AWS IAM Identity Center (SSO) - Assign Group to Organizational Unit

Question

Hi all,

Working on an enterprise architecture/environment, having a huge number of AWS Accounts, We are facing some difficulties to assign Users/Groups to multiple-accounts.

So I'm asking if there is a way to assign Users/Groups to the whole Organizational Unit instead of selecting multiple-accounts each time we need to give access to a new employee/developer ?

![Enter image description here](/media/postImages/original/IM_xwCEHwMRBuSPJhg0x3ELw)

Thanks alot

Peter

Answer

As far as I know, we can't specify OU to assign AWS accounts to Users/Groups.
You would be able to easily implement it by AWS CLI or SDK.

If AWS CLI, the following commands help you.
https://docs.aws.amazon.com/cli/latest/reference/organizations/list-accounts-for-parent.html
https://docs.aws.amazon.com/cli/latest/reference/sso-admin/create-account-assignment.html

Answer

Possible with a little tweak using “ssoutil::SSO::AssignmentGroup” cloud formation macro from aws-sso-util

* https://github.com/benkehoe/aws-sso-util/blob/master/macro/template.yaml
* https://medium.com/smg-real-estate/automating-multi-account-permission-management-with-aws-iam-identity-center-previously-aws-sso-b1d85281963

AWS IAM Identity Center (SSO) - Assign Group to Organizational Unit

Relevanter Inhalt