{"id":34539603,"url":"https://github.com/hops-ops/configuration-aws-identity-center","last_synced_at":"2025-12-27T07:55:26.266Z","repository":{"id":328860427,"uuid":"1098685708","full_name":"hops-ops/configuration-aws-identity-center","owner":"hops-ops","description":"Crossplane Configuration for AWS Identity Center","archived":false,"fork":false,"pushed_at":"2025-12-16T01:09:28.000Z","size":56,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-19T04:08:12.410Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Makefile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hops-ops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-11-18T02:31:52.000Z","updated_at":"2025-12-16T01:09:32.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/hops-ops/configuration-aws-identity-center","commit_stats":null,"previous_names":["hops-ops/configuration-aws-identity-center"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/hops-ops/configuration-aws-identity-center","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Fconfiguration-aws-identity-center","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Fconfiguration-aws-identity-center/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Fconfiguration-aws-identity-center/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Fconfiguration-aws-identity-center/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hops-ops","download_url":"https://codeload.github.com/hops-ops/configuration-aws-identity-center/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Fconfiguration-aws-identity-center/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":27996103,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-24T02:00:07.193Z","response_time":83,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-12-24T06:14:43.687Z","updated_at":"2025-12-24T06:14:43.742Z","avatar_url":"https://github.com/hops-ops.png","language":"Makefile","funding_links":[],"categories":[],"sub_categories":[],"readme":"# configuration-aws-identity-center\n\nManage AWS IAM Identity Center (SSO) as code. Define groups, users, permission sets, and account assignments in a single resource.\n\n## Why Identity Center?\n\n**Without Identity Center:**\n- IAM users with long-lived access keys\n- Separate credentials per account\n- No central audit of who accessed what\n- Password management nightmare\n\n**With Identity Center:**\n- Single sign-on across all AWS accounts\n- Time-limited credentials (no access keys)\n- Federate with Google, Okta, Azure AD\n- Central audit trail in CloudTrail\n- One place to revoke access\n\n## Prerequisites\n\nIdentity Center must be enabled manually in AWS (one-time setup):\n\n1. Go to [IAM Identity Center console](https://console.aws.amazon.com/singlesignon)\n2. Click **Enable** and choose **Enable with AWS Organizations**\n3. Note the **Instance ARN** and **Identity Store ID** from Settings\n\n## The Journey\n\n### Stage 1: Basic SSO Setup\n\nStart with a single admin group and permission set.\n\n**Why groups over direct user assignments?**\n- Easier to manage as team grows\n- Add/remove users without touching permission sets\n- Audit who has access via group membership\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: IdentityCenter\nmetadata:\n  name: my-sso\n  namespace: default\nspec:\n  managementPolicies: [\"*\"]\n  providerConfigName: default\n  region: us-east-1  # Must match where you enabled Identity Center\n\n  # From AWS console: IAM Identity Center \u003e Settings\n  identityStoreId: d-1234567890\n  identityCenter:\n    instanceArn: arn:aws:sso:::instance/ssoins-abcdef0123456789\n    sessionDuration: PT4H  # 4-hour sessions\n\n  groups:\n    - name: Administrators\n      description: Full administrative access\n\n  permissionSets:\n    - name: AdministratorAccess\n      description: Full admin access\n      managedPolicies:\n        - arn:aws:iam::aws:policy/AdministratorAccess\n      assignToGroups: [Administrators]\n      assignToAccounts: [\"123456789012\"]  # Your account ID\n```\n\n### Stage 2: Add Users\n\nCreate local users in Identity Store. They'll receive email invitations to set up passwords.