如何导出 IAM Identity Center 身份列表及其分配?
5 分钟阅读
0
我想导出所有 AWS IAM Identity Center 权限集及其在 AWS Organizations 成员账户中分配的主体的列表。
简短描述
要生成 IAM Identity Center 权限集的报告,请使用 Python 脚本。您可以创建包含权限集及其分配主体的 JSON 报告,或包含账户及其权限集分配的 .csv 文件。
重要事项:
- IAM Identity Center API 的最大总体限制为每秒 20 笔事务 (TPS)。
**注意:**如果您收到 RequestLimitExceeded 和 ThrottlingException 错误,请参阅 Managing and monitoring API throttling in your workloads(管理和监控工作负载中的 API 限制)。 - 您在脚本中包含的账户越多,生成报告所需的时间就越长。
解决方法
**注意:**如果您在运行 AWS 命令行界面 (AWS CLI) 命令时收到错误,请参阅 AWS CLI 错误故障排除。此外,请确保您使用的是最新版本的 AWS CLI。
先决条件:
- 安装或更新适用于 Python 的 AWS SDK (Boto3)。
- 使用以下方法之一为 AWS CLI 和适用于 Python 的 AWS SDK 配置相应的凭证:
运行 configure AWS CLI 命令。有关详细信息,请参阅使用 AWS CLI 命令进行配置。
使用临时安全凭证。 - 为 AWS CLI 配置一个包含 IAM 主体凭证的配置文件,该 IAM 主体需具备以下权限:
允许访问 IAM Identity Center 的 Organizations 管理账户或委派管理员账户。
附加 AWSSSOReadOnly 和 AWSSSODirectoryReadOnly AWS 托管策略。
生成包含分配主体的权限集报告
完成以下步骤:
-
使用 .py 扩展名保存以下 Python 脚本,例如 permission_sets_report.py:
import boto3, json idstoreclient = boto3.client('identitystore') ssoadminclient = boto3.client('sso-admin') orgsclient= boto3.client('organizations') users={} groups={} permissionSets={} Accounts=[] Instances= (ssoadminclient.list_instances()).get('Instances') InstanceARN=Instances[0].get('InstanceArn') IdentityStoreId=Instances[0].get('IdentityStoreId') #Dictionary mapping User IDs to usernames def mapUserIDs(): ListUsers=idstoreclient.list_users(IdentityStoreId=IdentityStoreId) ListOfUsers=ListUsers['Users'] while 'NextToken' in ListUsers.keys(): ListUsers=idstoreclient.list_users(IdentityStoreId=IdentityStoreId,NextToken=ListUsers['NextToken']) ListOfUsers.extend(ListUsers['Users']) for eachUser in ListOfUsers: users.update({eachUser.get('UserId'):eachUser.get('UserName')}) mapUserIDs() #Dictionary mapping Group IDs to display names def mapGroupIDs(): ListGroups=idstoreclient.list_groups(IdentityStoreId=IdentityStoreId) ListOfGroups=ListGroups['Groups'] while 'NextToken' in ListGroups.keys(): ListGroups=idstoreclient.list_groups(IdentityStoreId=IdentityStoreId,NextToken=ListGroups['NextToken']) ListOfGroups.extend(ListGroups['Groups']) for eachGroup in ListOfGroups: groups.update({eachGroup.get('GroupId'):eachGroup.get('DisplayName')}) mapGroupIDs() #Dictionary mapping permission set ARNs to permission set names def mapPermissionSetIDs(): ListPermissionSets=ssoadminclient.list_permission_sets(InstanceArn=InstanceARN) ListOfPermissionSets=ListPermissionSets['PermissionSets'] while 'NextToken' in ListPermissionSets.keys(): ListPermissionSets=ssoadminclient.list_permission_sets(InstanceArn=InstanceARN,NextToken=ListPermissionSets['NextToken']) ListOfPermissionSets.extend(ListPermissionSets['PermissionSets']) for eachPermissionSet in ListOfPermissionSets: permissionSetDescription=ssoadminclient.describe_permission_set(InstanceArn=InstanceARN,PermissionSetArn=eachPermissionSet) permissionSetDetails=permissionSetDescription.get('PermissionSet') permissionSets.update({permissionSetDetails.get('PermissionSetArn'):permissionSetDetails.get('Name')}) mapPermissionSetIDs() #Listing Permissionsets provisioned to an account def GetPermissionSetsProvisionedToAccount(AccountID): ListOfPermissionSetsProvisionedToAccount=[] PermissionSetsProvisionedToAccount=ssoadminclient.list_permission_sets_provisioned_to_account(InstanceArn=InstanceARN,AccountId=AccountID) try: ListOfPermissionSetsProvisionedToAccount = PermissionSetsProvisionedToAccount['PermissionSets'] while 'NextToken' in PermissionSetsProvisionedToAccount.keys(): PermissionSetsProvisionedToAccount=ssoadminclient.list_permission_sets_provisioned_to_account(InstanceArn=InstanceARN,AccountId=AccountID,NextToken=PermissionSetsProvisionedToAccount['NextToken']) ListOfPermissionSetsProvisionedToAccount.extend(PermissionSetsProvisionedToAccount['PermissionSets']) return(ListOfPermissionSetsProvisionedToAccount) except: return(ListOfPermissionSetsProvisionedToAccount) #To retrieve the assignment of each permissionset/user/group/account assignment def ListAccountAssignments(AccountID): PermissionSetsList=GetPermissionSetsProvisionedToAccount(AccountID) Assignments=[] for permissionSet in PermissionSetsList: AccountAssignments=ssoadminclient.list_account_assignments(InstanceArn=InstanceARN,AccountId=AccountID,PermissionSetArn=permissionSet) Assignments.extend(AccountAssignments['AccountAssignments']) while 'NextToken' in AccountAssignments.keys(): AccountAssignments=ssoadminclient.list_aaccount_assignments(InstanceArn=InstanceARN,AccountId=AccountID,PermissionSetArn=permissionSet,NextToken=AccountAssignments['NextToken']) Assignments.extend(AccountAssignments['AccountAssignments']) return(Assignments) #To list all the accounts in the organization def ListAccountsInOrganization(): AccountsList=orgsclient.list_accounts() ListOfAccounts=AccountsList['Accounts'] while 'NextToken' in AccountsList.keys(): AccountsList=orgsclient.list_accounts(NextToken=AccountsList['NextToken']) ListOfAccounts.extend(AccountsList['Accounts']) for eachAccount in ListOfAccounts: Accounts.append(str(eachAccount.get('Id'))) return(Accounts) #To translate set datatype to json class SetEncoder(json.JSONEncoder): def default(self, obj): if isinstance(obj, set): return list(obj) return json.JSONEncoder.default(self, obj) def GetListOfAssignmentsForPermissionSets(): ListOfAccountIDs=ListAccountsInOrganization() entries=[] PermissionSetListForAssignments={} for eachAccountID in ListOfAccountIDs: GetAccountAssignments=ListAccountAssignments(eachAccountID) for eachAssignment in GetAccountAssignments: if(permissionSets.get(eachAssignment.get('PermissionSetArn'))) not in PermissionSetListForAssignments.keys(): SetOfUsersandGroups={'Users':set(),'Groups':set()} PermissionSetListForAssignments[permissionSets.get(eachAssignment.get('PermissionSetArn'))]=SetOfUsersandGroups SetOfUsersandGroups=PermissionSetListForAssignments.get(permissionSets.get(eachAssignment.get('PermissionSetArn'))) if(eachAssignment.get('PrincipalType')=='GROUP'): setOfGroups=SetOfUsersandGroups.get('Groups') setOfGroups.add(groups.get(eachAssignment.get('PrincipalId'))) SetOfUsersandGroups.update({'Groups':setOfGroups}) PermissionSetListForAssignments.update({permissionSets.get(eachAssignment.get('PermissionSetArn')):SetOfUsersandGroups}) else: setOfUsers=SetOfUsersandGroups.get('Users') setOfUsers.add(users.get(eachAssignment.get('PrincipalId'))) SetOfUsersandGroups.update({'Users':setOfUsers}) PermissionSetListForAssignments.update({permissionSets.get(eachAssignment.get('PermissionSetArn')):SetOfUsersandGroups}) with open("AssignmentsForPermissionSets.json", "w") as outfile: json.dump(PermissionSetListForAssignments, outfile, cls=SetEncoder) print("Done!AssignmentsForPermissionSets.json generated successfully!") GetListOfAssignmentsForPermissionSets()**注意:**如果您收到"IndexError: list index out of range"错误,则说明脚本所在的 AWS 区域不是您配置 IAM Identity Center 的区域。
