Setup AWS Organizations With Google Suite SAML SSO

person using AWS SSO

A simplified AWS account management, with centralized billing and resource share, authenticated with G Suite identity provider

As a tech lead for Theodo, an international software development agency, I rely heavily on AWS for web project hosting. Most of my colleagues do as well, especially as more and more projects go down a serverless architecture trend. Initially, Theodo was built around Google as it’s main identity provider. All our digital tools use Google authentication (Trello, Workplace and so on). On the technical tools side, we mostly rely on our Github accounts. As far as AWS is concerned, Theodo was providing for all its developers IAM user credentials for web console access and programmatic access to a single AWS master account. This account centralized experiments, developer environments for a few applications and some production environments of our internal tools.

However, such setup has a few drawbacks :

  • Password management nightmare: when dealing with multiple credentials manually

In order to tackle those issues, I moved our teams from manual organisation setup remembering account IDs, managing many different passwords to a single page authenticated with Google, listing all the accounts they have access to. The following AWS services came in handy to operate such transition:

  • AWS Organizations to provide resource isolation by project/developer and to ease up billing understanding

This setup will provide all your employees with a unique user portal listing all AWS accounts they have access to, authenticating with their already existing Google credentials.

AWS SSO and Organization with G Suite SAML Provider

The following instructions aim to describe the required steps to setup an AWS SSO on AWS Organization accounts. It differs from a lot of available tutorials on the web when searching for aws sso google which focus on setting up SSO for a single AWS Account using AWS IAM roles with trusted SAML provider.

The main advantage of setting up SSO for an organization is to ensure resources segregation and therefore avoid contamination of a service by a developer doing some experimentation of their own. It also removes the need for company developers to create their own account on the side with their own personal billing information, or company billing information, that your financial team needs later on to consolidate.

Implementation

AWS Organizations

AWS Organizations requires one account to be used as the master account of your company. This account billing information will be use to charge all other accounts expenses within the organization.

In order to setup AWS Organizations, you need the following accesses:

  • Root access of your company’s master AWS account.

Check : When I go to https://console.aws.amazon.com/console/home, I can authenticate to my company’s master account with the Root user option.

Instructions to setup AWS Organizations

  • Go to AWS Organizations console

AWS SSO

AWS SSO setup requires AWS Organizations to be active on your AWS master account. Make sure to follow the steps above first before continuing.

In order to setup AWS SSO, you need the following accesses :

  • Root access of your company’s master AWS account (like for AWS Organizations setup)

Check : When I go to https://admin.google.com, I can see an Apps section

I. AWS SSO endpoint configuration

  • Go to AWS SSO console and enable AWS SSO

By default, AWS SSO uses an internal store for quick and easy user management. The following steps II to V will focus on implementing a SAML SSO authentication flow for your AWS Organizations.

II. G Suite SAML App initialization and metadata recovery

  • For this step, head over to https://admin.google.com, select Apps and choose SAML apps
  • Click next button.

Keep this browser tab open, we will need to complete the application setup process in step IV.

III. AWS SSO external IdP configuration with G Suite metadata and AWS metadata recovery

  • Open a new browser tab on AWS SSO console.
  • Upload the metadata.xml file you downloaded earlier from Google admin page in the IdP SAML metadata field.

IV. G Suite SAML App configuration with AWS metadata

  • Return to Google Admin tab of your browser

V. AWS SSO users provisioning

AWS SSO uses SCIM (System for Cross-domain Identity Management) to do automatic provisioning of users based on IdP information. Unfortunately, no SCIM option is exposed for G Suite IdP. This automatic provisioning method is mainly used for Azure Active Directory federated AWS SSO configuration.

Therefore, when setting up AWS SSO with G Suite accounts, you need to manually add user in AWS SSO interface. The management of user permission is also made from AWS SSO interface.

  • On your existing AWS SSO console browser tab, go to the Settings page, under Identity source, and check that Provisioning line shows Manual.
  • Go to the Users page, and click Add user
  • You can fill in remaining required field as per your likings.

VI. AWS SSO accounts and users management

  • Go to AWS accounts page, on Permission sets tab, click Create permission set
  • For the purpose of this setup, we will create a predefined Permission set with Administrator privileges. Choose Use an existing job function policy and select AdministratorAccess. The permission set system in place for AWS SSO is very similar to AWS IAM Policy management. The permission set created in AWS SSO are not available as IAM policies and vice-versa.
  • Click Create.

You can now go to the URL you configured in the first step (https://{company}.awsapps.com/start) , authenticate via google with G Suite account and be redirected to AWS SSO user portal. In this portal, listed under AWS Account, you can see each AWS Account of your AWS Organization for which your user has at least one permission set. And for each AWS Account listed, you can see a list of available permission set you can use both within the web management console and the command line.

I recommend using groups rather than individual users for AWS account used for various project. Individual user permission set attribution to AWS account shall only be used for AWS personal account with the organization (we use such account in Theodo for experimentation and training purposes).

Adding an account and user from start to finish

  • Go to AWS Organizations console, select Add account and click Create account

And just like that, you have a new fully functional AWS Account just for your employee in less than a minute, without credentials exchange. They simply needs to go to your previously setup user portal URL and see their newly created accounts.

Going further

Resources used to compile this article

Serverless Transformation

Serverless Tools, Techniques, and Case Studies