vendor_connectors.aws.sso
AWS IAM Identity Center (SSO) operations.
This module provides operations for managing AWS SSO users, groups, permission sets, and account assignments through IAM Identity Center.
Module Contents
Classes
| AWSSSOmixin | Mixin providing AWS SSO/Identity Center operations. |
|---|---|
class vendor_connectors.aws.sso.AWSSSOmixin
Mixin providing AWS SSO/Identity Center operations.
This mixin requires the base AWSConnector class to provide:
- get_aws_client()
- logger
- execution_role_arn
get_identity_store_id(execution_role_arn: str | None = None) → str
Get the IAM Identity Center identity store ID.
Args: execution_role_arn: ARN of role to assume for cross-account access.
Returns: The identity store ID.
Raises: RuntimeError: If no SSO instance is found.
get_sso_instance_arn(execution_role_arn: str | None = None) → str
Get the IAM Identity Center instance ARN.
Args: execution_role_arn: ARN of role to assume for cross-account access.
Returns: The SSO instance ARN.
Raises: RuntimeError: If no SSO instance is found.
list_sso_users(identity_store_id: str | None = None, unhump_users: bool = True, flatten_name: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) → dict[str, dict[str, Any]]
List all users from IAM Identity Center.
Args:
- identity_store_id: Identity store ID. Auto-detected if not provided.
- unhump_users: Convert keys to snake_case. Defaults to True.
- flatten_name: Flatten Name sub-object into user dict. Defaults to True.
- sort_by_name: Sort users by UserName. Defaults to False.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Dictionary mapping user IDs to user data.
get_sso_user(user_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) → dict[str, Any] | None
Get a specific SSO user by ID.
Args:
- user_id: The user ID.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: User dictionary or None if not found.
create_sso_user(user_name: str, display_name: str, given_name: str | None = None, family_name: str | None = None, emails: list[dict[str, Any]] | None = None, identity_store_id: str | None = None, execution_role_arn: str | None = None) → dict[str, Any]
Create a user in IAM Identity Center.
Args:
- user_name: Unique username.
- display_name: Display name.
- given_name: First name.
- family_name: Last name.
- emails: List of email objects with Value, Type, Primary keys.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Created user response.
delete_sso_user(user_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) → None
Delete a user from IAM Identity Center.
Args:
- user_id: The user ID to delete.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
list_sso_groups(identity_store_id: str | None = None, unhump_groups: bool = True, expand_members: bool = False, users: dict[str, dict[str, Any]] | None = None, sort_by_name: bool = False, execution_role_arn: str | None = None) → dict[str, dict[str, Any]]
List all groups from IAM Identity Center.
Args:
- identity_store_id: Identity store ID. Auto-detected if not provided.
- unhump_groups: Convert keys to snake_case. Defaults to True.
- expand_members: Include full user data for members. Defaults to False.
- users: Pre-fetched users dict for member expansion. Auto-fetched if needed.
- sort_by_name: Sort groups by DisplayName. Defaults to False.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Dictionary mapping group IDs to group data with Members list/dict.
_get_group_members(group_id: str, identity_store_id: str, identitystore: Any, expand_members: bool = False, users: dict[str, dict[str, Any]] | None = None) → list[str] | dict[str, dict[str, Any]]
Get members of an SSO group.
Args:
- group_id: The group ID.
- identity_store_id: Identity store ID.
- identitystore: Pre-created identitystore client.
- expand_members: Return full user data instead of just IDs.
- users: Pre-fetched users dict for expansion.
Returns: List of user IDs or dict mapping user IDs to user data.
create_sso_group(display_name: str, description: str = '', identity_store_id: str | None = None, execution_role_arn: str | None = None) → dict[str, Any]
Create a group in IAM Identity Center.
Args:
- display_name: Group display name.
- description: Group description.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Created group response.
delete_sso_group(group_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) → None
Delete a group from IAM Identity Center.
Args:
- group_id: The group ID to delete.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
add_user_to_group(user_id: str, group_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) → dict[str, Any]
Add a user to an SSO group.
Args:
- user_id: The user ID to add.
- group_id: The group ID.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Membership response.
remove_user_from_group(membership_id: str, identity_store_id: str | None = None, execution_role_arn: str | None = None) → None
Remove a user from an SSO group.
Args:
- membership_id: The membership ID to remove.
- identity_store_id: Identity store ID. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
list_permission_sets(instance_arn: str | None = None, include_inline_policy: bool = True, include_managed_policies: bool = True, unhump_sets: bool = True, sort_by_name: bool = False, execution_role_arn: str | None = None) → dict[str, dict[str, Any]]
List all permission sets from IAM Identity Center.
Args:
- instance_arn: SSO instance ARN. Auto-detected if not provided.
- include_inline_policy: Fetch inline policy for each set. Defaults to True.
- include_managed_policies: Fetch managed policies for each set. Defaults to True.
- unhump_sets: Convert keys to snake_case. Defaults to True.
- sort_by_name: Sort by permission set name. Defaults to False.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Dictionary mapping permission set ARNs to permission set data.
_get_managed_policies_for_permission_set(instance_arn: str, permission_set_arn: str, sso_admin: Any) → list[dict[str, Any]]
Get managed policies attached to a permission set.
list_account_assignments(account_id: str, permission_set_arn: str, instance_arn: str | None = None, unhump_assignments: bool = True, execution_role_arn: str | None = None) → list[dict[str, Any]]
List account assignments for a permission set.
Args:
- account_id: AWS account ID.
- permission_set_arn: Permission set ARN.
- instance_arn: SSO instance ARN. Auto-detected if not provided.
- unhump_assignments: Convert keys to snake_case. Defaults to True.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: List of account assignment dictionaries.
create_account_assignment(account_id: str, permission_set_arn: str, principal_id: str, principal_type: str, instance_arn: str | None = None, execution_role_arn: str | None = None) → dict[str, Any]
Create an account assignment.
Args:
- account_id: AWS account ID.
- permission_set_arn: Permission set ARN.
- principal_id: User or group ID.
- principal_type: 'USER' or 'GROUP'.
- instance_arn: SSO instance ARN. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Account assignment creation status.
delete_account_assignment(account_id: str, permission_set_arn: str, principal_id: str, principal_type: str, instance_arn: str | None = None, execution_role_arn: str | None = None) → dict[str, Any]
Delete an account assignment.
Args:
- account_id: AWS account ID.
- permission_set_arn: Permission set ARN.
- principal_id: User or group ID.
- principal_type: 'USER' or 'GROUP'.
- instance_arn: SSO instance ARN. Auto-detected if not provided.
- execution_role_arn: ARN of role to assume for cross-account access.
Returns: Account assignment deletion status.
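An added example, not part of this module, that consumes the return values documented above for list_sso_users(), list_sso_groups() and list_account_assignments() to answer the access-review question these methods support: which users effectively hold a permission set in an account once GROUP assignments are expanded, which users are assigned directly rather than through a group, and which assignments point at principals that no longer exist. It assumes the unhump_* options turn the AWS CamelCase keys into snake_case (principal_id, members) and uses constructed placeholder IDs and ARNs instead of live API calls.

```python
# Constructed sample data shaped like the documented return values of list_sso_users(),
# list_sso_groups() and list_account_assignments(). Assumption: unhump_*=True turns the
# AWS keys into snake_case (PrincipalId -> principal_id). IDs and the ARN are placeholders.
PS_ADMIN = "arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-PLACEHOLDER"
USERS = {
    "u-1": {"user_name": "alice"},
    "u-2": {"user_name": "bob"},
    "u-3": {"user_name": "carol"},
}
GROUPS = {
    "g-admins": {"display_name": "cloud-admins", "members": ["u-1", "u-2"]},
    # with expand_members=True the members value is a dict keyed by user ID
    "g-readonly": {"display_name": "readonly", "members": {"u-3": USERS["u-3"]}},
}
ASSIGNMENTS = [
    {"account_id": "111111111111", "permission_set_arn": PS_ADMIN,
     "principal_type": "GROUP", "principal_id": "g-admins"},
    {"account_id": "111111111111", "permission_set_arn": PS_ADMIN,
     "principal_type": "USER", "principal_id": "u-3"},
    # a principal deleted from the identity store but still assigned
    {"account_id": "111111111111", "permission_set_arn": PS_ADMIN,
     "principal_type": "USER", "principal_id": "u-gone"},
]

def member_ids(group: dict) -> list[str]:
    """Members is a list of user IDs, or a dict keyed by user ID when expanded."""
    return list(group.get("members") or [])  # iterating a dict yields its keys

def review_assignments(assignments: list[dict], groups: dict, users: dict):
    """Resolve who effectively holds each permission set, expanding GROUP principals.

    Returns (holders, direct, orphans): user ID -> permission set ARNs; user IDs
    assigned directly rather than via a group; principals that no longer resolve."""
    holders: dict[str, set[str]] = {}
    direct: set[str] = set()
    orphans: list[tuple[str, str]] = []
    for a in assignments:
        ps, ptype, pid = a["permission_set_arn"], a["principal_type"], a["principal_id"]
        if ptype == "GROUP" and pid in groups:
            targets = member_ids(groups[pid])
        elif ptype == "USER" and pid in users:
            targets = [pid]
            direct.add(pid)
        else:
            orphans.append((ptype, pid))  # stale assignment worth removing
            continue
        for uid in targets:
            holders.setdefault(uid, set()).add(ps)
    return holders, direct, orphans
```

Run on the constructed data, alice and bob hold the permission set through the group, carol holds it directly, and the assignment for "u-gone" is reported as an orphan.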