-
在终端 (macOS) 或 PowerShell (Windows) 窗口中运行 Python 脚本。
该脚本会创建一个名为 AssignmentsForPermissionSets.json 的 JSON 文件,其中包含您的权限集及其分配的主体。
输出示例:
{ "AdministratorAccess": { "Users": [ "Charlie", "Ted" ], "Groups": [ "Admins", "Developers" ] }, "PowerUserAccess": { "Users": [ "Chandler", "Joey" ], "Groups": [ "Developers", "Testers" ] }, "SystemAdministrator": { "Users": [ "Sherlock" ], "Groups": [ "DevOps" ] } }
**注意:**如果报告中没有权限集,则您没有为账户预置权限集。
生成包含账户权限集分配的报告
完成以下步骤:
-
使用 .py 扩展名保存以下 Python 脚本,例如 account_assignments_report.py:
import boto3, csv idstoreclient = boto3.client('identitystore') ssoadminclient = boto3.client('sso-admin') orgsclient= boto3.client('organizations') users={} groups={} permissionSets={} Accounts={} Instances= (ssoadminclient.list_instances()).get('Instances') InstanceARN=Instances[0].get('InstanceArn') IdentityStoreId=Instances[0].get('IdentityStoreId') #Dictionary mapping User IDs to usernames def mapUserIDs(): ListUsers=idstoreclient.list_users(IdentityStoreId=IdentityStoreId) ListOfUsers=ListUsers['Users'] while 'NextToken' in ListUsers.keys(): ListUsers=idstoreclient.list_users(IdentityStoreId=IdentityStoreId,NextToken=ListUsers['NextToken']) ListOfUsers.extend(ListUsers['Users']) for eachUser in ListOfUsers: users.update({eachUser.get('UserId'):eachUser.get('UserName')}) mapUserIDs() #Dictionary mapping Group IDs to display names def mapGroupIDs(): ListGroups=idstoreclient.list_groups(IdentityStoreId=IdentityStoreId) ListOfGroups=ListGroups['Groups'] while 'NextToken' in ListGroups.keys(): ListGroups=idstoreclient.list_groups(IdentityStoreId=IdentityStoreId,NextToken=ListGroups['NextToken']) ListOfGroups.extend(ListGroups['Groups']) for eachGroup in ListOfGroups: groups.update({eachGroup.get('GroupId'):eachGroup.get('DisplayName')}) mapGroupIDs() #Dictionary mapping permission set ARNs to permission set names def mapPermissionSetIDs(): ListPermissionSets=ssoadminclient.list_permission_sets(InstanceArn=InstanceARN) ListOfPermissionSets=ListPermissionSets['PermissionSets'] while 'NextToken' in ListPermissionSets.keys(): ListPermissionSets=ssoadminclient.list_permission_sets(InstanceArn=InstanceARN,NextToken=ListPermissionSets['NextToken']) ListOfPermissionSets.extend(ListPermissionSets['PermissionSets']) for eachPermissionSet in ListOfPermissionSets: permissionSetDescription=ssoadminclient.describe_permission_set(InstanceArn=InstanceARN,PermissionSetArn=eachPermissionSet) permissionSetDetails=permissionSetDescription.get('PermissionSet') permissionSets.update({permissionSetDetails.get('PermissionSetArn'):permissionSetDetails.get('Name')}) mapPermissionSetIDs() #Listing Permissionsets provisioned to an account def GetPermissionSetsProvisionedToAccount(AccountID): PermissionSetsProvisionedToAccount=ssoadminclient.list_permission_sets_provisioned_to_account(InstanceArn=InstanceARN,AccountId=AccountID) ListOfPermissionSetsProvisionedToAccount = PermissionSetsProvisionedToAccount['PermissionSets'] while 'NextToken' in