Hello,
No direct way to get IAM Identity Center user attributes via SDK or CLI.
- SAML Attribute Mapping: Map custom attributes to SAML claims for your application to access ([AWS IAM Identity Center attribute mappings concept](https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html)).
- Lambda with AssumeRole: Develop a secure Lambda to assume a role and retrieve data with the AWS SDK ([AWS Lambda documentation](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html)).
- Separate User Pool: Create a separate user pool in your app to mirror IAM Identity Center users and capture custom attributes.
Hi Narravula,
thanks! I think this gives me some ideas.
The source of the user data should not be IAM Identity Center. Then the app can use SAML claims to check the attributes. Or, if using Cognito, aws cognito-idp could do it. Maybe it is about time anyway to think about some IDP.
I don't get the Lambda part though. Can I assume a user's role without the user having to sign in? And even if assuming the role, can I actually get the attributes, or do they just kick in for the policy conditions?
But yeah, that helped. Thanks again. And sorry for the late reply, somehow I now stumbled upon it with my draft still there, but apparently not posted.
Hi AleXONIVY,
Please go through the steps below; I hope they help resolve your issue.
Here's a general approach to achieve what you want:
- Use AWS SDK for JavaScript (or any other SDK): Since AWS SDK for JavaScript (v3) is commonly used, I'll provide examples using it. You can adapt the code for other SDKs like Python (boto3) as needed.
- Create and Manage Custom Attributes: If you need to set or update custom attributes, you would typically use the AWS Management Console or API to update the user profiles. Unfortunately, as of my knowledge cutoff in June 2023, AWS does not provide direct API endpoints to manage custom attributes for users in IAM Identity Center (SSO).
- Retrieve Custom Attributes via IAM Identity Center: There isn't a direct API to fetch custom attributes from IAM Identity Center. However, you can use AWS SSO's ListUsers API to retrieve user attributes and then handle custom attributes stored in an external store (like a database) that your application can query.
Here's an example approach using Node.js:
Step 1: Set up AWS SDK
Install AWS SDK for JavaScript (v3):
```shell
npm install @aws-sdk/client-identitystore
npm install @aws-sdk/client-sso-admin
```
Step 2: Code to Retrieve User Attributes
```javascript
const { IdentitystoreClient, ListUsersCommand } = require('@aws-sdk/client-identitystore');
const { SSOAdminClient, ListInstancesCommand } = require('@aws-sdk/client-sso-admin');

// Initialize clients (use the region where your IAM Identity Center instance lives)
const identitystoreClient = new IdentitystoreClient({ region: 'us-west-2' });
const ssoAdminClient = new SSOAdminClient({ region: 'us-west-2' });

// Function to get Identity Store ID
const getIdentityStoreId = async () => {
  const instancesCommand = new ListInstancesCommand({});
  const response = await ssoAdminClient.send(instancesCommand);
  if (!response.Instances || response.Instances.length === 0) {
    throw new Error('No IAM Identity Center instance found in this region');
  }
  return response.Instances[0].IdentityStoreId; // Assumes single instance
};

// Function to list users (follows NextToken so larger directories are not truncated)
const listUsers = async (identityStoreId) => {
  const users = [];
  let nextToken;
  do {
    const usersCommand = new ListUsersCommand({ IdentityStoreId: identityStoreId, NextToken: nextToken });
    const response = await identitystoreClient.send(usersCommand);
    users.push(...(response.Users ?? []));
    nextToken = response.NextToken;
  } while (nextToken);
  return users;
};

// Main function
const main = async () => {
  try {
    const identityStoreId = await getIdentityStoreId();
    const users = await listUsers(identityStoreId);
    // Display user attributes
    users.forEach(user => {
      console.log(`User: ${user.UserName}, Attributes: ${JSON.stringify(user)}`);
      // Add code to fetch and display custom attributes from your external store
    });
  } catch (error) {
    console.error(error);
  }
};

main();
```
Step 3: Manage Custom Attributes
Since custom attributes are not directly supported via the Identity Store API, you should maintain these attributes in an external database. For example, use DynamoDB to store and retrieve custom attributes:
Example DynamoDB Structure:
- Table Name: UserAttributes
- Partition Key: UserName (String)
- Attributes: Division, CustomAttribute1, CustomAttribute2, etc.
Step 4: Integrate DynamoDB in the Application
```javascript
const { DynamoDBClient, GetItemCommand } = require('@aws-sdk/client-dynamodb');
// unmarshall converts DynamoDB's { S: ... } attribute-value format into plain JS values
// (npm install @aws-sdk/util-dynamodb)
const { unmarshall } = require('@aws-sdk/util-dynamodb');

const dynamoDBClient = new DynamoDBClient({ region: 'us-west-2' });

// Look up one user's custom attributes by UserName (the table's partition key)
const getCustomAttributes = async (userName) => {
  const params = {
    TableName: 'UserAttributes',
    Key: {
      'UserName': { S: userName }
    }
  };
  const command = new GetItemCommand(params);
  const response = await dynamoDBClient.send(command);
  // Item is undefined when the user has no row; return an empty object in that case
  return response.Item ? unmarshall(response.Item) : {};
};

// Fetch and display custom attributes in the main function
// (getIdentityStoreId and listUsers are the functions defined in Step 2)
const main = async () => {
  try {
    const identityStoreId = await getIdentityStoreId();
    const users = await listUsers(identityStoreId);
    for (const user of users) {
      console.log(`User: ${user.UserName}, Attributes: ${JSON.stringify(user)}`);
      const customAttributes = await getCustomAttributes(user.UserName);
      console.log(`Custom Attributes: ${JSON.stringify(customAttributes)}`);
    }
  } catch (error) {
    console.error(error);
  }
};

main();
```
Thanks Pandurangaswamy,
that is one elaborate answer! However, I think the culprit is this line: `// Add code to fetch and display custom attributes from your external store`. This is what my question is about: how do I do this if the external store is AWS IAM Identity Management?
Hello AleXONIVY,
There isn't a direct way to fetch and display custom attributes from AWS IAM Identity Center using its current APIs. Try these:
Use OIDC with UIL (if applicable): If feasible, migrate the "Division" information to a User Information List (UIL) attribute and leverage OpenID Connect (OIDC) to retrieve it during user login.
IAM Roles & Tags: Redesign your application to utilize IAM roles with conditions that reference EC2 instance tags ("Division" tag) for access control. This eliminates the need for the application to access user attributes directly.
Create a DynamoDB table to store custom attributes linked to user IDs:
```shell
aws dynamodb create-table \
  --table-name UserAttributes \
  --attribute-definitions AttributeName=UserId,AttributeType=S \
  --key-schema AttributeName=UserId,KeyType=HASH \
  --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
```
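An added example, not code from any of the posters, that ties the Step 4 DynamoDB lookup in the earlier answer to the UserId-keyed table in this one: it pages through ListUsers via NextToken, joins each user to its custom-attribute row by the immutable Identity Store UserId rather than the renameable UserName, and decodes DynamoDB attribute values. The `send` and `getItem` functions are injected and the page and item fixtures are constructed, so it runs offline; in a real deployment pass the SDK clients' send and GetItem calls instead.

```javascript
// Added example: paginate Identity Store ListUsers and join each user, keyed by
// the immutable UserId, with custom attributes held in DynamoDB AttributeValue form.
// Constructed ListUsers pages shaped like @aws-sdk/client-identitystore responses.
const PAGES = {
  first: { Users: [{ UserId: 'u-1', UserName: 'alice' }], NextToken: 'p2' },
  p2: { Users: [{ UserId: 'u-2', UserName: 'bob' }] },
};

// Constructed attribute rows: partition key UserId, values in DynamoDB {S}/{N}/{BOOL} form.
const ATTRIBUTE_ITEMS = {
  'u-1': { UserId: { S: 'u-1' }, Division: { S: 'Finance' }, Level: { N: '3' } },
};

// Stand-ins for identitystoreClient.send(new ListUsersCommand(...)) and a GetItem call.
const fakeSend = async (command) => PAGES[command.input.NextToken ?? 'first'];
const fakeGetItem = async (userId) => ATTRIBUTE_ITEMS[userId];

// Follow NextToken until the directory is exhausted; reading one page truncates silently.
async function listAllUsers(send, identityStoreId) {
  const users = [];
  let nextToken;
  do {
    const page = await send({ input: { IdentityStoreId: identityStoreId, NextToken: nextToken } });
    users.push(...(page.Users ?? []));
    nextToken = page.NextToken;
  } while (nextToken);
  return users;
}

// Decode a DynamoDB AttributeValue map into plain JS values (subset of util-dynamodb unmarshall).
function unmarshalItem(item) {
  const out = {};
  for (const [name, av] of Object.entries(item ?? {})) {
    if ('S' in av) out[name] = av.S;
    else if ('N' in av) out[name] = Number(av.N);
    else if ('BOOL' in av) out[name] = av.BOOL;
  }
  return out;
}

// Join on UserId so a renamed or re-created UserName never picks up someone else's row;
// users with no row get an empty attribute object rather than undefined.
async function usersWithAttributes(send, identityStoreId, getItem) {
  const users = await listAllUsers(send, identityStoreId);
  return Promise.all(users.map(async (u) => ({
    userId: u.UserId,
    userName: u.UserName,
    custom: unmarshalItem(await getItem(u.UserId)),
  })));
}
```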