A small script to migrate or synchronize users & groups from Okta to AWS SSO

Overview

aws-sso-sync-okta


Changelog

  Version  Change
  0.5      Remove hardcoded values on variables and enable arguments as group_name
  0.6      Fixed search filtering in okta + enable dry run mode
  0.7      Enable iterating over a list obtained via SSM (Parameter Store)
  0.8      Fix error iterating on check_aws_groups

Current version: 0.8

This script is intended to synchronize all or some selected users from Okta to AWS SSO, based on a query that filters by group name on both APIs.

Workflow:

  1. Connects to AWS SSM to get the access credentials for both APIs.
  2. Asks the Okta API for groups matching the "okta_groups" variable (Okta may show more than one match since the search is regexp based).
  3. Gets the Group IDs of all matching groups (if no groups match, it exits).
  4. For each group found, asks for all the users inside that group.
  5. Compares all the users (by email) from Okta against AWS SSO and checks whether each user exists in AWS SSO.
  6. If the user exists, does nothing; if not, creates it.
  7. In a second phase, asks AWS for groups matching the "aws_groups" variable (exact match).
  8. Searches for every user in those groups.
  9. If the user does not exist in that group, creates it there.

Configuration

  1. Get your AWS SSO setup ready and collect the necessary values (SCIM URLs for users and groups). More info: https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html

  2. Create an API token to query the AWS API.

  3. Create an Okta API token.

  4. Save those values into SSM (Parameter Store) [okta_api_token and amz_sso_api_token].

  5. Put your SCIM URLs into the script.

  6. Save and quit

Usage

sync-users.py <group_name>

Considerations

  • When searching for groups, the Okta API (https://developer.okta.com/docs/reference/api/groups/) currently performs a startsWith match; as the documentation mentions, this should be considered an implementation detail and may change without notice in the future. To avoid more than one result, I strongly suggest using prefixes as a naming convention for the group names (i.e., xx_groupname). For now the script is being modified to do some checks and verify there's only one result. (It's a preventive measure; of course it can be iterated in a loop if necessary.)
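
The single-result check and the two-phase comparison from the workflow, sketched as an added example (not the script's own code). It goes one step further than counting results by requiring an exact name match; the function names are hypothetical, the dictionaries are constructed samples with simplified shapes, and the case-insensitive email comparison is an assumption of this example.

```python
# Added example: constructed data, no network calls.

def pick_exact_group(okta_results, wanted):
    """Return the ID of the single Okta group named exactly `wanted`.

    Okta's group search is a prefix match, so "xx_devops" can also return
    "xx_devops_admins". Syncing every hit would over-provision access.
    """
    exact = [g for g in okta_results if g["profile"]["name"] == wanted]
    if len(exact) != 1:
        names = [g["profile"]["name"] for g in okta_results]
        raise ValueError(f"need exactly one group named {wanted!r}, got {names}")
    return exact[0]["id"]


def plan_sync(okta_emails, sso_users, sso_group_member_ids):
    """Dry-run plan: which users to create and which to add to the group.

    sso_users maps email -> AWS SSO user id. Emails are compared
    case-insensitively (assumption) so one person is not created twice.
    """
    known = {email.lower(): uid for email, uid in sso_users.items()}
    to_create, to_add = [], []
    for email in sorted({e.lower() for e in okta_emails}):
        uid = known.get(email)
        if uid is None:
            to_create.append(email)   # phase 1: user missing in AWS SSO
            to_add.append(email)      # phase 2: new user also needs membership
        elif uid not in sso_group_member_ids:
            to_add.append(email)      # user exists but is not in the group
    return {"create": to_create, "add_to_group": to_add}


# Constructed sample data (IDs and addresses are placeholders).
OKTA_SEARCH = [
    {"id": "00gEXAMPLE0001", "profile": {"name": "xx_devops"}},
    {"id": "00gEXAMPLE0002", "profile": {"name": "xx_devops_admins"}},
]
OKTA_MEMBERS = ["ana@example.com", "Bob@example.com", "cy@example.com"]
SSO_USERS = {"ana@example.com": "u-1", "bob@example.com": "u-2"}
SSO_GROUP_MEMBERS = {"u-1"}

if __name__ == "__main__":
    print(pick_exact_group(OKTA_SEARCH, "xx_devops"))
    print(plan_sync(OKTA_MEMBERS, SSO_USERS, SSO_GROUP_MEMBERS))
```

Reviewing the returned plan before any create call is made gives the same safety as the script's dry run mode: nothing is provisioned until the list of accounts and memberships has been read.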

Demo:

[email protected][~]> sync-users.py xx_devops

>> Syncing users from Okta to AWS SSO
==========================================
>> Retrieving Group ID's from Okta.........
['xx_devops']
  00g1by6snswq40ERK417 - [ xx_devops ]
>> Getting users from retrieved group ID's .........
>> Got 2 users from Okta
>> Checking AWS SSO users list.....
>> User [ [email protected] ] 93671e0715-1525f435-9359-4c9b-a2fe-13209d15cff8 already exists...
>> User [ [email protected] ] 93671e0715-08b298da-4bce-4f2e-a7b2-18433607d07f already exists...
>> Searching Groups matching: [ xx_devops ]
>> Results found: 1
>> Group ID: 93671e0715-b65a0f2f-ds7d-402d-a05c-91441697f9dc
>> User [ [email protected] ] already exists in group93671e0715-b65a0f2f-ce8b-a05c-a05c-91441687f9dc
>> User [ [email protected] ] already exists in group93671e0715-b65a0f2f-ce8b-a05c-a05c-914416973fdc
>> User [ [email protected] ] creating user into AWS SSO .......OK
>> User [ [email protected] ] creating user into AWS SSO .......OK
>> User [ [email protected] ] creating user into AWS SSO .......OK

TODO/WIP

  • Iterate over a list of groups to sync multiple groups
  • Get the list of groups from SSM (Parameter Store) instead of passing an argument to the script

Troubleshooting

(WIP)

WARNING: Since this software is not tested enough, I would strongly suggest running it carefully by syncing the groups from Okta to AWS SSO one by one! This way you can only screw up one group at a time :)

Since the access credentials are stored in Parameter Store (AWS SSM), be sure to launch this script while authenticated via the CLI against the Root Account, or wherever you're configuring AWS SSO and AWS SSM. Otherwise the script won't be able to find the access credentials for both APIs.

Owner
Paul
Devops Engineer