\n\n**Why local users?**\n- Quick to get started\n- No external IdP setup required\n- Can migrate to federated later\n\n```yaml\nusers:\n  - username: admin\n    email: admin@acme.example.com\n    firstName: Admin\n    lastName: User\n    groups: [Administrators]\n\n  - username: alice\n    email: alice@acme.example.com\n    firstName: Alice\n    lastName: Engineer\n    groups: [Developers]\n```\n\n### Stage 3: Role-Based Access\n\nDifferent teams need different access levels. Create groups and permission sets for each role.\n\n**Recommended structure:**\n- **Administrators** - Full access, short sessions\n- **Developers** - PowerUser without IAM, longer sessions\n- **ReadOnly** - View-only for auditors and support\n- **SecurityAudit** - Security team cross-account access\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: IdentityCenter\nmetadata:\n  name: acme-sso\n  namespace: default\nspec:\n  managementPolicies: [\"*\"]\n  providerConfigName: default\n  region: us-east-1\n  identityStoreId: d-1234567890\n  identityCenter:\n    instanceArn: arn:aws:sso:::instance/ssoins-abcdef0123456789\n\n  groups:\n    - name: Administrators\n      description: Platform team - full access\n    - name: Developers\n      description: Engineering - deploy and debug\n    - name: ReadOnly\n      description: Support and auditors\n    - name: SecurityTeam\n      description: Security engineers\n\n  users:\n    - username: platform-admin\n      email: platform@acme.example.com\n      firstName: Platform\n      lastName: Admin\n      groups: [Administrators]\n\n    - username: alice\n      email: alice@acme.example.com\n      firstName: Alice\n      lastName: Engineer\n      groups: [Developers]\n\n    - username: bob\n      email: bob@acme.example.com\n      firstName: Bob\n      lastName: Support\n      groups: [ReadOnly]\n\n  permissionSets:\n    - name: AdministratorAccess\n      description: Full admin - use sparingly\n      sessionDuration: PT2H  # Short sessions for safety\n      managedPolicies:\n        - arn:aws:iam::aws:policy/AdministratorAccess\n      assignToGroups: [Administrators]\n      assignToAccounts: [\"111111111111\", \"222222222222\"]\n\n    - name: DeveloperAccess\n      description: Deploy and debug without IAM\n      sessionDuration: PT8H  # Longer for productivity\n      managedPolicies:\n        - arn:aws:iam::aws:policy/PowerUserAccess\n      assignToGroups: [Developers]\n      assignToAccounts: [\"222222222222\"]  # Dev account only\n\n    - name: ViewOnlyAccess\n      description: Read-only for support\n      sessionDuration: PT1H\n      managedPolicies:\n        - arn:aws:iam::aws:policy/ViewOnlyAccess\n      assignToGroups: [ReadOnly]\n      assignToAccounts: [\"111111111111\", \"222222222222\"]\n\n    - name: SecurityAudit\n      description: Security team audit access\n      managedPolicies:\n        - arn:aws:iam::aws:policy/SecurityAudit\n      assignToGroups: [SecurityTeam]\n      assignToAccounts: [\"111111111111\", \"222222222222\"]\n```\n\n### Stage 4: Custom Policies\n\nNeed more granular control? Use inline policies or customer-managed policies.\n\n**When to use each:**\n- **Managed policies** - AWS-provided, broad permissions\n- **Inline policies** - Custom restrictions, deny statements\n- **Customer-managed** - Reusable custom policies in IAM\n\n```yaml\npermissionSets:\n  - name: RestrictedDeveloper\n    description: Developer with guardrails\n    sessionDuration: PT8H\n    managedPolicies:\n      - arn:aws:iam::aws:policy/PowerUserAccess\n    # Add restrictions via inline policy\n    inlinePolicy: |\n      {\n        \"Version\": \"2012-10-17\",\n        \"Statement\": [\n          {\n            \"Effect\": \"Deny\",\n            \"Action\": [\n              \"iam:*\",\n              \"organizations:*\",\n              \"aws-portal:*\"\n            ],\n            \"Resource\": \"*\"\n          },\n          {\n            \"Effect\": \"Deny\",\n            \"Action\": \"ec2:*\",\n            \"Resource\": \"*\",\n            \"Condition\": {\n              \"StringNotEquals\": {\n                \"ec2:Region\": [\"us-east-1\", \"us-west-2\"]\n              }\n            }\n          }\n        ]\n      }\n    assignToGroups: [Developers]\n    assignToAccounts: [\"222222222222\"]\n```\n\n### Stage 5: Import Existing Resources\n\nAlready have Identity Center configured? Import existing groups, users, and permission sets.