vendor_fabric.aws.sso¶
AWS IAM Identity Center (SSO) operations.
This module provides operations for managing AWS SSO users, groups, permission sets, and account assignments through IAM Identity Center.
Module Contents¶
Classes¶
AWSSSOmixin: Mixin providing AWS SSO/Identity Center operations.
API¶
- class vendor_fabric.aws.sso.AWSSSOmixin¶
Mixin providing AWS SSO/Identity Center operations.
This mixin requires the base AWSConnector class to provide:
- get_aws_client()
- logger
- execution_role_arn
- get_identity_store_id(execution_role_arn: str | None = None) extended_data.containers.ExtendedString¶
Get the IAM Identity Center identity store ID.
Args: execution_role_arn: ARN of role to assume for cross-account access.
Returns: The identity store ID.
Raises: RuntimeError: If no SSO instance found.
- get_sso_instance_arn(execution_role_arn: str | None = None) extended_data.containers.ExtendedString¶
Get the IAM Identity Center instance ARN.
Args: execution_role_arn: ARN of role to assume for cross-account access.
Returns: The SSO instance ARN.
Raises: RuntimeError: If no SSO instance found.
- list_sso_users(identity_store_id: str | None = None, unhump_users: bool = True, flatten_name: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) extended_data.containers.ExtendedDict¶
List all users from IAM Identity Center.
Args:
- identity_store_id: Identity store ID. Auto-detected if not provided.
- unhump_users: Convert keys to snake_case. Defaults to True.
- flatten_name: Flatten the Name sub-object into the user dict. Defaults to True.
- sort_by_name: Sort users by UserName. Defaults to False.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Dictionary mapping user IDs to user data.
- get_sso_user(user_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) extended_data.containers.ExtendedDict | None¶
Get a specific SSO user by ID.
Args:
- user_id: The user ID.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: User dictionary or None if not found.
- create_sso_user(user_name: str, display_name: str, given_name: str | None = None, family_name: str | None = None, emails: collections.abc.Sequence[collections.abc.Mapping[str, Any]] | None = None, identity_store_id: str | None = None, execution_role_arn: str | None = None) extended_data.containers.ExtendedDict¶
Create a user in IAM Identity Center.
Args:
- user_name: Unique username.
- display_name: Display name.
- given_name: First name.
- family_name: Last name.
- emails: List of email objects with Value, Type, Primary keys.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Created user response.
- delete_sso_user(user_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) None¶
Delete a user from IAM Identity Center.
Args:
- user_id: The user ID to delete.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
- list_sso_groups(identity_store_id: str | None = None, unhump_groups: bool = True, expand_members: bool = False, users: collections.abc.Mapping[str, collections.abc.Mapping[str, Any]] | None = None, sort_by_name: bool = False, execution_role_arn: str | None = None) extended_data.containers.ExtendedDict¶
List all groups from IAM Identity Center.
Args:
- identity_store_id: Identity store ID. Auto-detected if not provided.
- unhump_groups: Convert keys to snake_case. Defaults to True.
- expand_members: Include full user data for members. Defaults to False.
- users: Pre-fetched users dict for member expansion. Auto-fetched if needed.
- sort_by_name: Sort groups by DisplayName. Defaults to False.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Dictionary mapping group IDs to group data. Each group carries a Members entry, which is expanded to the full user data of each member when expand_members is True.
- create_sso_group(display_name: str, description: str = '', identity_store_id: str | None = None, execution_role_arn: str | None = None) extended_data.containers.ExtendedDict¶
Create a group in IAM Identity Center.
Args:
- display_name: Group display name.
- description: Group description.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Created group response.
- delete_sso_group(group_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) None¶
Delete a group from IAM Identity Center.
Args:
- group_id: The group ID to delete.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
- add_user_to_group(user_id: str, group_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) extended_data.containers.ExtendedDict¶
Add a user to an SSO group.
Args:
- user_id: The user ID to add.
- group_id: The group ID.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Membership response, including the membership ID that remove_user_from_group requires.
- remove_user_from_group(membership_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) None¶
Remove a user from an SSO group.
Args:
- membership_id: The group membership ID to remove. This is the membership ID returned in the response from add_user_to_group, not the user ID or group ID.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
- list_permission_sets(instance_arn: str | None = None, include_inline_policy: bool = True, include_managed_policies: bool = True, unhump_sets: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) extended_data.containers.ExtendedDict¶
List all permission sets from IAM Identity Center.
Args:
- instance_arn: SSO instance ARN. Auto-detected if not provided.
- include_inline_policy: Fetch inline policy for each set. Defaults to True.
- include_managed_policies: Fetch managed policies for each set. Defaults to True.
- unhump_sets: Convert keys to snake_case. Defaults to True.
- sort_by_name: Sort by permission set name. Defaults to False.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Dictionary mapping permission set ARNs to permission set data.
- list_account_assignments(account_id: str, permission_set_arn: str, instance_arn: str | None = None, unhump_assignments: bool = True, execution_role_arn: str | None = None) extended_data.containers.ExtendedList[extended_data.containers.ExtendedDict]¶
List account assignments for a permission set.
Args:
- account_id: AWS account ID.
- permission_set_arn: Permission set ARN.
- instance_arn: SSO instance ARN. Auto-detected if not provided.
- unhump_assignments: Convert keys to snake_case. Defaults to True.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: List of account assignment dictionaries.
- create_account_assignment(account_id: str, permission_set_arn: str, principal_id: str, principal_type: str, instance_arn: str | None = None, execution_role_arn: str | None = None) extended_data.containers.ExtendedDict¶
Create an account assignment.
Args:
- account_id: AWS account ID.
- permission_set_arn: Permission set ARN.
- principal_id: User or group ID.
- principal_type: 'USER' or 'GROUP'.
- instance_arn: SSO instance ARN. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Account assignment creation status. The underlying AWS operation is asynchronous, so the returned status may still be IN_PROGRESS rather than SUCCEEDED.
- delete_account_assignment(account_id: str, permission_set_arn: str, principal_id: str, principal_type: str, instance_arn: str | None = None, execution_role_arn: str | None = None) extended_data.containers.ExtendedDict¶
Delete an account assignment.
Args:
- account_id: AWS account ID.
- permission_set_arn: Permission set ARN.
- principal_id: User or group ID.
- principal_type: 'USER' or 'GROUP'.
- instance_arn: SSO instance ARN. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Account assignment deletion status. The underlying AWS operation is asynchronous, so the returned status may still be IN_PROGRESS rather than SUCCEEDED.
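The group-membership methods and the account-assignment methods above are used together when a user leaves: access can reach the user through group memberships (revoked with remove_user_from_group, which needs the membership ID rather than the user ID) and through direct USER assignments (revoked with delete_account_assignment). The following is an added example, not vendor_fabric code. The connector is duck-typed: any object exposing the mixin's list_sso_groups, list_permission_sets, list_account_assignments, remove_user_from_group and delete_account_assignment methods works, and a recording stand-in is used here so the example runs offline. The snake_case keys (members, member_id.user_id, membership_id, principal_id, principal_type, status, failure_reason) are assumptions about the unhump_* output, and all IDs, ARNs and account numbers are constructed placeholders.

```python
"""Offboard a user from IAM Identity Center via AWSSSOmixin methods (added example)."""
from typing import Any


def plan_offboarding(sso: Any, user_id: str, account_ids: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Collect what grants this user access: group memberships and direct USER assignments."""
    memberships: list[tuple[str, str]] = []
    for group_id, group in sso.list_sso_groups().items():
        for member in group.get("members") or []:          # assumed key names
            if member.get("member_id", {}).get("user_id") == user_id:
                memberships.append((group_id, member["membership_id"]))
    # list_account_assignments is scoped to one (account, permission set) pair,
    # so direct assignments have to be searched pair by pair.
    assignments: list[tuple[str, str]] = []
    for account_id in account_ids:
        for ps_arn in sso.list_permission_sets(include_inline_policy=False, include_managed_policies=False):
            for a in sso.list_account_assignments(account_id, ps_arn):
                if a.get("principal_type") == "USER" and a.get("principal_id") == user_id:
                    assignments.append((account_id, ps_arn))
    return {"memberships": memberships, "assignments": assignments}


def apply_offboarding(sso: Any, user_id: str, plan: dict[str, list[tuple[str, str]]],
                      dry_run: bool = True) -> list[str]:
    """Revoke everything in the plan; with dry_run=True only describe the actions."""
    actions: list[str] = []
    for group_id, membership_id in plan["memberships"]:
        actions.append(f"remove membership {membership_id} from group {group_id}")
        if not dry_run:
            sso.remove_user_from_group(membership_id)  # membership ID, not the user ID
    for account_id, ps_arn in plan["assignments"]:
        actions.append(f"delete USER assignment {ps_arn} in account {account_id}")
        if not dry_run:
            status = sso.delete_account_assignment(account_id, ps_arn, user_id, "USER")
            # AWS processes assignment changes asynchronously: IN_PROGRESS is not yet
            # done, FAILED is final and must not be silently ignored.
            if status.get("status") == "FAILED":
                raise RuntimeError(f"assignment deletion failed: {status.get('failure_reason')}")
    return actions


class FakeSsoConnector:
    """Offline stand-in for an AWSSSOmixin connector; records mutating calls instead of calling AWS."""

    def __init__(self, groups, permission_sets, assignments):
        self._groups, self._permission_sets, self._assignments = groups, permission_sets, assignments
        self.calls: list[tuple] = []

    def list_sso_groups(self, **_): return self._groups
    def list_permission_sets(self, **_): return self._permission_sets
    def list_account_assignments(self, account_id, permission_set_arn, **_):
        return self._assignments.get((account_id, permission_set_arn), [])
    def remove_user_from_group(self, membership_id, **_):
        self.calls.append(("remove_user_from_group", membership_id))
    def delete_account_assignment(self, account_id, permission_set_arn, principal_id, principal_type, **_):
        self.calls.append(("delete_account_assignment", account_id, permission_set_arn, principal_id, principal_type))
        return {"status": "IN_PROGRESS", "request_id": "req-constructed"}


# Constructed sample data: IDs, ARNs and account numbers are placeholders.
DEV_PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-dev"
ADMIN_PS = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-admin"
PROD, SANDBOX = "111111111111", "222222222222"


def make_sample_connector() -> FakeSsoConnector:
    groups = {
        "g-dev": {"display_name": "developers", "members": [
            {"membership_id": "m-1", "member_id": {"user_id": "u-alice"}},
            {"membership_id": "m-2", "member_id": {"user_id": "u-bob"}}]},
        "g-admins": {"display_name": "admins", "members": [
            {"membership_id": "m-3", "member_id": {"user_id": "u-bob"}}]},
    }
    permission_sets = {DEV_PS: {"name": "Developer"}, ADMIN_PS: {"name": "Admin"}}
    assignments = {
        (PROD, ADMIN_PS): [{"principal_type": "GROUP", "principal_id": "g-admins"},
                           {"principal_type": "USER", "principal_id": "u-bob"}],   # direct grant: revoke
        (SANDBOX, DEV_PS): [{"principal_type": "GROUP", "principal_id": "g-dev"}],  # via group: keep
    }
    return FakeSsoConnector(groups, permission_sets, assignments)


if __name__ == "__main__":
    sso = make_sample_connector()
    plan = plan_offboarding(sso, "u-bob", [PROD, SANDBOX])
    for action in apply_offboarding(sso, "u-bob", plan, dry_run=True):
        print("[dry-run]", action)
```

Only the user's own memberships and direct USER assignments are revoked; the GROUP assignment that gave g-admins access stays in place for the remaining members. Removing access this way prevents new sessions, but role credentials already vended to the user in an account remain valid until that permission set's session duration expires, which is why short session durations matter for offboarding.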