Run the test
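After a Sync run, the quickest way to confirm what landed in Parameter Store is from the shell you already use for the AWS CLI. The script below is an added example, not code from the Attini project. It assumes two things this page does not state: that generated role names follow the pattern AWSReservedSSO_<PermissionSet>_<16 hex chars>, as in the name quoted at the top, and that the mapper writes one parameter per role named <prefix><PermissionSet> whose value contains the generated role name (bare name or ARN). If the deployed layout differs, adjust mapping_parameter_name().

```shell
#!/bin/sh
# Added example; not part of the aws-sso-role-names-mapper project.
# Assumptions (not stated on the page):
#   - generated role names look like AWSReservedSSO_<PermissionSet>_<16 hex chars>,
#     e.g. "AWSReservedSSO_DatabaseAdministrator_e90c045f34e6a0ad";
#   - the mapper stores one parameter per role at <prefix><PermissionSet>
#     whose value contains the generated role name (bare name or ARN).

# Print the permission-set part of a generated SSO role name.
# Returns 1 (prints nothing) when the name does not fit the pattern.
sso_permission_set_name() {
    name="$1"
    case "$name" in
        AWSReservedSSO_*_*) ;;
        *) return 1 ;;
    esac
    rest="${name#AWSReservedSSO_}"     # drop the fixed prefix
    suffix="${rest##*_}"               # text after the last underscore
    [ "${#suffix}" -eq 16 ] || return 1
    case "$suffix" in                  # suffix must be lower-case hex
        *[!0-9a-f]*) return 1 ;;
    esac
    printf '%s\n' "${rest%_*}"         # permission set may itself contain '_'
}

# Build the expected parameter name from the configured prefix and a role name.
mapping_parameter_name() {
    prefix="$1"; role="$2"
    permset="$(sso_permission_set_name "$role")" || return 1
    printf '%s/%s\n' "${prefix%/}" "$permset"
}

# List every mapping written under the prefix (needs AWS credentials).
list_mappings() {
    aws ssm get-parameters-by-path --path "$1" --recursive \
        --query 'Parameters[].[Name,Value]' --output text
}

# Check that Parameter Store holds a mapping for one generated role
# (needs AWS credentials). Fails when the parameter is missing or its
# value does not mention the role name.
verify_mapping() {
    prefix="$1"; role="$2"
    param="$(mapping_parameter_name "$prefix" "$role")" || {
        printf 'not an SSO-generated role name: %s\n' "$role" >&2; return 1; }
    value="$(aws ssm get-parameter --name "$param" \
        --query 'Parameter.Value' --output text 2>/dev/null)" || {
        printf 'missing parameter %s\n' "$param" >&2; return 1; }
    case "$value" in
        *"$role"*) printf '%s -> %s\n' "$param" "$value" ;;
        *) printf 'unexpected value for %s: %s\n' "$param" "$value" >&2; return 1 ;;
    esac
}

# Usage: ./check-mappings.sh /your-organisation/role-name-mappings/ [ROLE_NAME]
# Without ROLE_NAME the script lists all mappings; with it, it verifies one role.
if [ -n "${1:-}" ]; then
    if [ -n "${2:-}" ]; then
        verify_mapping "$1" "$2"
    else
        list_mappings "$1"
    fi
fi
```

Run it with the same prefix you set as parameterStorePrefix in pom.xml; pass a role name copied from the IAM console to check a single mapping. The two helper functions that call the AWS CLI need working credentials, the parsing functions do not.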
In pom.xml, under <properties>, configure the following variables:
<stackName>
Name of the CloudFormation stack
<parameterStorePrefix>
Prefix for parameter names in Parameter Store. Example: "/your-organisation/role-name-mappings/"
<schedule>
Schedule for the event TriggerOnSchedule, see AWS documentation
<s3Bucket>
Bucket name (don't include s3://). Example: "s3://{s3Bucket}/{s3BucketKey}"
<s3BucketKey>
Bucket object key. Example: "s3://{s3Bucket}/{s3BucketKey}"
If you no longer want to use the role mapper you can clean up your accounts with these steps:
- Trigger the DistributeSSORoles lambda with the event below.
Warning
This will delete all the SSM parameters under the namespace prefix that you have configured.
{
"ExecutionType": "Cleanup"
}
- Delete the SSO role mapper CloudFormation stack.