Created
June 25, 2025 01:09
-
-
Save filipeandre/df90f05ee9eb93adc9671eee20bd7335 to your computer and use it in GitHub Desktop.
Python script to automate the external AWS account setup for IAM Identity Center SAML federation, granting AdministratorAcces
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import boto3 | |
| import json | |
| # --- CONFIGURATION --- | |
| SAML_PROVIDER_NAME = "IAMIdentityCenterProvider" # must already exist | |
| ROLE_NAME = "SAMLAdminAccessRole" | |
| POLICY_NAME = "SAMLAdministratorAccessPolicy" | |
| POLICY_DESCRIPTION = "Full admin access for SAML federated users" | |
| USE_MANAGED_ADMIN_POLICY = True # set False to use a custom inline policy | |
| # --- AWS CLIENT SETUP --- | |
| iam = boto3.client("iam") | |
| sts = boto3.client("sts") | |
| account_id = sts.get_caller_identity()["Account"] | |
| def get_saml_provider_arn(): | |
| return f"arn:aws:iam::{account_id}:saml-provider/{SAML_PROVIDER_NAME}" | |
| def create_policy(): | |
| if USE_MANAGED_ADMIN_POLICY: | |
| print("Using AWS managed policy: AdministratorAccess") | |
| return "arn:aws:iam::aws:policy/AdministratorAccess" | |
| # Define a custom policy if needed | |
| policy_doc = { | |
| "Version": "2012-10-17", | |
| "Statement": [{ | |
| "Effect": "Allow", | |
| "Action": "*", | |
| "Resource": "*" | |
| }] | |
| } | |
| try: | |
| response = iam.create_policy( | |
| PolicyName=POLICY_NAME, | |
| PolicyDocument=json.dumps(policy_doc), | |
| Description=POLICY_DESCRIPTION | |
| ) | |
| print(f"Custom policy created: {response['Policy']['Arn']}") | |
| return response['Policy']['Arn'] | |
| except iam.exceptions.EntityAlreadyExistsException: | |
| print("Policy already exists, retrieving ARN...") | |
| response = iam.get_policy(PolicyArn=f"arn:aws:iam::{account_id}:policy/{POLICY_NAME}") | |
| return response['Policy']['Arn'] | |
| def create_role(saml_provider_arn, policy_arn): | |
| assume_role_policy = { | |
| "Version": "2012-10-17", | |
| "Statement": [{ | |
| "Effect": "Allow", | |
| "Principal": {"Federated": saml_provider_arn}, | |
| "Action": "sts:AssumeRoleWithSAML", | |
| "Condition": { | |
| "StringEquals": { | |
| "SAML:aud": "https://signin.aws.amazon.com/saml" | |
| } | |
| } | |
| }] | |
| } | |
| try: | |
| response = iam.create_role( | |
| RoleName=ROLE_NAME, | |
| AssumeRolePolicyDocument=json.dumps(assume_role_policy), | |
| Description="SAML federated access role" | |
| ) | |
| print(f"Role created: {response['Role']['Arn']}") | |
| except iam.exceptions.EntityAlreadyExistsException: | |
| print(f"Role '{ROLE_NAME}' already exists.") | |
| try: | |
| iam.attach_role_policy( | |
| RoleName=ROLE_NAME, | |
| PolicyArn=policy_arn | |
| ) | |
| print("Policy attached to role.") | |
| except Exception as e: | |
| print(f"Failed to attach policy: {e}") | |
| def output_attribute_mappings(account_id): | |
| print("\n🔐 Use the following for IAM Identity Center → Application → Attribute Mappings:") | |
| print("----------------------------------------------------------") | |
| print("Field: https://aws.amazon.com/SAML/Attributes/Role") | |
| print(f"Value: arn:aws:iam::{account_id}:saml-provider/{SAML_PROVIDER_NAME},arn:aws:iam::{account_id}:role/{ROLE_NAME}") | |
| print("Format: unspecified\n") | |
| print("Field: https://aws.amazon.com/SAML/Attributes/RoleSessionName") | |
| print("Value: ${user:email}") | |
| print("Format: unspecified") | |
| print("----------------------------------------------------------") | |
| # --- MAIN EXECUTION --- | |
| if __name__ == "__main__": | |
| saml_provider_arn = get_saml_provider_arn() | |
| policy_arn = create_policy() | |
| create_role(saml_provider_arn, policy_arn) | |
| output_attribute_mappings(account_id) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment