ConductorOne/baton-aws

baton-aws

baton-aws is a connector for AWS built using the Baton SDK. It communicates with the AWS API to sync data about which groups and users have access to accounts, groups, and roles within an AWS org.

Check out Baton to learn more about the project in general.

Getting Started

brew

brew install conductorone/baton/baton conductorone/baton/baton-aws
baton-aws
baton resources

docker

docker run --rm -v $(pwd):/out -e BATON_GLOBAL_SECRET_ACCESS_KEY=awsSecretAccessKey -e BATON_GLOBAL_ACCESS_KEY_ID=awsAccessKey ghcr.io/conductorone/baton-aws:latest -f "/out/sync.c1z"
docker run --rm -v $(pwd):/out ghcr.io/conductorone/baton:latest -f "/out/sync.c1z" resources

source

go install github.com/conductorone/baton/cmd/baton@main
go install github.com/conductorone/baton-aws/cmd/baton-aws@main

BATON_GLOBAL_SECRET_ACCESS_KEY=awsSecretAccessKey BATON_GLOBAL_ACCESS_KEY_ID=awsAccessKey baton-aws
baton resources

Data Model

baton-aws will pull down information about the following AWS resources:

  • Accounts
  • Groups
  • Users
  • Roles

Set the --global-aws-sso-enabled and --global-aws-orgs-enabled flags to pull information about the following AWS IAM Identity Center resources:

  • SSO Groups
  • SSO Users

By default, baton-aws uses the AWS credentials from your AWS config. You can explicitly define the region, access key, and secret key by setting the following flags: --global-secret-access-key, --global-access-key-id, --global-region.

Contributing, Support and Issues

We started Baton because we were tired of taking screenshots and manually building spreadsheets. We welcome contributions and ideas, no matter how small -- our goal is to make identity and permissions sprawl less painful for everyone. If you have questions, problems, or ideas: Please open a GitHub Issue!

See CONTRIBUTING.md for more details.

baton-aws Command Line Usage

baton-aws

Usage:
  baton-aws [flags]
  baton-aws [command]

Available Commands:
  capabilities       Get connector capabilities
  completion         Generate the autocompletion script for the specified shell
  config             Get the connector config schema
  help               Help about any command

Flags:
      --client-id string                                 The client ID used to authenticate with ConductorOne ($BATON_CLIENT_ID)
      --client-secret string                             The client secret used to authenticate with ConductorOne ($BATON_CLIENT_SECRET)
      --external-id string                               The external id for the aws account ($BATON_EXTERNAL_ID)
      --external-resource-c1z string                     The path to the c1z file to sync external baton resources with ($BATON_EXTERNAL_RESOURCE_C1Z)
      --external-resource-entitlement-id-filter string   The entitlement that external users, groups must have access to sync external baton resources ($BATON_EXTERNAL_RESOURCE_ENTITLEMENT_ID_FILTER)
  -f, --file string                                      The path to the c1z file to sync with ($BATON_FILE) (default "sync.c1z")
      --global-access-key-id string                      The global-access-key-id for the aws account ($BATON_GLOBAL_ACCESS_KEY_ID)
      --global-aws-orgs-enabled                          Enable support for AWS Organizations ($BATON_GLOBAL_AWS_ORGS_ENABLED)
      --global-aws-sso-enabled                           Enable support for AWS IAM Identity Center ($BATON_GLOBAL_AWS_SSO_ENABLED)
      --global-aws-sso-region string                     The region for the sso identities ($BATON_GLOBAL_AWS_SSO_REGION) (default "us-east-1")
      --global-binding-external-id string                The global external id for the aws account ($BATON_GLOBAL_BINDING_EXTERNAL_ID)
      --global-region string                             The region for the aws account ($BATON_GLOBAL_REGION)
      --global-role-arn string                           The role arn for the aws account ($BATON_GLOBAL_ROLE_ARN)
      --global-secret-access-key string                  The global-secret-access-key for the aws account ($BATON_GLOBAL_SECRET_ACCESS_KEY)
  -h, --help                                             help for baton-aws
      --iam-assume-role-name string                      Role name for the IAM role to assume when using the AWS connector ($BATON_IAM_ASSUME_ROLE_NAME) (default "OrganizationAccountAccessRole")
      --log-format string                                The output format for logs: json, console ($BATON_LOG_FORMAT) (default "json")
      --log-level string                                 The log level: debug, info, warn, error ($BATON_LOG_LEVEL) (default "info")
      --otel-collector-endpoint string                   The endpoint of the OpenTelemetry collector to send observability data to (used for both tracing and logging if specific endpoints are not provided) ($BATON_OTEL_COLLECTOR_ENDPOINT)
  -p, --provisioning                                     This must be set in order for provisioning actions to be enabled ($BATON_PROVISIONING)
      --role-arn string                                  The role arn for the aws account ($BATON_ROLE_ARN)
      --scim-enabled                                     Enable support for pulling SSO User status from the AWS SCIM API ($BATON_SCIM_ENABLED)
      --scim-endpoint string                             The SCIMv2 endpoint for aws identity center ($BATON_SCIM_ENDPOINT)
      --scim-token string                                The SCIMv2 token for aws identity center ($BATON_SCIM_TOKEN)
      --skip-full-sync                                   This must be set to skip a full sync ($BATON_SKIP_FULL_SYNC)
      --sync-resources strings                           The resource IDs to sync ($BATON_SYNC_RESOURCES)
      --sync-secrets                                     Whether to sync secrets or not ($BATON_SYNC_SECRETS)
      --ticketing                                        This must be set to enable ticketing support ($BATON_TICKETING)
      --use-assume                                       Enable support for assume role ($BATON_USE_ASSUME)
  -v, --version                                          version for baton-aws

Use "baton-aws [command] --help" for more information about a command.

Configuring Permissions for AWS IAM Roles

If you'd like to run baton-aws, you may use these policies for your IAM roles. The first is for syncing all objects, the second for syncing and provisioning all objects.

These policies contain comments prefixed with //, which are not valid JSON and must be removed before use.

Syncing all supported objects

{
  "Statement": [
    {
      "Action": [
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:GetGroup",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed"
      ],
      "Effect": "Allow",
      "Resource": "*",
      // The minimum permissions required for the connector to sync. This will get IAM Users, Groups, and Roles
      "Sid": "MinimumRequiredPermissionsSyncIAMUsersGroupsRoles"
    },
    {
      "Action": [
        "iam:ListAccountAliases"
      ],
      "Effect": "Allow",
      "Resource": "*",
      // Use account aliases instead of the account names when possible
      "Sid": "UseMoreDescriptiveAccountAliases"
    },
    {
      "Action": [
        "identitystore:GetGroupMembershipId",
        "identitystore:ListUsers",
        "identitystore:ListGroups",
        "identitystore:ListGroupMemberships",
        "organizations:ListAccounts",
        "sso:DescribePermissionSet",
        "sso:ListAccountAssignments",
        "sso:ListInstances",
        "sso:ListPermissionSets",
        "sso:ListPermissionSetsProvisionedToAccount"
      ],
      "Effect": "Allow",
      "Resource": "*",
      // Sync identity center users, groups, and permission sets, as well as the organization accounts
      "Sid": "SSOUserGroupAccountAndPermissionSetSyncing"
    }
  ],
  "Version": "2012-10-17"
}

Syncing and Provisioning all supported objects

{
  "Statement": [
    {
      "Action": [
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:GetGroup"
      ],
      "Effect": "Allow",
      "Resource": "*",
      // The minimum permissions required for the connector to sync. This will get IAM Users, Groups, and Roles
      "Sid": "MinimumRequiredPermissionsSyncIAMUsersGroupsRoles"
    },
    {
      "Action": [
        "iam:ListAccountAliases"
      ],
      "Effect": "Allow",
      "Resource": "*",
      // Use account aliases instead of the account names when possible
      "Sid": "UseMoreDescriptiveAccountAliases"
    },
    {
      "Action": [
        "identitystore:GetGroupMembershipId",
        "identitystore:ListUsers",
        "identitystore:ListGroups",
        "identitystore:ListGroupMemberships",
        "organizations:ListAccounts",
        "sso:DescribePermissionSet",
        "sso:ListAccountAssignments",
        "sso:ListInstances",
        "sso:ListPermissionSets",
        "sso:ListPermissionSetsProvisionedToAccount"
      ],
      "Effect": "Allow",
      "Resource": "*",
      // Sync identity center users, groups, and permission sets, as well as the organization accounts
      "Sid": "SSOUserGroupAccountAndPermissionSetSyncing"
    },
    {
      "Action": [
        "iam:AddUserToGroup",
        "iam:RemoveUserFromGroup"
      ],
      "Effect": "Allow",
      "Resource": "*",
      // Enable provisioning of IAM users to Groups
      "Sid": "IAMUserToGroupProvisioning"
    },
    {
      "Action": [
        "identitystore:CreateGroupMembership",
        "identitystore:DeleteGroupMembership"
      ],
      "Effect": "Allow",
      "Resource": "*",
      // Enable provisioning of Identity Store users to Groups
      "Sid": "SSOUserToGroupProvisioning"
    },
    {
      "Action": [
        "sso:CreateAccountAssignment",
        "sso:DeleteAccountAssignment",
        "sso:DescribeAccountAssignmentCreationStatus",
        "sso:DescribeAccountAssignmentDeletionStatus"
      ],
      "Effect": "Allow",
      "Resource": "*",
      // Enable provisioning of SSO Users directly to permission sets in accounts
      "Sid": "SSOUserToAccountPermissionSetProvisioning"
    }
  ],
  "Version": "2012-10-17"
}
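A least-privilege check for the two policies above (and for the inner-account policy further down), as an added Go example that is not part of baton-aws: it strips the // comments, parses the document and lists every allowed action that can change state, so a role meant only for syncing can be confirmed to grant none. The sample policy is a constructed excerpt of the provisioning policy, and classifying actions as read-only by their List/Get/Describe verb prefix is an assumption of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Policy is the subset of an IAM policy document this check needs (Resource is ignored).
type Policy struct {
	Statement []struct {
		Sid    string   `json:"Sid"`
		Effect string   `json:"Effect"`
		Action []string `json:"Action"`
	} `json:"Statement"`
}

// isReadOnly reports whether a "service:Verb" action only reads state (assumed prefixes).
func isReadOnly(action string) bool {
	_, verb, ok := strings.Cut(action, ":")
	return ok && (strings.HasPrefix(verb, "List") ||
		strings.HasPrefix(verb, "Get") || strings.HasPrefix(verb, "Describe"))
}

// MutatingActions strips the whole-line "// ..." notes kept in the README policies
// (IAM rejects them), then returns every allowed action that can change state.
func MutatingActions(doc string) ([]string, error) {
	doc = regexp.MustCompile(`(?m)^[ \t]*//.*\n?`).ReplaceAllString(doc, "")
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("invalid policy JSON: %w", err)
	}
	var out []string
	for _, s := range p.Statement {
		for _, a := range s.Action {
			if s.Effect == "Allow" && !isReadOnly(a) {
				out = append(out, s.Sid+": "+a) // tagged with the statement's Sid
			}
		}
	}
	return out, nil
}
// samplePolicy is a constructed excerpt of the README's provisioning policy, comments included.
const samplePolicy = `{"Version": "2012-10-17", "Statement": [
  // The minimum permissions required for the connector to sync.
  {"Sid": "MinimumRequiredPermissionsSyncIAMUsersGroupsRoles", "Effect": "Allow", "Resource": "*", "Action": ["iam:ListUsers", "iam:GetGroup"]},
  // Enable provisioning of IAM users to Groups
  {"Sid": "IAMUserToGroupProvisioning", "Effect": "Allow", "Resource": "*", "Action": ["iam:AddUserToGroup", "iam:RemoveUserFromGroup"]}]}`
func main() { fmt.Println(MutatingActions(samplePolicy)) } // prints the two provisioning actions and <nil>
```

Run it against the sync-only policy and the result should be an empty list; anything it reports is an action the syncing role does not need.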

Important Policy Footnote

On some occasions, the configuration of your policies or accounts may require additional permissions. baton-aws does not call these APIs directly; AWS requires them for its own safety checks, for example when you are changing the root of the organization. If you've used the above policy and are still experiencing provisioning issues, try adding the statements below to your policy.

{
  "Sid": "IAMListPoliciesPermissions",
  "Effect": "Allow",
  "Action": [
    "iam:ListPolicies"
  ],
  "Resource": "*"
},
{
  "Sid": "AccessToSSOProvisionedRoles",
  "Effect": "Allow",
  "Action": [
    "iam:AttachRolePolicy",
    "iam:CreateRole",
    "iam:DeleteRole",
    "iam:DeleteRolePolicy",
    "iam:DetachRolePolicy",
    "iam:GetRole",
    "iam:ListAttachedRolePolicies",
    "iam:ListRolePolicies",
    "iam:PutRolePolicy",
    "iam:UpdateRole",
    "iam:UpdateRoleDescription"
  ],
  "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
},
{
  "Effect": "Allow",
  "Action": [
    "iam:GetSAMLProvider"
  ],
  "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
}

Inner account permissions

When not using Identity Center and you are using the custom role flag, you may need to set up the following permissions in each account that you are syncing. Each sub-account needs the following policy attached to the role that baton-aws will assume in that account.

{
  "Statement": [
    {
      "Action": [
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:GetGroup",
        "iam:ListAccessKeys",
        "iam:GetAccessKeyLastUsed"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Sid": "MinimumRequiredPermissionsSyncIAMUsersGroupsRoles"
    }
  ],
  "Version": "2012-10-17"
}
