It looks like there is no way in Pulumi to read or manage SSO principals (users or groups), is this correct?

Yep, that one took me a while to figure out

Of note, this is a limitation of AWS's SDK, there's just no way to manage those AWS identitystore principals without using an external idp, like Okta

Not even the AWS-provided SSO identity store? Not that I want to, it's Okta here, but I thought you could do it natively...

Unfortunately not: https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html The only supported actions are

Describe...

and

List...

I'm not on Okta quite yet, so I'm managing in the AWS Console by hand 🙃

I wouldn't expect it to work via the identitystore module. For AWS' identity store, the module would be whatever provides the default AWS SSO identities. directoryservice maybe? Or maybe even IAM, if that's what backs the identitystore (though I don't think it is).