• About Us
  • Contact Us

How to Use IAM Identity Center APIs to Audit and Manage Application Assignments

Do you know what importance the IAM Identity Center holds? If not, don’t worry! Stay with us, and we will guide you through everything regarding this. For starters, let us discuss what this center does. Consider the IAM Identity Center a literal center where all your workforce users are connected or created. The access of these connected users to various AWS applications and accounts is managed centrally by you.

AWS Managed Applications

For instance, you want to use any AWS application and want only specific users and groups to have permission to access that application. What would you do? The simplest solution here is to configure AWS-managed applications so you can work directly with the IAM Identity Center within your chosen application’s console. Previously, all the work was done manually by assigning users and groups to an application using the IAM Identity Center console. Following the latest trends, you can now use IAM Identity Center APIs to automate this task to enhance efficiency.

An account assignment API is used to automate the task of multi-account access and auditing access assigned to specific users. One can use this API using the permission sets of the IAM Identity Center. New and latest APIs offer much more than you can imagine. What if I say you can programmatically control the authority to assign applications to the users and related groups with these new APIs? Convenient. In addition to this, automated workflows can also easily be created for audit.

The AWS-managed applications don’t have to go anywhere else to access the information regarding users and groups. Their task has been made easier with the help of the IAM Identity Center. If you want to dive deep into AWS-managed applications, let’s take the example of Amazon Redshift. 

The workflow goes like this: you use the IAM Identity Center to configure Redshift as a managed application. Whenever any user tries to access the database, mapping memberships defined in the IAM Identity Center and Redshift database takes place, which helps grant specific permissions. This approach will remove the burden of manually setting database-object permissions for every user. 

IAM Identity Center and Amazon Redshift Integration

The assignment and removal tasks of all users and groups will be automated once you successfully integrate the IAM Identity Center and Amazon Redshift. For this, you will need to use two APIs.

  • Delete Application Assignment
  • Create Application Assignment

Prerequisites

In order to assign a group to Amazon Redshift and delete that group assignment as well, you will need to use Identity Center APIs by keeping in mind the following prerequisites.

  • Enable IAM Identity Center
  • For your identity data, use Identity Store
  • In case of external identity provider, the processes of user creation and deletion must be handled
  • You will need to provide an explicit assignment as soon as you make IAM Identity Center the identity source of Amazon Redshift. APIs or Identity Center console can make this explicit assignment task easier
  • Install the version 2 of AWS CLI and configure it accordingly as it will be helpful in calling Identity Center application assignment API

Steps

The below mentioned steps will lead you to a successful procedure.

STEP 1 – Acquire Identity Center’s Instance Information

aws sso-admin list-instances

After running this command you will have the Amazon Resource Name. Along with this the identity store ID of your current instance will also be shown to you.

You will get the output like this.

{

  "Instances": [

      {

          "InstanceArn": "YourAmazonResourceName",

          "IdentityStoreId": "YourInstanceStoreID",

          "OwnerAccountId": "YourAccountDetails",

          "Name": "YourInstanceName",

          "CreatedDate": "CreationDateOfYourInstance",

          "State": {

              "Name": "ACTIVE"

          },

          "Status": "ACTIVE"

      }

  ],

  "NextToken": <<TOKEN>>

}

On Console 

On AWS Console you can acquire Identity Center’s instance information by navigating to dashboard :

STEP 2 – Creating Group and User in Identity Store

  • For existing group

It might be possible that you already have a group created in your Identity Store. If this is so, you only need to know the group ID of the already formed group. You can do this by the following command.

aws identitystore get-group-id --identity-store-id “YourInstanceStoreID” –alternate-identifier “GroupName”
  • For creating a new user

If you are new and haven’t created any user yet then you can do so by utilizing the IdentityStoreId from the previous step.

aws identitystore create-user --identity-store-id “YourInstanceStoreID” --user-name "YourUserName" --emails Value="YourUserName@example.com",Type="Work",Primary=true —display-name "My User" —name FamilyName="User",GivenName="My"

This will be the relevant output.

{

             "UserId": "********-****-****-****-************", (In this format)

             "IdentityStoreId": "YourInstanceStoreID"

}
  • For creating a new group

If you don’t have any pre-existing groups made then you can create one for yourself.

aws identitystore create-group --identity-store-id “YourInstanceStoreID”  --display-name engineering

This will be the relevant output.

