Single Sign-On for AI Development Teams using AWS SSO

Question

Pulumi · Accepted Answer

Single Sign-On (SSO) is a user authentication service that allows a user to use one set of login credentials to access multiple applications. AWS SSO simplifies the management of SSO access and user permissions to all of your AWS accounts and cloud applications. It's particularly useful for teams like AI development teams that might need access to various AWS resources with different permission levels.

To set up Single Sign-On for your AI Development Teams using AWS with Pulumi, we will be using two main resources from the AWS Pulumi provider:

1. `aws.ssoadmin.AccountAssignment`: This resource assigns access to AWS accounts through AWS SSO.
2. `aws.ssoadmin.PermissionSet`: This resource manages an SSO permission set within AWS SSO.

By combining these resources, we can create a permission set defining the permissions that the users or groups will have, and assign that permission set to the specific AWS accounts and users or groups in your organization.

Below is the Pulumi program written in Python which would help you set up the initial SSO configuration. This program assumes that you have already created an AWS SSO instance and have an AWS Organization set up along with necessary permission sets.

```python
import pulumi
import pulumi_aws as aws

# Replace these variables with your actual directory ID, user/group ID, permission set ARN and AWS account ID.
instance_arn = "arn:aws:sso:::instance/ssoins-EXAMPLE"
directory_id = "d-EXAMPLE12345"
user_id = "user-EXAMPLE12345"
group_id = "group-EXAMPLE12345"
permission_set_arn = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE12345"
account_id = "123456789012"

# Define an AWS SSO Account Assignment for a user.
user_account_assignment = aws.ssoadmin.AccountAssignment("userAccountAssignment",
    instance_arn=instance_arn,
    target_id=account_id,
    target_type="AWS_ACCOUNT",
    principal_id=user_id,
    principal_type="USER",
    permission_set_arn=permission_set_arn)

# Define an AWS SSO Account Assignment for a group.
group_account_assignment = aws.ssoadmin.AccountAssignment("groupAccountAssignment",
    instance_arn=instance_arn,
    target_id=account_id,
    target_type="AWS_ACCOUNT",
    principal_id=group_id,
    principal_type="GROUP",
    permission_set_arn=permission_set_arn)

# (Optional) If you need to create a permission set, you can uncomment and use the following lines:
# permission_set = aws.ssoadmin.PermissionSet("permissionSet",
#     instance_arn=instance_arn,
#     name="AI_DevTeam_PermissionSet",        # Set a name for the permission set
#     # Define permissions here.
#     # Describe permission policies inline or attach managed policies
# )

pulumi.export("userAccountAssignmentId", user_account_assignment.id)
pulumi.export("groupAccountAssignmentId", group_account_assignment.id)
# pulumi.export("aiDevTeamPermissionSetArn", permission_set.id)
```

Here's what we are doing in this program:

- We're declaring two account assignments using the `aws.ssoadmin.AccountAssignment` resource. One is for a user and the other for a group. You will need to replace `instance_arn`, `target_id`, `principal_id`, and `permission_set_arn` with the actual values that correspond to your AWS SSO instance, account, user or group, and permission set ARN.
- The `instance_arn` is your SSO instance ARN which can be found in the AWS SSO console.
- The `target_id` is the account ID where you're assigning the access. This can be the AWS account ID.
- The `principal_id` is the ID of the user or group in your directory service that will receive the assignment.
- The `permission_set_arn` is the ARN of permission set that defines what the assigned user or group can access.
- Optionally, the commented-out `aws.ssoadmin.PermissionSet` resource is to demonstrate how you might create a permission set if one does not already exist.
- In the last lines, we are exporting unique identifiers for these account assignments, which can be useful when you need to programmatically reference these resources later on.

Make sure you have your AWS credentials and Pulumi environment properly set up before deploying this program. When you've prepared your configuration and modified the code with your own details, use `pulumi up` to create the resources in your AWS environment.