How do I export a list of IAM Identity Center IDs and their assignments?
I want to export a list of all AWS IAM Identity Center permission sets, and the principals assigned to those permission sets, across the member accounts in AWS Organizations.
Short description
To generate a report on IAM Identity Center permission sets, use a Python script. You can generate a JSON report of the permission sets and their assigned principals, or a .csv file of the accounts that permission sets are assigned to.
Important:
- The maximum total throttle for the IAM Identity Center API is 20 transactions per second (TPS).
Note: If you receive RequestLimitExceeded or ThrottlingException errors, see Manage and monitor API throttling for your workloads.
- The more accounts the script covers, the longer the report takes to generate.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Prerequisites:
- Install or update the AWS SDK for Python (Boto3).
- Configure the AWS CLI and the AWS SDK for Python with the appropriate credentials using one of the following methods:
  - Run the AWS CLI configure command. For more information, see Configuration using AWS CLI commands.
  - Use temporary security credentials.
- Configure a profile in the AWS CLI with credentials for an IAM principal that:
  - Has access to the Organizations management account or the delegated administrator account for IAM Identity Center.
  - Has the AWSSSOReadOnly and AWSSSODirectoryReadOnly AWS managed policies attached.
Generate a report of permission sets with their assigned principals
Complete the following steps:
- Save the following Python script with a .py extension (for example, permission_sets_report.py).
```python
import boto3, json

idstoreclient = boto3.client('identitystore')
ssoadminclient = boto3.client('sso-admin')
orgsclient = boto3.client('organizations')

users = {}
groups = {}
permissionSets = {}
Accounts = []

Instances = (ssoadminclient.list_instances()).get('Instances')
InstanceARN = Instances[0].get('InstanceArn')
IdentityStoreId = Instances[0].get('IdentityStoreId')


# Dictionary mapping User IDs to usernames
def mapUserIDs():
    ListUsers = idstoreclient.list_users(IdentityStoreId=IdentityStoreId)
    ListOfUsers = ListUsers['Users']
    while 'NextToken' in ListUsers.keys():
        ListUsers = idstoreclient.list_users(IdentityStoreId=IdentityStoreId, NextToken=ListUsers['NextToken'])
        ListOfUsers.extend(ListUsers['Users'])
    for eachUser in ListOfUsers:
        users.update({eachUser.get('UserId'): eachUser.get('UserName')})


mapUserIDs()


# Dictionary mapping Group IDs to display names
def mapGroupIDs():
    ListGroups = idstoreclient.list_groups(IdentityStoreId=IdentityStoreId)
    ListOfGroups = ListGroups['Groups']
    while 'NextToken' in ListGroups.keys():
        ListGroups = idstoreclient.list_groups(IdentityStoreId=IdentityStoreId, NextToken=ListGroups['NextToken'])
        ListOfGroups.extend(ListGroups['Groups'])
    for eachGroup in ListOfGroups:
        groups.update({eachGroup.get('GroupId'): eachGroup.get('DisplayName')})


mapGroupIDs()


# Dictionary mapping permission set ARNs to permission set names
def mapPermissionSetIDs():
    ListPermissionSets = ssoadminclient.list_permission_sets(InstanceArn=InstanceARN)
    ListOfPermissionSets = ListPermissionSets['PermissionSets']
    while 'NextToken' in ListPermissionSets.keys():
        ListPermissionSets = ssoadminclient.list_permission_sets(InstanceArn=InstanceARN, NextToken=ListPermissionSets['NextToken'])
        ListOfPermissionSets.extend(ListPermissionSets['PermissionSets'])
    for eachPermissionSet in ListOfPermissionSets:
        permissionSetDescription = ssoadminclient.describe_permission_set(InstanceArn=InstanceARN, PermissionSetArn=eachPermissionSet)
        permissionSetDetails = permissionSetDescription.get('PermissionSet')
        permissionSets.update({permissionSetDetails.get('PermissionSetArn'): permissionSetDetails.get('Name')})


mapPermissionSetIDs()


# Listing permission sets provisioned to an account
def GetPermissionSetsProvisionedToAccount(AccountID):
    ListOfPermissionSetsProvisionedToAccount = []
    PermissionSetsProvisionedToAccount = ssoadminclient.list_permission_sets_provisioned_to_account(InstanceArn=InstanceARN, AccountId=AccountID)
    try:
        ListOfPermissionSetsProvisionedToAccount = PermissionSetsProvisionedToAccount['PermissionSets']
        while 'NextToken' in PermissionSetsProvisionedToAccount.keys():
            PermissionSetsProvisionedToAccount = ssoadminclient.list_permission_sets_provisioned_to_account(InstanceArn=InstanceARN, AccountId=AccountID, NextToken=PermissionSetsProvisionedToAccount['NextToken'])
            ListOfPermissionSetsProvisionedToAccount.extend(PermissionSetsProvisionedToAccount['PermissionSets'])
        return ListOfPermissionSetsProvisionedToAccount
    except KeyError:
        # The response has no 'PermissionSets' key when nothing is provisioned to the account
        return ListOfPermissionSetsProvisionedToAccount


# To retrieve every permission set/user/group assignment for an account
def ListAccountAssignments(AccountID):
    PermissionSetsList = GetPermissionSetsProvisionedToAccount(AccountID)
    Assignments = []
    for permissionSet in PermissionSetsList:
        AccountAssignments = ssoadminclient.list_account_assignments(InstanceArn=InstanceARN, AccountId=AccountID, PermissionSetArn=permissionSet)
        Assignments.extend(AccountAssignments['AccountAssignments'])
        while 'NextToken' in AccountAssignments.keys():
            AccountAssignments = ssoadminclient.list_account_assignments(InstanceArn=InstanceARN, AccountId=AccountID, PermissionSetArn=permissionSet, NextToken=AccountAssignments['NextToken'])
            Assignments.extend(AccountAssignments['AccountAssignments'])
    return Assignments


# To list all the accounts in the organization
def ListAccountsInOrganization():
    AccountsList = orgsclient.list_accounts()
    ListOfAccounts = AccountsList['Accounts']
    while 'NextToken' in AccountsList.keys():
        AccountsList = orgsclient.list_accounts(NextToken=AccountsList['NextToken'])
        ListOfAccounts.extend(AccountsList['Accounts'])
    for eachAccount in ListOfAccounts:
        Accounts.append(str(eachAccount.get('Id')))
    return Accounts


# To translate the set datatype to JSON
class SetEncoder(json.JSONEncoder):
    def default(self, obj):
        if isinstance(obj, set):
            return list(obj)
        return json.JSONEncoder.default(self, obj)


def GetListOfAssignmentsForPermissionSets():
    ListOfAccountIDs = ListAccountsInOrganization()
    PermissionSetListForAssignments = {}
    for eachAccountID in ListOfAccountIDs:
        GetAccountAssignments = ListAccountAssignments(eachAccountID)
        for eachAssignment in GetAccountAssignments:
            permissionSetName = permissionSets.get(eachAssignment.get('PermissionSetArn'))
            if permissionSetName not in PermissionSetListForAssignments.keys():
                PermissionSetListForAssignments[permissionSetName] = {'Users': set(), 'Groups': set()}
            SetOfUsersandGroups = PermissionSetListForAssignments.get(permissionSetName)
            # Sets are mutated in place, so the dictionary entry stays current
            if eachAssignment.get('PrincipalType') == 'GROUP':
                SetOfUsersandGroups['Groups'].add(groups.get(eachAssignment.get('PrincipalId')))
            else:
                SetOfUsersandGroups['Users'].add(users.get(eachAssignment.get('PrincipalId')))
    with open("AssignmentsForPermissionSets.json", "w") as outfile:
        json.dump(PermissionSetListForAssignments, outfile, cls=SetEncoder)
    print("Done! AssignmentsForPermissionSets.json generated successfully!")


GetListOfAssignmentsForPermissionSets()
```

Note: If you receive the error "IndexError: list index out of range", then the script is running in an AWS Region other than the one where you configured IAM Identity Center.
- Run the Python script from a Terminal (macOS) or PowerShell (Windows) window.
The script generates a JSON file named AssignmentsForPermissionSets.json that contains the permission sets and the principals assigned to them.
Example output:
```json
{
  "AdministratorAccess": {
    "Users": ["Charlie", "Ted"],
    "Groups": ["Admins", "Developers"]
  },
  "PowerUserAccess": {
    "Users": ["Chandler", "Joey"],
    "Groups": ["Developers", "Testers"]
  },
  "SystemAdministrator": {
    "Users": ["Sherlock"],
    "Groups": ["DevOps"]
  }
}
```
Note: If a permission set isn't in the report, then you haven't provisioned that permission set to any account.
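Both scripts on this page repeat the NextToken loop for every API and stop at the first throttling error that the Important section warns about. As an added helper, not part of the original article, this paginator assumes a boto3 client method whose errors carry response["Error"]["Code"] (botocore's ClientError does) and retries only on the two codes named above:

```python
import sys
import time

# Throttling error codes the article names for the IAM Identity Center APIs.
THROTTLE_CODES = {"ThrottlingException", "RequestLimitExceeded"}


def is_throttle_error(err):
    # botocore's ClientError exposes the service code at
    # err.response["Error"]["Code"]; anything without that shape is not retried.
    response = getattr(err, "response", None) or {}
    return response.get("Error", {}).get("Code") in THROTTLE_CODES


def paginate(api_call, result_key, max_retries=5, base_delay=0.5, **params):
    """Collect every page of `result_key` from a boto3 list_* call.

    Follows NextToken as the article's scripts do, but backs off exponentially
    on throttling instead of aborting mid-run, which would leave the access
    report silently incomplete. A missing result key (an account with nothing
    provisioned) yields an empty list.
    """
    items = []
    token = None
    while True:
        kwargs = dict(params)
        if token:
            kwargs["NextToken"] = token
        for attempt in range(max_retries + 1):
            try:
                page = api_call(**kwargs)
                break
            except Exception as err:
                if not is_throttle_error(err) or attempt == max_retries:
                    raise
                delay = base_delay * (2 ** attempt)
                print(f"throttled; retrying in {delay:.1f}s", file=sys.stderr)
                time.sleep(delay)
        items.extend(page.get(result_key, []))
        token = page.get("NextToken")
        if not token:
            return items


if __name__ == "__main__":
    # Hypothetical usage against the real client, with the article's variable names.
    import boto3
    ssoadminclient = boto3.client("sso-admin")
    InstanceARN = ssoadminclient.list_instances()["Instances"][0]["InstanceArn"]
    print(paginate(ssoadminclient.list_permission_sets, "PermissionSets", InstanceArn=InstanceARN))
```

Because the result key is looked up with a default, this also replaces the try/except around list_permission_sets_provisioned_to_account in the first script.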
Generate a report of permission set assignments for accounts
Complete the following steps:
- Save the following Python script with a .py extension (for example, account_assignments_report.py).
```python
import boto3, csv

idstoreclient = boto3.client('identitystore')
ssoadminclient = boto3.client('sso-admin')
orgsclient = boto3.client('organizations')

users = {}
groups = {}
permissionSets = {}
Accounts = {}

Instances = (ssoadminclient.list_instances()).get('Instances')
InstanceARN = Instances[0].get('InstanceArn')
IdentityStoreId = Instances[0].get('IdentityStoreId')


# Dictionary mapping User IDs to usernames
def mapUserIDs():
    ListUsers = idstoreclient.list_users(IdentityStoreId=IdentityStoreId)
    ListOfUsers = ListUsers['Users']
    while 'NextToken' in ListUsers.keys():
        ListUsers = idstoreclient.list_users(IdentityStoreId=IdentityStoreId, NextToken=ListUsers['NextToken'])
        ListOfUsers.extend(ListUsers['Users'])
    for eachUser in ListOfUsers:
        users.update({eachUser.get('UserId'): eachUser.get('UserName')})


mapUserIDs()


# Dictionary mapping Group IDs to display names
def mapGroupIDs():
    ListGroups = idstoreclient.list_groups(IdentityStoreId=IdentityStoreId)
    ListOfGroups = ListGroups['Groups']
    while 'NextToken' in ListGroups.keys():
        ListGroups = idstoreclient.list_groups(IdentityStoreId=IdentityStoreId, NextToken=ListGroups['NextToken'])
        ListOfGroups.extend(ListGroups['Groups'])
    for eachGroup in ListOfGroups:
        groups.update({eachGroup.get('GroupId'): eachGroup.get('DisplayName')})


mapGroupIDs()


# Dictionary mapping permission set ARNs to permission set names
def mapPermissionSetIDs():
    ListPermissionSets = ssoadminclient.list_permission_sets(InstanceArn=InstanceARN)
    ListOfPermissionSets = ListPermissionSets['PermissionSets']
    while 'NextToken' in ListPermissionSets.keys():
        ListPermissionSets = ssoadminclient.list_permission_sets(InstanceArn=InstanceARN, NextToken=ListPermissionSets['NextToken'])
        ListOfPermissionSets.extend(ListPermissionSets['PermissionSets'])
    for eachPermissionSet in ListOfPermissionSets:
        permissionSetDescription = ssoadminclient.describe_permission_set(InstanceArn=InstanceARN, PermissionSetArn=eachPermissionSet)
        permissionSetDetails = permissionSetDescription.get('PermissionSet')
        permissionSets.update({permissionSetDetails.get('PermissionSetArn'): permissionSetDetails.get('Name')})


mapPermissionSetIDs()


# Listing permission sets provisioned to an account
def GetPermissionSetsProvisionedToAccount(AccountID):
    PermissionSetsProvisionedToAccount = ssoadminclient.list_permission_sets_provisioned_to_account(InstanceArn=InstanceARN, AccountId=AccountID)
    # The 'PermissionSets' key is absent when nothing is provisioned to the account
    ListOfPermissionSetsProvisionedToAccount = PermissionSetsProvisionedToAccount.get('PermissionSets', [])
    while 'NextToken' in PermissionSetsProvisionedToAccount.keys():
        PermissionSetsProvisionedToAccount = ssoadminclient.list_permission_sets_provisioned_to_account(InstanceArn=InstanceARN, AccountId=AccountID, NextToken=PermissionSetsProvisionedToAccount['NextToken'])
        ListOfPermissionSetsProvisionedToAccount.extend(PermissionSetsProvisionedToAccount.get('PermissionSets', []))
    return ListOfPermissionSetsProvisionedToAccount


# To retrieve every permission set/user/group assignment for an account
def ListAccountAssignments(AccountID):
    PermissionSetsList = GetPermissionSetsProvisionedToAccount(AccountID)
    Assignments = []
    for permissionSet in PermissionSetsList:
        AccountAssignments = ssoadminclient.list_account_assignments(InstanceArn=InstanceARN, AccountId=AccountID, PermissionSetArn=permissionSet)
        Assignments.extend(AccountAssignments['AccountAssignments'])
        while 'NextToken' in AccountAssignments.keys():
            AccountAssignments = ssoadminclient.list_account_assignments(InstanceArn=InstanceARN, AccountId=AccountID, PermissionSetArn=permissionSet, NextToken=AccountAssignments['NextToken'])
            Assignments.extend(AccountAssignments['AccountAssignments'])
    return Assignments


# To list all the accounts in the organization
def ListAccountsInOrganization():
    AccountsList = orgsclient.list_accounts()
    ListOfAccounts = AccountsList['Accounts']
    while 'NextToken' in AccountsList.keys():
        AccountsList = orgsclient.list_accounts(NextToken=AccountsList['NextToken'])
        ListOfAccounts.extend(AccountsList['Accounts'])
    for eachAccount in ListOfAccounts:
        Accounts.update({eachAccount.get('Id'): eachAccount.get('Name')})
    return Accounts


def WriteToExcel():
    Accounts = ListAccountsInOrganization()
    ListOfAccountIDs = list(Accounts.keys())
    entries = []
    for eachAccountID in ListOfAccountIDs:
        try:
            GetAccountAssignments = ListAccountAssignments(eachAccountID)
        except Exception as err:
            # Skip the account but say so: a silently missing account makes the report look complete when it is not
            print(f"Skipping account {eachAccountID}: {err}")
            continue
        for eachAssignment in GetAccountAssignments:
            entry = [
                eachAssignment.get('AccountId'),
                Accounts.get(eachAssignment.get('AccountId')),
                permissionSets.get(eachAssignment.get('PermissionSetArn')),
                eachAssignment.get('PrincipalType'),
            ]
            if eachAssignment.get('PrincipalType') == 'GROUP':
                entry.append(groups.get(eachAssignment.get('PrincipalId')))
            else:
                entry.append(users.get(eachAssignment.get('PrincipalId')))
            entries.append(entry)
    filename = "IdentityStoreReport.csv"
    headers = ['Account ID', 'Account Name', 'Permission Set', 'Principal Type', 'Principal']
    # newline='' keeps the csv module from writing blank lines between rows on Windows
    with open(filename, 'w', newline='') as report:
        csvwriter = csv.writer(report)
        csvwriter.writerow(headers)
        csvwriter.writerows(entries)
    print("Done! 'IdentityStoreReport.csv' report is generated successfully!")


WriteToExcel()
```

- Run the Python script from a Terminal (macOS) or PowerShell (Windows) window.
The script generates a .csv file named **IdentityStoreReport.csv** that contains the account assignments. The system saves the .csv file in the same directory as the permission set report.
Example .csv file output:
| Account ID | Account Name | Permission Set | Principal Type | Principal |
|---|---|---|---|---|
| 123456789012 | Development | PowerUserAccess | GROUP | Developers |
| 123456789012 | Development | PowerUserAccess | USER | Ross |
| 123456789012 | Development | AdministratorAccess | USER | Phoebe |
| 123456789012 | Development | SystemAdministrator | USER | Jake |
| 345678901234 | Production | AdministratorAccess | GROUP | Admins |
| 345678901234 | Production | AdministratorAccess | GROUP | Testing |
| 901234567890 | Staging | PowerUserAccess | GROUP | Testing |
| 901234567890 | Staging | AdministratorAccess | GROUP | Client |
| 901234567890 | Staging | PowerUserAccess | USER | Gina |
| 901234567890 | Staging | PowerUserAccess | GROUP | Admins |
Note: If an account isn't in the report, then you haven't provisioned any permission set to that account.
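The .csv report is only useful once someone reads it for least-privilege findings. As an added example that is not from the article, the following parses the IdentityStoreReport.csv layout shown above and produces three review outputs; the sample rows are constructed from the table, and which permission sets count as privileged is an assumption:

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout IdentityStoreReport.csv uses
# (a subset of the article's example rows).
SAMPLE_CSV = """Account ID,Account Name,Permission Set,Principal Type,Principal
123456789012,Development,PowerUserAccess,GROUP,Developers
123456789012,Development,PowerUserAccess,USER,Ross
123456789012,Development,AdministratorAccess,USER,Phoebe
345678901234,Production,AdministratorAccess,GROUP,Admins
345678901234,Production,AdministratorAccess,GROUP,Testing
901234567890,Staging,AdministratorAccess,GROUP,Client
"""

# Permission sets treated as privileged for this review (an assumption;
# adjust to the names used in your instance).
PRIVILEGED = {"AdministratorAccess"}


def load_report(text):
    """Parse CSV text written by the script into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def direct_user_privileged(rows):
    """Privileged permission sets assigned straight to a USER rather than
    through a group; these bypass group-membership review."""
    return sorted((r["Account ID"], r["Principal"], r["Permission Set"])
                  for r in rows
                  if r["Principal Type"] == "USER" and r["Permission Set"] in PRIVILEGED)


def privileged_principals_per_account(rows):
    """Number of distinct principals holding a privileged set in each account."""
    holders = defaultdict(set)
    for r in rows:
        if r["Permission Set"] in PRIVILEGED:
            holders[r["Account ID"]].add((r["Principal Type"], r["Principal"]))
    return {acct: len(p) for acct, p in holders.items()}


def _key(r):
    return (r["Account ID"], r["Permission Set"], r["Principal Type"], r["Principal"])


def new_assignments(previous_rows, current_rows):
    """Assignments in the current export that were absent from the previous
    one, so a scheduled run can alert on grants added since the last report."""
    before = {_key(r) for r in previous_rows}
    return sorted(_key(r) for r in current_rows if _key(r) not in before)
```

Keep each export alongside its date; new_assignments over yesterday's and today's files turns the report into a change alert rather than a one-off snapshot.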