\n\n**Why import?**\n- Preserve existing configurations\n- No disruption to current access\n- Gradually bring under Crossplane management\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: IdentityCenter\nmetadata:\n  name: existing-sso\n  namespace: default\nspec:\n  managementPolicies: [\"Create\", \"Observe\", \"Update\", \"LateInitialize\"]\n  providerConfigName: default\n  region: us-east-1\n  identityStoreId: d-1234567890\n  identityCenter:\n    instanceArn: arn:aws:sso:::instance/ssoins-abcdef0123456789\n\n  groups:\n    - name: Administrators\n      # Import existing group by ID\n      externalName: d1fb9590-0091-7072-55a4-dd0778f5d5cb\n      managementPolicies: [\"Create\", \"Observe\", \"Update\", \"LateInitialize\"]\n\n  users:\n    - username: admin\n      email: admin@acme.example.com\n      firstName: Admin\n      lastName: User\n      # Import existing user\n      externalName: 217be550-1051-7016-a428-1864e5e57e75\n      managementPolicies: [\"Create\", \"Observe\", \"Update\", \"LateInitialize\"]\n      groups: [Administrators]\n      # Import existing group membership\n      groupMembershipExternalNames:\n        Administrators: 115b85b0-f0c1-70ae-802f-41695fa2f655\n\n  permissionSets:\n    - name: AdministratorAccess\n      # Format: PERMISSION_SET_ARN,INSTANCE_ARN\n      externalName: arn:aws:sso:::permissionSet/ssoins-abcdef/ps-12345678,arn:aws:sso:::instance/ssoins-abcdef\n      managementPolicies: [\"Create\", \"Observe\", \"Update\", \"LateInitialize\"]\n      managedPolicies:\n        - arn:aws:iam::aws:policy/AdministratorAccess\n```\n\n## Accessing AWS\n\nAfter Identity Center is ready:\n\n1. Get the AWS Access Portal URL from IAM Identity Center \u003e Settings\n2. Users receive email invitations to set passwords\n3. Sign in at the portal URL\n4. Select an account and permission set\n5. Click \"Management console\" or get CLI credentials\n\n## Status\n\nIdentityCenter exposes IDs for debugging and downstream use:\n\n```yaml\nstatus:\n  identityCenter:\n    instanceArn: arn:aws:sso:::instance/ssoins-abcdef\n    ready: true\n  identityStore:\n    id: d-1234567890\n    groups:\n      - name: Administrators\n        id: d1fb9590-0091-7072-55a4-dd0778f5d5cb\n    users:\n      - name: admin\n        id: 217be550-1051-7016-a428-1864e5e57e75\n  permissionSets:\n    - name: AdministratorAccess\n      arn: arn:aws:sso:::permissionSet/ssoins-abcdef/ps-12345678\n```\n\n## Recommendations\n\n1. **Use groups, not direct user assignments** - Easier to manage at scale\n2. **Short sessions for admin access** - PT2H or less for AdministratorAccess\n3. **Longer sessions for daily work** - PT8H for developers improves productivity\n4. **Deny dangerous actions via inline policy** - Add guardrails to PowerUserAccess\n5. **Don't delete users from Identity Store** - Orphan them with managementPolicies instead\n6. **Federate when ready** - Start with local users, migrate to IdP later\n\n## Development\n\n```bash\nmake render              # Render default example\nmake test                # Run tests\nmake validate            # Validate compositions\nmake e2e                 # E2E tests\n```\n\n## License\n\nApache-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhops-ops%2Fconfiguration-aws-identity-center","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhops-ops%2Fconfiguration-aws-identity-center","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhops-ops%2Fconfiguration-aws-identity-center/lists"}