A small script to migrate or synchronize users & groups from Okta to AWS SSO
Note that this is a feature already included in some advanced/premium Okta subscription plans but not in the basic ones. If for some reason you have a basic plan but you want to sync users between Okta and AWS SSO you can use this tool.
| Changelog | Version |
|---|---|
| Remove hardcoded values from variables and accept arguments such as group_name | 0.5 |
| Fixed search filtering in Okta + enabled dry-run mode | 0.6 |
| Enable iterating over a list obtained via SSM Parameter Store | 0.7 |
| Fix error iterating on check_aws_groups | 0.8 |
| Improved logs + timestamps | 0.9 |
This script is intended to synchronize all or a selected subset of users from Okta to AWS SSO, based on a query filtering by group name on both APIs:
- Connect to AWS SSM to get the access credentials for both APIs.
- Ask the Okta API for groups matching the "okta_groups" variable (Okta may return more than one match, since its search is regexp based).
- Get the group IDs for the matching groups (if no group matches, exit).
- For each group found, ask for all the users inside that group.
- Compare all the users (by email) from Okta against AWS SSO and check whether each user exists in AWS SSO.
- If the user exists, do nothing; if it doesn't, create it.
- In a second phase, ask AWS for groups matching the "aws_groups" variable (exact match).
- Look up every user in those groups.
- If the user does not exist in the group, add it.
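To make the two phases above concrete, here is an offline model of the comparison the script performs (an added example, not the script's own code). It takes the members of an Okta group and the AWS SSO SCIM user list and computes what a dry run would report: which users are missing in AWS SSO and which must still be added to the target group. The field names (`profile.email` for Okta group members, `id`/`userName` for SCIM users) are the shapes those APIs return; all records below are constructed sample data, not real accounts. As in the README's description, nothing is ever removed: a user that exists only in AWS SSO is left untouched, so deprovisioning has to be handled separately.

```python
from dataclasses import dataclass, field

# Constructed sample data shaped like the two APIs' responses (not real accounts):
# Okta group members carry "profile.email"; AWS SSO SCIM users carry "id" and "userName".
SAMPLE_OKTA_USERS = [
    {"id": "00uEXAMPLE1", "profile": {"email": "Alice@example.com"}},
    {"id": "00uEXAMPLE2", "profile": {"email": "bob@example.com"}},
    {"id": "00uEXAMPLE3", "profile": {"email": "carol@example.com"}},
]
SAMPLE_AWS_USERS = [
    {"id": "aws-user-1", "userName": "alice@example.com"},
    {"id": "aws-user-2", "userName": "bob@example.com"},
    {"id": "aws-user-9", "userName": "dave@example.com"},  # only in AWS SSO: left untouched
]
# SCIM user ids that are already members of the target AWS SSO group.
SAMPLE_GROUP_MEMBER_IDS = {"aws-user-1"}


@dataclass
class SyncPlan:
    """What a run would change, computed without calling either API."""
    users_to_create: list = field(default_factory=list)   # e-mails missing in AWS SSO
    existing_users: dict = field(default_factory=dict)    # e-mail -> AWS SSO user id
    members_to_add: list = field(default_factory=list)    # e-mails to add to the AWS group


def plan_sync(okta_users, aws_users, aws_group_member_ids):
    """Phase 1: find Okta users missing from AWS SSO.
    Phase 2: find users missing from the target AWS SSO group.

    E-mails are compared case-insensitively because SCIM userName and the
    Okta e-mail are case-insensitive identifiers. Nothing is ever removed:
    like the script, this is a one-way, additive sync.
    """
    plan = SyncPlan()
    aws_by_email = {u["userName"].lower(): u["id"] for u in aws_users}
    for okta_user in okta_users:
        email = okta_user["profile"]["email"].lower()
        aws_id = aws_by_email.get(email)
        if aws_id is None:
            # Phase 1: the user must be created; it then also needs group membership.
            plan.users_to_create.append(email)
            plan.members_to_add.append(email)
        else:
            plan.existing_users[email] = aws_id
            # Phase 2: the user exists but is not yet in the group.
            if aws_id not in aws_group_member_ids:
                plan.members_to_add.append(email)
    return plan


def dry_run_report(plan):
    """Render the plan as log lines in the style of the script's output."""
    lines = []
    for email, aws_id in plan.existing_users.items():
        lines.append(f">> User [ {email} ] {aws_id} already exists...")
    for email in plan.users_to_create:
        lines.append(f">> User [ {email} ] would be created in AWS SSO")
    for email in plan.members_to_add:
        lines.append(f">> User [ {email} ] would be added to the AWS SSO group")
    return lines


if __name__ == "__main__":
    plan = plan_sync(SAMPLE_OKTA_USERS, SAMPLE_AWS_USERS, SAMPLE_GROUP_MEMBER_IDS)
    print("\n".join(dry_run_report(plan)))
```

Running it prints that alice and bob already exist, that carol would be created, and that bob and carol would be added to the group; dave, who exists only in AWS SSO, is not mentioned because the sync never deletes.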
To set it up:
- Get your AWS SSO setup ready and collect the necessary values (SCIM URLs for users and groups). More info: https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html
- Create an API token to query the AWS SCIM API.
- Create an Okta API token.
- Save those values into SSM Parameter Store as okta_api_token and amz_sso_api_token.
- Put your SCIM URLs into the script.
- Save and quit.
Then run it with: python ./sync-users.py
- The Okta API, when searching for groups (https://developer.okta.com/docs/reference/api/groups/), currently performs a startsWith match, as mentioned in the documentation, but this should be considered an implementation detail that may change without notice in the future.
To avoid more than one result I strongly suggest using prefixes as a naming convention for the group names (e.g. xx_groupname), but for now the script is being modified to do some checks and verify there's only one result. (It's a preventive measure; of course it can be iterated in a loop if necessary.)
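The "exactly one result" check mentioned above, and the exact-match lookup against AWS in the second phase, are the two places where a loose match would provision the wrong group. The following added example (mine, not code from the script) shows both guards: filtering Okta's prefix-based search results down to the one group whose name is exactly the requested one, failing closed otherwise, and quoting a value into a SCIM 2.0 equality filter so that an e-mail or group name containing quotes or backslashes cannot break out of the filter literal. The group list is constructed sample data shaped like Okta's group search response.

```python
# Constructed sample data shaped like Okta's GET /api/v1/groups?q=xx_devops response:
# a prefix search returns every group whose name starts with the query string.
SAMPLE_OKTA_GROUPS = [
    {"id": "00gEXAMPLE1", "profile": {"name": "xx_devops"}},
    {"id": "00gEXAMPLE2", "profile": {"name": "xx_devops_readonly"}},
]


class GroupMatchError(Exception):
    """Raised when a group search does not resolve to exactly one group."""


def pick_exact_group(search_results, wanted_name):
    """Return the single Okta group whose profile.name equals wanted_name.

    Because Okta's q parameter is a prefix match, the result count cannot be
    trusted: filter to the exact name and fail closed on zero or several hits,
    so members of a similarly named group are never provisioned by mistake.
    """
    exact = [g for g in search_results if g["profile"]["name"] == wanted_name]
    if len(exact) != 1:
        names = [g["profile"]["name"] for g in search_results]
        raise GroupMatchError(
            f"expected exactly one group named {wanted_name!r}, "
            f"found {len(exact)} exact match(es) among {names}"
        )
    return exact[0]


def scim_eq_filter(attribute, value):
    """Build a SCIM 2.0 equality filter, e.g. userName eq "alice@example.com".

    RFC 7644 filter literals follow JSON string quoting, so backslashes and
    double quotes in the value are escaped; a value taken from Okta can then
    never terminate the quoted literal and turn a lookup into a broader query.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{attribute} eq "{escaped}"'


if __name__ == "__main__":
    group = pick_exact_group(SAMPLE_OKTA_GROUPS, "xx_devops")
    print(f"{group['id']} - [ {group['profile']['name']} ]")
    print(scim_eq_filter("displayName", group["profile"]["name"]))
```

With the sample data, asking for `xx_devops` yields exactly the first group even though Okta's prefix search also returned `xx_devops_readonly`; asking for `xx_dev` raises, because a prefix-only hit is not accepted.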
me@crashtestdummy[~]> sync.py
>> Syncing users from Okta to AWS SSO
==========================================
>> Retrieving Group ID's from Okta.........
['xx_devops']
00g1by6snswq40ERK417 - [ xx_devops ]
>> Getting users from retrieved group ID's .........
>> Got 2 users from Okta
>> Checking AWS SSO users list.....
>> User [ [email protected] ] 93671e0715-1525f435-9359-4c9b-a2fe-13209d15cff8 already exists...
>> User [ [email protected] ] 93671e0715-08b298da-4bce-4f2e-a7b2-18433607d07f already exists...
>> Searching Groups matching: [ xx_devops ]
>> Results found: 1
>> Group ID: 93671e0715-b65a0f2f-ds7d-402d-a05c-91441697f9dc
>> User [ [email protected] ] already exists in group93671e0715-b65a0f2f-ce8b-a05c-a05c-91441687f9dc
>> User [ [email protected] ] already exists in group93671e0715-b65a0f2f-ce8b-a05c-a05c-914416973fdc
>> User [ [email protected] ] creating user into AWS SSO .......OK
>> User [ [email protected] ] creating user into AWS SSO .......OK
>> User [ [email protected] ] creating user into AWS SSO .......OK
It can also be triggered from a cronjob:
14 * * * * /usr/local/bin/sync.py
- Create helm chart
- Create deploy method for Serverless
- Create AMI
No known issues right now
Tested on Linux & macOS with Python 3.9
WARNING: Since this software is not tested enough, I would strongly suggest running it carefully by syncing the groups from Okta to AWS SSO one by one to test first!! This way you can only screw up one group at a time :)
Since the access credentials are stored in Parameter Store (AWS SSM) in the same account where AWS SSO is, be sure to launch this script while authenticated via the CLI against the root account, or whichever account holds your AWS SSO and AWS SSM configuration. Otherwise the script won't be able to find the access credentials for both APIs.