{

    "GroupId": "********-****-****-****-************", (In this format)

    "IdentityStoreId": "YourInstanceStoreID"

}
  • Adding user to the group

To add users to any specific group, run the below-mentioned command.

aws identitystore create-group-membership --identity-store-id “YourInstanceStoreID” --group-id ********-****-****-****-************ --member-id UserId=********-****-****-****-************

This will be the relevant output.

{

    "MembershipId":"********-****-****-****-************", (In this format)

    "IdentityStoreId": "YourInstanceStoreID"

}

On Console 

Navigate to either the users or groups and you can create the new one’s there and add the required information:

STEP 3 – Acquire Application’s ARN

In order to determine the ARN of your application, run the following command.

aws sso-admin list-applications --instance-arn "arn:aws:sso:::instance/ssoins-****************"

You may be using more than one application at a time. To deal with this situation, you need to use the filter flag. Select the application you want the information for, and you will be ready.

In case of a single application (Amazon Redshift in this case), the output should be something like this.

{

    "ApplicationArn": "arn:aws:sso:::instance/ssoins-****************/apl-***************",

    "ApplicationProviderArn": "arn:aws:sso::aws:applicationProvider/Redshift",

         "Name": "Amazon Redshift",

    "InstanceArn": "arn:aws:sso:::instance/ssoins-****************",

    "Status": "DISABLED",

         "PortalOptions": {

        "Visible": true,

        "Visibility": "ENABLED",

        "SignInOptions": {

            "Origin": "IDENTITY_CENTER"

         }

         },

    "AssignmentConfig": {

        "AssignmentRequired": true

         },

         "Description": "Amazon Redshift",

    "CreatedDate": "2023-10-09T10:48:44.496000-07:00"

}

On Console:

You can directly navigate to settings in IAM Console and copy identity store ID and arn  :

STEP 4 – Adding Group to the Application (Amazon Redshift)

At this stage, the Amazon Redshift application is being managed by IAM Identity Center so you can easily add a group to this application.

aws sso-admin create-application-assignment --application-arn "arn:aws:sso:::instance/ssoins-****************/apl-***************" --principal-id "********-****-****-****-************" --principal-type "GROUP"

Well, the good news is that your group has been added to the Redshift application but of course with default permissions. To grant further permissions, you will have to create roles. 

Creating roles in Amazon Redshift

To create roles in Amazon Redshift you have to connect to your cluster and run relevant SQL commands. There are two options to do this.

  • Use query editor version 2 to connect to Amazon Redshift
  • Use python tools, JDBC (Java Database Connectivity), or ODBC (Open Database Connectivity) to connect to Amazon Redshift

The public schemas of databases provide users with create and usage permissions by default. If you want to stop the users from creating a new object in the public schema, use the REVOKE command to do so. You can also create roles by running the following command.

CREATE ROLE <identitycenternamespace:rolename>;

You must specify the group name you created in the IAM Identity Center in the role name. After successfully integrating the Amazon Redshift and I AM Identity Center, you will be assigned an IdentityProviderNamespace.

STEP 5 – Removing Application Assignment

If you don’t want the group to have access to the Redshift application, then you can do so. But remember one thing: the group will remain a part of the IAM Identity Center.

Reviewing the application’s documentation after you add or remove any user or group is recommended. It is also essential to remove the corresponding roles from the Amazon Redshift application. To do this, use the DROP role command.

Auditing User and Group Access to Application

The latest API also helps you with auditing application assignments. ListApplicationAssignments is the new API using which you can see the currently assigned groups to the Amazon Redshift application.

aws sso-admin list-application-assignments --application-arn arn:aws:sso::****************:application/ssoins-****************/apl-**************** 

The relevant output will be shown to you.

{

    "ApplicationAssignments": [

         {

"ApplicationArn": "arn:aws:sso::****************:application/ssoins-****************/apl-****************",

        "PrincipalId": "********-****-****-****-************",

        "PrincipalType": "GROUP"

         }

         ]

}

But this is the output for a single application. If you have multiple applications running then create a script and run it periodically in AWS Lambda function. You can also refer to the documentation of this process out there.

Conclusion

In this informative article, you came across the process of using IAM Identity Center APIs to add and remove users and groups from the application. Moreover, you learned about the integration of Amazon Redshift with the IAM Identity Center. We hope you acquired sufficient knowledge about the automation of IAM Identity Center. Stay tuned with us to know more and get your cloud queries and troubles fixed with the help of SUDO Consultants!