vendor_fabric.aws.sso

AWS IAM Identity Center (SSO) operations.

This module provides operations for managing AWS SSO users, groups, permission sets, and account assignments through IAM Identity Center.

Module Contents

Classes

AWSSSOmixin

Mixin providing AWS SSO/Identity Center operations.

API

class vendor_fabric.aws.sso.AWSSSOmixin

Mixin providing AWS SSO/Identity Center operations.

This mixin requires the base AWSConnector class to provide:

  • get_aws_client()

  • logger

  • execution_role_arn

get_identity_store_id(execution_role_arn: str | None = None) -> extended_data.containers.ExtendedString

Get the IAM Identity Center identity store ID.

Args:

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: The identity store ID.

Raises: RuntimeError: If no SSO instance is found.

get_sso_instance_arn(execution_role_arn: str | None = None) -> extended_data.containers.ExtendedString

Get the IAM Identity Center instance ARN.

Args:

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: The SSO instance ARN.

Raises: RuntimeError: If no SSO instance is found.

list_sso_users(identity_store_id: str | None = None, unhump_users: bool = True, flatten_name: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

List all users from IAM Identity Center.

Args:

  • identity_store_id: Identity store ID. Auto-detected if not provided.

  • unhump_users: Convert keys to snake_case. Defaults to True.

  • flatten_name: Flatten the Name sub-object into the user dict. Defaults to True.

  • sort_by_name: Sort users by UserName. Defaults to False.

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: Dictionary mapping user IDs to user data.

get_sso_user(user_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict | None

Get a specific SSO user by ID.

Args:

  • user_id: The user ID.

  • identity_store_id: Identity store ID. Auto-detected if not provided.

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: User dictionary or None if not found.

create_sso_user(user_name: str, display_name: str, given_name: str | None = None, family_name: str | None = None, emails: collections.abc.Sequence[collections.abc.Mapping[str, Any]] | None = None, identity_store_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Create a user in IAM Identity Center.

Args:

  • user_name: Unique username.

  • display_name: Display name.

  • given_name: First name.

  • family_name: Last name.

  • emails: List of email objects with Value, Type and Primary keys.

  • identity_store_id: Identity store ID. Auto-detected if not provided.

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: Created user response.

delete_sso_user(user_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) -> None

Delete a user from IAM Identity Center.

Args:

  • user_id: The user ID to delete.

  • identity_store_id: Identity store ID. Auto-detected if not provided.

  • execution_role_arn: ARN of the role to assume for cross-account access.

list_sso_groups(identity_store_id: str | None = None, unhump_groups: bool = True, expand_members: bool = False, users: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, sort_by_name: bool = False, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

List all groups from IAM Identity Center.

Args:

  • identity_store_id: Identity store ID. Auto-detected if not provided.

  • unhump_groups: Convert keys to snake_case. Defaults to True.

  • expand_members: Include full user data for members. Defaults to False.

  • users: Pre-fetched users dict for member expansion. Auto-fetched if needed.

  • sort_by_name: Sort groups by DisplayName. Defaults to False.

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: Dictionary mapping group IDs to group data with Members list/dict.

create_sso_group(display_name: str, description: str = '', identity_store_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Create a group in IAM Identity Center.

Args:

  • display_name: Group display name.

  • description: Group description.

  • identity_store_id: Identity store ID. Auto-detected if not provided.

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: Created group response.

delete_sso_group(group_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) -> None

Delete a group from IAM Identity Center.

Args:

  • group_id: The group ID to delete.

  • identity_store_id: Identity store ID. Auto-detected if not provided.

  • execution_role_arn: ARN of the role to assume for cross-account access.

add_user_to_group(user_id: str, group_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Add a user to an SSO group.

Args:

  • user_id: The user ID to add.

  • group_id: The group ID.

  • identity_store_id: Identity store ID. Auto-detected if not provided.

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: Membership response.

remove_user_from_group(membership_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) -> None

Remove a user from an SSO group.

Args:

  • membership_id: The membership ID to remove.

  • identity_store_id: Identity store ID. Auto-detected if not provided.

  • execution_role_arn: ARN of the role to assume for cross-account access.

list_permission_sets(instance_arn: str | None = None, include_inline_policy: bool = True, include_managed_policies: bool = True, unhump_sets: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

List all permission sets from IAM Identity Center.

Args:

  • instance_arn: SSO instance ARN. Auto-detected if not provided.

  • include_inline_policy: Fetch the inline policy for each set. Defaults to True.

  • include_managed_policies: Fetch the managed policies for each set. Defaults to True.

  • unhump_sets: Convert keys to snake_case. Defaults to True.

  • sort_by_name: Sort by permission set name. Defaults to False.

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: Dictionary mapping permission set ARNs to permission set data.

list_account_assignments(account_id: str, permission_set_arn: str, instance_arn: str | None = None, unhump_assignments: bool = True, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedList[extended_data.containers.ExtendedDict]

List account assignments for a permission set.

Args:

  • account_id: AWS account ID.

  • permission_set_arn: Permission set ARN.

  • instance_arn: SSO instance ARN. Auto-detected if not provided.

  • unhump_assignments: Convert keys to snake_case. Defaults to True.

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: List of account assignment dictionaries.
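The listing methods above (list_sso_users, list_sso_groups, list_account_assignments) return plain dictionaries whose keys have been "unhumped" to snake_case and, for users, whose Name sub-object has been flattened. The following is an added, offline example, not vendor_fabric code, that models those shapes with constructed data: a CamelCase-to-snake_case key converter, the Name flattening, and an entitlement review that joins group memberships to account assignments so that each (account, permission set) pair resolves to the individual users who hold it. The exact unhumped key names (user_id, members, principal_type, ...), the members-as-list shape, the sample IDs and ARNs are assumptions made for the example, not taken from the page.

```python
"""Offline model of the data shapes returned by the SSO listing methods.
Constructed example, not vendor_fabric code; key names and sample IDs are assumed."""
import re
from collections.abc import Mapping

# Split before an upper-case letter that follows a lower-case letter/digit,
# or before the last capital of an acronym run ("HTTPServer" -> "HTTP_Server").
_CAMEL = re.compile(r"(?<=[a-z0-9])(?=[A-Z])|(?<=[A-Z])(?=[A-Z][a-z])")


def unhump_key(key: str) -> str:
    """Convert an AWS CamelCase key to snake_case: 'PermissionSetArn' -> 'permission_set_arn'."""
    return _CAMEL.sub("_", key).lower()


def unhump(obj):
    """Recursively convert mapping keys to snake_case; lists are traversed, scalars returned as-is."""
    if isinstance(obj, Mapping):
        return {unhump_key(k): unhump(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [unhump(v) for v in obj]
    return obj


def flatten_name(user: dict) -> dict:
    """Lift the nested (already unhumped) 'name' sub-object into the user dict itself."""
    user = dict(user)
    user.update(user.pop("name", None) or {})
    return user


# Constructed sample data, shaped like identitystore / sso-admin responses (assumed shapes).
RAW_USERS = [
    {"UserId": "u-1", "UserName": "alice", "DisplayName": "Alice Example",
     "Name": {"GivenName": "Alice", "FamilyName": "Example"},
     "Emails": [{"Value": "alice@example.com", "Type": "work", "Primary": True}]},
    {"UserId": "u-2", "UserName": "bob", "DisplayName": "Bob Example",
     "Name": {"GivenName": "Bob", "FamilyName": "Example"}, "Emails": []},
]
# Members is assumed to be a list of user IDs, as with expand_members=False.
RAW_GROUPS = [
    {"GroupId": "g-admins", "DisplayName": "CloudAdmins", "Members": ["u-1"]},
    {"GroupId": "g-readers", "DisplayName": "Readers", "Members": ["u-1", "u-2"]},
]
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin"        # placeholder ARN
PS_READONLY = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-readonly"  # placeholder ARN
RAW_ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": PS_ADMIN, "PrincipalType": "GROUP", "PrincipalId": "g-admins"},
    {"AccountId": "111111111111", "PermissionSetArn": PS_READONLY, "PrincipalType": "GROUP", "PrincipalId": "g-readers"},
    {"AccountId": "222222222222", "PermissionSetArn": PS_ADMIN, "PrincipalType": "USER", "PrincipalId": "u-2"},
]


def build_users(raw_users):
    """Mirror list_sso_users(unhump_users=True, flatten_name=True): user_id -> user dict."""
    return {u["user_id"]: flatten_name(u) for u in (unhump(x) for x in raw_users)}


def build_groups(raw_groups):
    """Mirror list_sso_groups(unhump_groups=True): group_id -> group dict with a members list."""
    return {g["group_id"]: g for g in (unhump(x) for x in raw_groups)}


def resolve_assignments(assignments, groups):
    """Expand each assignment to the user IDs that effectively hold it.

    Returns {(account_id, permission_set_arn): {user_id: via}}, where via is
    'direct' for USER principals or the group ID the access is inherited from.
    A direct assignment takes precedence over an inherited one for the same user.
    """
    effective = {}
    for a in (unhump(x) for x in assignments):
        holders = effective.setdefault((a["account_id"], a["permission_set_arn"]), {})
        if a["principal_type"] == "USER":
            holders[a["principal_id"]] = "direct"
        elif a["principal_type"] == "GROUP":
            for member in groups.get(a["principal_id"], {}).get("members", []):
                holders.setdefault(member, a["principal_id"])
        else:
            raise ValueError(f"unknown principal type {a['principal_type']!r}")
    return effective


def direct_user_assignments(effective):
    """List (account, permission set, user) triples granted directly rather than through a group."""
    return sorted((acct, ps, uid) for (acct, ps), holders in effective.items()
                  for uid, via in holders.items() if via == "direct")


if __name__ == "__main__":
    users = build_users(RAW_USERS)
    effective = resolve_assignments(RAW_ASSIGNMENTS, build_groups(RAW_GROUPS))
    for (acct, ps), holders in sorted(effective.items()):
        for uid, via in sorted(holders.items()):
            print(f"{acct} {ps.rsplit('/', 1)[-1]:<12} {users[uid]['user_name']:<8} via {via}")
    print("direct user assignments:", direct_user_assignments(effective))
```

In a live run the constructed lists would be replaced by the outputs of list_sso_users(), list_sso_groups() and list_account_assignments(); the latter takes one account ID and one permission set ARN per call, so the assignment list is the concatenation of one call per (account, permission set) pair. Direct USER assignments are reported separately because they are the ones an access review most often needs to justify individually, whereas group-based grants are reviewed through group membership.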

create_account_assignment(account_id: str, permission_set_arn: str, principal_id: str, principal_type: str, instance_arn: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Create an account assignment.

Args:

  • account_id: AWS account ID.

  • permission_set_arn: Permission set ARN.

  • principal_id: User or group ID.

  • principal_type: 'USER' or 'GROUP'.

  • instance_arn: SSO instance ARN. Auto-detected if not provided.

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: Account assignment creation status.

delete_account_assignment(account_id: str, permission_set_arn: str, principal_id: str, principal_type: str, instance_arn: str | None = None, execution_role_arn: str | None = None) -> extended_data.containers.ExtendedDict

Delete an account assignment.

Args:

  • account_id: AWS account ID.

  • permission_set_arn: Permission set ARN.

  • principal_id: User or group ID.

  • principal_type: 'USER' or 'GROUP'.

  • instance_arn: SSO instance ARN. Auto-detected if not provided.

  • execution_role_arn: ARN of the role to assume for cross-account access.

Returns: Account assignment deletion status.