Can I configure to ignore Control Tower groups? #543
Hi @HansDonkersloot, I designed this tool to treat Google Workspace Directory (GWD) as the absolute single source of truth for all entities (Users, Groups, and Members) to ensure strict security and consistency. Because of this architecture, yes, the sync will typically attempt to remove any groups in AWS that do not exist in GWD, as having multiple sources of truth can cause conflicting overrides and security risks. For your specific use case with AWS Control Tower, I highly recommend checking out the official AWS integration guide: https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html. It is better suited for handling Control Tower's native groups alongside Google Workspace simultaneously.
Hello,
Coming here from trying to integrate SSO Sync into our AWS. The big blocker is that we use Control Tower, and Control Tower has custom groups and users that it has created. We want to ignore these groups for the sync, but I'm not clear from the docs whether filtering Google groups will only sync those particular groups.
e.g.
in AWS => AWSControlTowerAdmins, Developers
in Google => Developers
If I use
--gws-groups-filter 'name:Developers'
will it delete the AWSControlTowerAdmins group on its first run?