
Listing users/groups with delegated console access from AD Connector


Hello,

I have an AD Connector directory set up to connect to a self-managed Active Directory deployment. The connection is working correctly and I have enabled AWS Management Console access. I have created a role with a Directory Service trust policy, which I can see in the "Delegate console access" section of the directory page in the console. When I click on the role, I can see a list of users/groups from AD that have been given access to this role.

However, I cannot find anything in the AWS API or SDK documentation that would allow me to retrieve this list of users/groups programmatically. I have found the "Directory Service Data" API, but when I tried to enable it for my directory, I received an error message saying

Directory Service Data feature is not supported for this directory type

so it looks like that API is not an option for AD Connector directories.

Is there a way of retrieving the AD users/groups with access to the role using the API or SDK?

Thank you

1 Answer
Accepted Answer

Unfortunately, the AWS Directory Service Data API is not supported for AD Connector directories. This API, which would allow you to programmatically list users and groups, is only available for AWS Managed Microsoft AD directories.

Based on the available information, there isn't a direct API method to retrieve the list of AD users and groups that have been assigned to IAM roles for console access when using an AD Connector directory. The Directory Service Data functionality, which provides capabilities like listing users and groups, is specifically designed for AWS Managed Microsoft AD and doesn't extend to AD Connector directories.

The error message you received ("Directory Service Data feature is not supported for this directory type") confirms this limitation. While you can view this information in the AWS Management Console by navigating to the role in the "Delegate console access" section, there doesn't appear to be an equivalent programmatic method for AD Connector directories.

You might need to consider alternative approaches, such as maintaining this mapping information separately in your own system, or potentially using IAM APIs to retrieve role information, though these wouldn't directly provide the AD user/group mappings you're looking for.
Sources
AWS Directory Service Data - AWS Directory Service
Manage AWS Managed Microsoft AD users and groups with the AWS Management Console, AWS CLI, or AWS Tools for PowerShell - AWS Directory Service

answered a year ago
EXPERT
reviewed a year ago
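The answer above points at the IAM APIs as the only programmatic handle on this. As an added example that is not part of the original question or answer, the Python script below takes a list of roles in the shape returned by IAM `list-roles` (here a constructed sample, not real account data; the role names, account ID and ARNs are invented) and returns the roles whose trust policy lets the `ds.amazonaws.com` service principal assume them, which is the set of roles that the "Delegate console access" page lists. It handles the trust document arriving either as parsed JSON (boto3, CLI) or as the URL-encoded string the raw API returns, and it accepts scalar or list values for `Principal.Service` and `Action`, as IAM policy JSON allows. It does not, and for an AD Connector cannot, recover which AD users or groups are mapped to each role.

```python
import json
import urllib.parse
from typing import Any, Dict, Iterable, List

# Service principal that Directory Service uses when it assumes a role on
# behalf of an AD user who has been delegated console access.
DS_SERVICE_PRINCIPAL = "ds.amazonaws.com"


def _as_list(value: Any) -> List[Any]:
    """IAM policy JSON allows a scalar or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusts_directory_service(trust_policy: Dict[str, Any]) -> bool:
    """Return True if an Allow statement lets ds.amazonaws.com assume the role.

    Only Allow statements with a Service principal are considered; a Condition
    on the statement still counts (the role is still delegated, just narrowed),
    and Deny statements are not evaluated here, so the result over-reports
    rather than under-reports, which is what you want for an audit.
    """
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or a bare string principal is not a DS delegation
        services = _as_list(principal.get("Service"))
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if DS_SERVICE_PRINCIPAL in services and (
            {"sts:assumerole", "sts:*", "*"} & actions
        ):
            return True
    return False


def delegated_roles(roles: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Filter list-roles output down to roles trusted by Directory Service.

    Each entry carries the role name and ARN. boto3 and the CLI hand back
    AssumeRolePolicyDocument as parsed JSON; the raw API returns it as a
    URL-encoded string, so both forms are accepted.
    """
    out: List[Dict[str, str]] = []
    for role in roles:
        doc = role.get("AssumeRolePolicyDocument")
        if isinstance(doc, str):
            doc = json.loads(urllib.parse.unquote(doc))
        if isinstance(doc, dict) and trusts_directory_service(doc):
            out.append({"RoleName": role["RoleName"], "Arn": role["Arn"]})
    return out


# Constructed sample in the shape of iam.list_roles()["Roles"]; the names,
# account ID and ARNs are invented, not real output.
SAMPLE_ROLES = [
    {
        "RoleName": "ADConsoleAdmins",
        "Arn": "arn:aws:iam::123456789012:role/ADConsoleAdmins",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ds.amazonaws.com"},
                           "Action": "sts:AssumeRole"}],
        },
    },
    {
        "RoleName": "EC2AppRole",
        "Arn": "arn:aws:iam::123456789012:role/EC2AppRole",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}],
        },
    },
    {
        "RoleName": "ADConsoleReadOnly",
        "Arn": "arn:aws:iam::123456789012:role/ADConsoleReadOnly",
        # Raw-API style: URL-encoded JSON with list-valued Service and Action.
        "AssumeRolePolicyDocument": urllib.parse.quote(json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": ["ds.amazonaws.com",
                                                     "sso.amazonaws.com"]},
                           "Action": ["sts:AssumeRole"]}],
        })),
    },
]


if __name__ == "__main__":
    # Against a real account, replace SAMPLE_ROLES with the concatenated pages of
    # boto3.client("iam").get_paginator("list_roles").paginate().
    for entry in delegated_roles(SAMPLE_ROLES):
        print(entry["RoleName"], entry["Arn"])
```

Because the AD-side mapping is not retrievable for an AD Connector, the roles this returns are the boundary you can actually audit: any AD user or group mapped to one of them in the console gets that role's permissions, so review each role's attached policies alongside the list.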