PermissionSetsProvisionedToAccount.keys(): PermissionSetsProvisionedToAccount=ssoadminclient.list_permission_sets_provisioned_to_account(InstanceArn=InstanceARN,AccountId=AccountID,NextToken=PermissionSetsProvisionedToAccount['NextToken']) ListOfPermissionSetsProvisionedToAccount.extend(PermissionSetsProvisionedToAccount['PermissionSets']) return(ListOfPermissionSetsProvisionedToAccount) #To retrieve the assignment of each permissionset/user/group/account assignment def ListAccountAssignments(AccountID): PermissionSetsList=GetPermissionSetsProvisionedToAccount(AccountID) Assignments=[] for permissionSet in PermissionSetsList: AccountAssignments=ssoadminclient.list_account_assignments(InstanceArn=InstanceARN,AccountId=AccountID,PermissionSetArn=permissionSet) Assignments.extend(AccountAssignments['AccountAssignments']) while 'NextToken' in AccountAssignments.keys(): AccountAssignments=ssoadminclient.list_aaccount_assignments(InstanceArn=InstanceARN,AccountId=AccountID,PermissionSetArn=permissionSet,NextToken=AccountAssignments['NextToken']) Assignments.extend(AccountAssignments['AccountAssignments']) return(Assignments) #To list all the accounts in the organization def ListAccountsInOrganization(): AccountsList=orgsclient.list_accounts() ListOfAccounts=AccountsList['Accounts'] while 'NextToken' in AccountsList.keys(): AccountsList=orgsclient.list_accounts(NextToken=AccountsList['NextToken']) ListOfAccounts.extend(AccountsList['Accounts']) for eachAccount in ListOfAccounts: Accounts.update({eachAccount.get('Id'):eachAccount.get('Name')}) return(Accounts) def WriteToExcel(): Accounts=ListAccountsInOrganization() ListOfAccountIDs=list(Accounts.keys()) entries=[] for eachAccountID in ListOfAccountIDs: try: GetAccountAssignments=ListAccountAssignments(eachAccountID) for eachAssignment in GetAccountAssignments: entry=[] entry.append(eachAssignment.get('AccountId')) entry.append(Accounts.get(eachAssignment.get('AccountId'))) entry.append(permissionSets.get(eachAssignment.get('PermissionSetArn'))) entry.append(eachAssignment.get('PrincipalType')) if(eachAssignment.get('PrincipalType')=='GROUP'): entry.append(groups.get(eachAssignment.get('PrincipalId'))) else: entry.append(users.get(eachAssignment.get('PrincipalId'))) entries.append(entry) except: continue filename = "IdentityStoreReport.csv" headers=['Account ID', 'Account Name', 'Permission Set','Principal Type', 'Principal'] with open(filename, 'w') as report: csvwriter = csv.writer(report) csvwriter.writerow(headers) csvwriter.writerows(entries) print("Done! 'IdentityStoreReport.csv' report is generated successfully!") WriteToExcel() -
在终端 (macOS) 或 PowerShell (Windows) 窗口中运行 Python 脚本。
该脚本会创建一个名为 IdentityStoreReport.csv 的 .csv 文件,其中包含您的账户分配。您的系统将 .csv 文件与权限集报告保存在同一个目录中。
.csv 文件输出示例:
| 账户 ID | 账户名称 | 权限集 | 主体类型 | 主体 |
| 123456789012 | 开发 | PowerUserAccess | GROUP | 开发人员 |
| 123456789012 | 开发 | PowerUserAccess | USER | Ross |
| 123456789012 | 开发 | AdministratorAccess | USER | Phoebe |
| 123456789012 | 开发 | SystemAdministrator | USER | Jake |
| 345678901234 | 生产 | AdministratorAccess | GROUP | 管理员 |
| 345678901234 | 生产 | AdministratorAccess | GROUP | 测试 |
| 901234567890 | 暂存 | PowerUserAccess | GROUP | 测试 |
| 901234567890 | 暂存 | AdministratorAccess | GROUP | 客户端 |
| 901234567890 | 暂存 | PowerUserAccess | USER | Gina |
| 901234567890 | 暂存 | PowerUserAccess | GROUP | 管理员 |
**注意:**如果某个账户不在报告中,则您没有为该账户预置权限集。
- 语言
- 中文 (简体)
AWS 官方已更新 3 个月前
没有评论
相关内容
- AWS 官方已更新 2 个月前
