Last active
August 16, 2023 16:10
-
-
Save chancez/ddf9ba826d7a48d121eec0fbf409b62d to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| if [ $# -lt 1 ]; then | |
| echo "Usage: $0 sso-instance-arn" | |
| exit 1 | |
| fi | |
| # set -e | |
| # set -o pipefail | |
| SSO_INSTANCE_ARN="$1" | |
| export SSO_INSTANCE_ARN | |
| IDENTITY_STORE_ID="$(\ | |
| aws sso-admin list-instances --output json \ | |
| | jq -rc '.Instances | map(select(.InstanceArn==env["SSO_INSTANCE_ARN"])) | .[0].IdentityStoreId' \ | |
| )" | |
| export IDENTITY_STORE_ID | |
| IFS=$'\n' read -r -d '' -a PERMISSION_SETS < <( aws sso-admin list-permission-sets --instance-arn "$SSO_INSTANCE_ARN" --output json | jq -rc '.PermissionSets[]' && printf '\0' ) | |
| RESULTS=() | |
| for PERMISSION_SET_ARN in "${PERMISSION_SETS[@]}"; do | |
| export PERMISSION_SET_ARN | |
| ACCOUNTS_JSON="$(\ | |
| aws sso-admin list-accounts-for-provisioned-permission-set \ | |
| --instance-arn "$SSO_INSTANCE_ARN" \ | |
| --permission-set-arn "$PERMISSION_SET_ARN" \ | |
| --output json \ | |
| )" | |
| IFS=$'\n' read -r -d '' -a ACCOUNT_IDS < <( echo "$ACCOUNTS_JSON" | jq -rc '.AccountIds[]' ) | |
| PERMISSION_SET_NAME="$(aws sso-admin describe-permission-set \ | |
| --instance-arn "$SSO_INSTANCE_ARN" \ | |
| --permission-set-arn "$PERMISSION_SET_ARN" \ | |
| --output json \ | |
| | jq -rc '.PermissionSet.Name' | |
| )" | |
| export PERMISSION_SET_NAME | |
| for ACCOUNT_ID in "${ACCOUNT_IDS[@]}"; do | |
| ACCOUNT_NAME="$(aws organizations describe-account --account-id "$ACCOUNT_ID" --output json | jq -rc '.Account.Name')" | |
| export ACCOUNT_ID | |
| export ACCOUNT_NAME | |
| ASSIGNMENTS_JSON="$( | |
| aws sso-admin list-account-assignments \ | |
| --instance-arn "$SSO_INSTANCE_ARN" \ | |
| --permission-set-arn "$PERMISSION_SET_ARN" \ | |
| --account-id "$ACCOUNT_ID" \ | |
| --output json \ | |
| )" | |
| IFS=$'\n' read -r -d '' -a ASSIGNMENT_OBJS < <( echo "$ASSIGNMENTS_JSON" | jq -rc '.AccountAssignments[]' ) | |
| for ASSIGNMENT_OBJ in "${ASSIGNMENT_OBJS[@]}"; do | |
| PRINCIPAL_ID="$(echo "$ASSIGNMENT_OBJ" | jq -rc '.PrincipalId')" | |
| PRINCIPAL_TYPE="$(echo "$ASSIGNMENT_OBJ" | jq -rc '.PrincipalType')" | |
| GROUP_OBJ='{}' | |
| USER_OBJ='{}' | |
| export PRINCIPAL_ID PRINCIPAL_TYPE GROUP_OBJ USER_OBJ | |
| if [ "$PRINCIPAL_TYPE" == "GROUP" ]; then | |
| GROUP_OBJ="$(\ | |
| aws identitystore describe-group \ | |
| --identity-store-id "$IDENTITY_STORE_ID" \ | |
| --group-id "$PRINCIPAL_ID" \ | |
| --output json \ | |
| | jq -rc '{GroupName: .DisplayName}' \ | |
| )" | |
| elif [ "$PRINCIPAL_TYPE" == "USER" ]; then | |
| USER_OBJ="$(\ | |
| aws identitystore describe-user \ | |
| --identity-store-id "$IDENTITY_STORE_ID" \ | |
| --user-id "$PRINCIPAL_ID" \ | |
| --output json \ | |
| | jq -rc '{UserName: .UserName}' \ | |
| )" | |
| fi | |
| RESULT="$(jq -nrc \ | |
| --argjson user "$USER_OBJ" \ | |
| --argjson group "$GROUP_OBJ" \ | |
| '{ | |
| PrincipalID: env["PRINCIPAL_ID"], | |
| PrincipalType: env["PRINCIPAL_TYPE"], | |
| AccountName: env["ACCOUNT_NAME"], | |
| AccountID: env["ACCOUNT_ID"], | |
| TargetType: "AWS_ACCOUNT", | |
| PermissionSetArn: env["PERMISSION_SET_ARN"], | |
| PermissionSetName: env["PERMISSION_SET_NAME"], | |
| SSOInstanceArn: env["SSO_INSTANCE_ARN"], | |
| } * $user * $group')" | |
| RESULTS+=( "$RESULT" ) | |
| echo "$RESULT" | |
| done | |
| done | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment