This project automates syncing IAM roles to Azure Active Directory, eliminating the need to manually update the Azure SSO app every time a role is added in any of the AWS accounts.
The solution is implemented as a single Lambda function running in the Organization's master account. The Lambda function performs the following activities:
- Tries to assume a specified role in each of the organization's accounts
- Retrieves IAM roles (using the assumed role's credentials) and finds the ones that can be assumed via the SAML provider
- Disables the existing IAM roles in the Azure SSO application
- Puts the newly discovered IAM roles, preserving the existing local ids
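The two non-trivial steps above are the trust-policy filter and the merge that keeps app role ids stable. The following is an added illustration, not the project's own code: it assumes boto3's decoded `list_roles()` output shape, a constructed sample account, and the comma-separated `role_arn,provider_arn` value format used by the Azure AWS SSO app.

```python
import uuid

# Constructed sample input mirroring the shape of iam.list_roles()["Roles"] as
# returned by boto3 (AssumeRolePolicyDocument is already decoded to a dict).
SAML_PROVIDER_ARN = "arn:aws:iam::111122223333:saml-provider/AzureAD"  # from AWS_SAML_PROVIDER_NAME
SAMPLE_ROLES = [
    {"Arn": "arn:aws:iam::111122223333:role/AzureAdmin",
     "AssumeRolePolicyDocument": {"Statement": [{
         "Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
         "Principal": {"Federated": SAML_PROVIDER_ARN}}]}},
    {"Arn": "arn:aws:iam::111122223333:role/EC2Worker",
     "AssumeRolePolicyDocument": {"Statement": [{
         "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"Service": "ec2.amazonaws.com"}}]}},
]

def _as_list(x):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return [x] if isinstance(x, str) else list(x or [])

def saml_roles(roles, provider_arn):
    """Return ARNs of roles whose trust policy allows provider_arn to AssumeRoleWithSAML."""
    found = []
    for role in roles:
        stmts = role["AssumeRolePolicyDocument"].get("Statement", [])
        for s in stmts if isinstance(stmts, list) else [stmts]:
            principal = s.get("Principal")
            federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
            if (s.get("Effect") == "Allow" and provider_arn in federated
                    and "sts:AssumeRoleWithSAML" in _as_list(s.get("Action"))):
                found.append(role["Arn"])
                break  # one matching statement is enough; do not add the role twice
    return found

def app_role_value(role_arn, provider_arn):
    # Assumed value format of the Azure AWS SSO app role: "<role arn>,<provider arn>".
    return f"{role_arn},{provider_arn}"

def merge_app_roles(existing, discovered):
    """Rebuild the app's appRoles: roles still discovered keep their id (so user
    assignments survive), roles no longer found are disabled rather than dropped
    (Azure refuses to delete an enabled appRole), unseen roles get a fresh id."""
    by_value = {r["value"]: dict(r) for r in existing}  # copies: do not mutate input
    merged = []
    for value in discovered:
        role = by_value.pop(value, {"id": str(uuid.uuid4()), "value": value,
                                    "displayName": value.split(",")[0].rsplit("/", 1)[-1]})
        role["isEnabled"] = True
        merged.append(role)
    for role in by_value.values():  # whatever is left was not discovered this run
        role["isEnabled"] = False
        merged.append(role)
    return merged
```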
The Lambda function requires the following dependencies to be provisioned:
- Azure AWS SSO app with SAML-based sign-on configured
- IAM Provider created in each of the organization's accounts using the SAML document generated in the previous step
- IAM Role provisioned in each of the organization's accounts with the `iam:ListRoles` permission (a CloudFormation template is provided for this)
Please follow the general integration steps described in this article up to step 15 in the Configure Amazon Web Services (AWS) Single Sign-On section. At this stage, you should have an Azure AWS SSO application with SAML-based sign-on and an IAM Provider provisioned in your AWS account(s).
If you already have an IAM role with a consistent name provisioned in each account, you can use it as long as it has the `iam:ListRoles` permission.
Optionally, provision an IAM Role in each child account using the following CloudFormation template.
Alternatively, you can use the AWS pre-provisioned `OrganizationAccountAccessRole` role (FYI: AWS recommends deleting this role).
Rename `.envrc.template` to `.envrc` and provide the following configuration values:
- `STACK_NAME` - Preferred stack name for provisioning the AWS Lambda function
- `S3_BUCKET_NAME` - Existing S3 bucket in the master account that you have read/write access to
- `AWS_ASSUME_ROLE_NAME` - IAM role name that is going to be assumed by the Lambda function in each of the organization's accounts
- `AWS_SAML_PROVIDER_NAME` - IAM Provider name that was previously provisioned in each of the organization's accounts
- `AZURE_OBJECT_ID` - Azure AWS SSO app's objectId; can be found on the app's Properties page (see this screenshot)
- `AZURE_TENANT_ID` - Azure account tenantId; can be found using the Azure Cloud Shell command `$ az account show`
- `AZURE_USERNAME` - Active Directory user's login (must have enough permissions to update the app)
- `AZURE_PASSWORD` - Active Directory user's password
Load the variables defined in `.envrc` using direnv or by simply running `$ source .envrc`, then deploy with:
`$ make deploy`