Manage and audit AWS IAM Identity Center User and Group operations at scale using Identity Store APIs. With these APIs
Here's a Python script that reads user and group information from a CSV file and creates users and groups in AWS IAM Identity Store:
Replace '/Your/File/Path/users.csv' in the Python code with the path to your CSV file.
import boto3
import csv
from botocore.exceptions import ClientError
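def create_identity_store_user(identity_store_client, identity_store_id, user_data):
    """
    Create a user in the IAM Identity Store.

    Args:
        identity_store_client: boto3 ``identitystore`` client.
        identity_store_id: ID of the Identity Store to create the user in.
        user_data: Mapping (one CSV row) with the keys ``userName``,
            ``firstName``, ``lastName``, ``displayName`` and ``emailAddress``.

    Returns:
        The new user's ``UserId``. If the API raises a ``ConflictException``
        the existing user is looked up by ``UserName`` and that ID is
        returned instead. ``None`` when the user could not be created or an
        existing user could not be resolved (the error is printed).
    """
    user_name = user_data['userName']
    try:
        response = identity_store_client.create_user(
            IdentityStoreId=identity_store_id,
            UserName=user_name,
            Name={
                'FamilyName': user_data['lastName'],
                'GivenName': user_data['firstName']
            },
            DisplayName=user_data['displayName'],
            Emails=[
                {
                    'Value': user_data['emailAddress'],
                    'Primary': True
                }
            ]
        )
    except ClientError as e:
        if e.response['Error']['Code'] != 'ConflictException':
            print(f"Error creating user {user_name}: {e}")
            return None
        print(f"User {user_name} already exists")
        return _find_user_id_by_name(identity_store_client, identity_store_id, user_name)
    print(f"Created user: {user_name}")
    return response['UserId']


def _find_user_id_by_name(identity_store_client, identity_store_id, user_name):
    """
    Return the ``UserId`` of the user whose ``UserName`` is ``user_name``.

    Returns ``None`` (after printing a message) when the lookup fails or no
    user matches. A ConflictException from CreateUser may be raised for
    reasons other than a duplicate ``UserName`` (NOTE(review): confirm
    against the API), so an empty result must not be indexed blindly.
    """
    try:
        response = identity_store_client.list_users(
            IdentityStoreId=identity_store_id,
            Filters=[{
                'AttributePath': 'UserName',
                'AttributeValue': user_name
            }]
        )
    except ClientError as e:
        print(f"Error looking up user {user_name}: {e}")
        return None
    users = response.get('Users') or []
    if not users:
        print(f"User {user_name} reported as existing but not found by UserName")
        return None
    return users[0]['UserId']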
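def create_group(identity_store_client, identity_store_id, group_name):
    """
    Create a group in the IAM Identity Store.

    Args:
        identity_store_client: boto3 ``identitystore`` client.
        identity_store_id: ID of the Identity Store to create the group in.
        group_name: Display name of the group; also used in its description.

    Returns:
        The new group's ``GroupId``. If the API raises a ``ConflictException``
        the existing group is looked up by ``DisplayName`` and that ID is
        returned instead. ``None`` when the group could not be created or an
        existing group could not be resolved (the error is printed).
    """
    try:
        response = identity_store_client.create_group(
            IdentityStoreId=identity_store_id,
            DisplayName=group_name,
            Description=f"Group for {group_name}"
        )
    except ClientError as e:
        if e.response['Error']['Code'] != 'ConflictException':
            print(f"Error creating group {group_name}: {e}")
            return None
        print(f"Group {group_name} already exists")
        return _find_group_id_by_name(identity_store_client, identity_store_id, group_name)
    print(f"Created group: {group_name}")
    return response['GroupId']


def _find_group_id_by_name(identity_store_client, identity_store_id, group_name):
    """
    Return the ``GroupId`` of the group whose ``DisplayName`` is ``group_name``.

    Returns ``None`` (after printing a message) when the lookup fails or no
    group matches, instead of indexing an empty ``Groups`` list.
    """
    try:
        response = identity_store_client.list_groups(
            IdentityStoreId=identity_store_id,
            Filters=[{
                'AttributePath': 'DisplayName',
                'AttributeValue': group_name
            }]
        )
    except ClientError as e:
        print(f"Error looking up group {group_name}: {e}")
        return None
    groups = response.get('Groups') or []
    if not groups:
        print(f"Group {group_name} reported as existing but not found by DisplayName")
        return None
    return groups[0]['GroupId']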
def add_user_to_group(identity_store_client, identity_store_id, user_id, group_id):
    """
    Add the user ``user_id`` to the group ``group_id`` in the IAM Identity Store.

    Calls ``create_group_membership``. An existing membership
    (``ConflictException``) is reported and otherwise ignored; any other
    ``ClientError`` is printed. Returns ``None`` in every case.
    """
    membership = {
        'IdentityStoreId': identity_store_id,
        'GroupId': group_id,
        'MemberId': {'UserId': user_id},
    }
    try:
        identity_store_client.create_group_membership(**membership)
    except ClientError as e:
        error_code = e.response['Error']['Code']
        if error_code == 'ConflictException':
            print(f"User {user_id} is already a member of group {group_id}")
        else:
            print(f"Error adding user to group: {e}")
        return
    print(f"Added user {user_id} to group {group_id}")
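def main(csv_path='/Your/File/Path/users.csv'):
    """
    Create the users and groups listed in a CSV file in the IAM Identity Store.

    Each row creates (or resolves) a user; when the row's ``withinGroup``
    column is non-empty the group is created (or resolved) once and the user
    is added to it.

    Args:
        csv_path: Path to the CSV file. Expected columns: firstName,
            lastName, userName, displayName, emailAddress, withinGroup.

    Raises:
        RuntimeError: if ``sso-admin`` ListInstances returns no instance, so
            no Identity Store ID can be determined.
    """
    identity_store_client = boto3.client('identitystore')

    # Resolve the Identity Store ID from the Identity Center instance.
    sso_admin_client = boto3.client('sso-admin')
    instances = sso_admin_client.list_instances().get('Instances') or []
    if not instances:
        raise RuntimeError("No IAM Identity Center instance found in this account/region")
    # NOTE(review): the first instance is used; confirm this is the intended
    # one if ListInstances returns more than one.
    identity_store_id = instances[0]['IdentityStoreId']

    # newline='' is required by the csv module; utf-8 keeps non-ASCII names intact.
    with open(csv_path, 'r', newline='', encoding='utf-8') as file:
        csv_reader = csv.DictReader(file)
        # Group name -> GroupId (or None when creation failed), so each group
        # is created/looked up only once per run.
        created_groups = {}
        for row in csv_reader:
            user_id = create_identity_store_user(identity_store_client, identity_store_id, row)
            # A missing column or empty value means "no group" for this row.
            group_name = row.get('withinGroup')
            if not user_id or not group_name:
                continue
            if group_name not in created_groups:
                created_groups[group_name] = create_group(
                    identity_store_client, identity_store_id, group_name
                )
            group_id = created_groups[group_name]
            if group_id:
                add_user_to_group(identity_store_client, identity_store_id, user_id, group_id)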
if __name__ == "__main__":
    # Script entry point: run the CSV import when executed directly.
    raise SystemExit(main())
To use this script, you'll need:
A CSV file named users.csv with the following columns:
firstName
lastName
userName
displayName
emailAddress
withinGroup
AWS credentials configured with permissions for the API calls the script makes: identitystore CreateUser, ListUsers, CreateGroup, ListGroups and CreateGroupMembership, and sso-admin ListInstances
Replace '/Your/File/Path/users.csv' in the Python code with the path to your CSV file.