# aws
l
It looks like there is no way in Pulumi to read or manage SSO principals (users or groups), is this correct?
I need to manage these myself using the AWS SDK?
Or is it normal to get these from your IdP somehow?
Found it, not particularly intuitive... `aws.identitystore.getGroup()`
f
Yep, that one took me a while to figure out
r
Of note, this is a limitation of AWS's SDK; there's just no way to manage those AWS identitystore principals without using an external IdP, like Okta.
l
Not even the AWS-provided SSO identity store? Not that I want to, it's Okta here, but I thought you could do it natively...
r
Unfortunately not: https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/welcome.html The only supported actions are `Describe...` and `List...`
I'm not on Okta quite yet, so I'm managing in the AWS Console by hand 🙃
l
I wouldn't expect it to work via the identitystore module. For AWS' identity store, the module would be whatever provides the default AWS SSO identities. directoryservice maybe? Or maybe even IAM, if that's what backs the identitystore (though I don't think it is).
Woeful documentation on AWS in this area. I can't see any way of managing users and groups in the default identity store except via the console...