
little-cartoon-10569

11/16/2021, 2:39 AM
It looks like there is no way in Pulumi to read or manage SSO principals (users or groups), is this correct?
I need to manage these myself using the AWS SDK?
Or is it normal to get these from your IdP somehow?
Found it, not particularly intuitive...
aws.identitystore.getGroup()

freezing-van-87649

11/16/2021, 3:20 AM
Yep, that one took me a while to figure out

rapid-raincoat-36492

11/16/2021, 3:41 AM
Of note, this is a limitation of AWS's SDK: there's just no way to manage those AWS identitystore principals without using an external IdP, like Okta.

little-cartoon-10569

11/16/2021, 4:09 AM
Not even the AWS-provided SSO identity store? Not that I want to, it's Okta here, but I thought you could do it natively...

rapid-raincoat-36492

11/16/2021, 2:37 PM
Unfortunately not: https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html The only supported actions are Describe... and List...
I'm not on Okta quite yet, so I'm managing in the AWS Console by hand 🙃

little-cartoon-10569

11/16/2021, 8:58 PM
I wouldn't expect it to work via the identitystore module. For AWS' identity store, the module would be whatever provides the default AWS SSO identities. directoryservice maybe? Or maybe even IAM, if that's what backs the identitystore (though I don't think it is).
Woeful documentation on AWS in this area. I can't see any way of managing users and groups in the default identity store except via the console...