# getting-started
a
Hi everyone! I'm implementing sync of our LDAP/AD to AWS users and groups through Pulumi, and in case a user is disabled in LDAP I need to disable them in AWS. In the AWS Console there is an option to disable console login, plus I can disable all secret keys registered for that user. Could you hint me how to do it in Pulumi? I don't see many options/args in
aws.iam.User
Also a user might have multiple access keys, so I need to iterate through each one
h
You want to look at Access Keys: https://www.pulumi.com/registry/packages/aws/api-docs/iam/accesskey/ to control access keys and the ability to log into the console is controlled by https://www.pulumi.com/registry/packages/aws/api-docs/iam/userloginprofile/
You might consider SAML integration as an alternative approach if you haven't already
a
is that the correct approach:
```python
for key in aws.iam.get_access_keys(aws_user.name).access_keys:
    key.update({"status": "Inactive"})
```
?
and in
UserLoginProfile
I still don't get how to prevent console login?
h
I think you delete the UserLoginProfile to prevent access
I haven't done this in Pulumi, but I'm presuming it is similar to how it's done in Terraform, just trying to help you keep moving forward
a
hmmm how do I delete it in Pulumi?
i mean when we create it through Pulumi, delete is simple, but we create aws.iam.User, not the
UserLoginProfile
so I don't have a ref on that object to delete it
h
You could import it and then delete it, or it might just be easier to use boto3 to do it in a single step.
a
ah yes, good point, might use boto3 directly
need to research SAML, maybe I'm truly inventing the bicycle
h
Yeah, SAML will sync between AD and Identity Center... then you control access using group membership and you don't have to actually disable console/keys, you just remove people from groups which means they can authenticate still but they don't have any permissions