Leveraging AWS SSO (aka Identity Center) with Google Workspaces

Saturday, May 27, 2023   Chris Farris   AWS CloudSecurity Google Workspaces
Strait of Gibraltar from Tangier - December 31st, 2022 (Spain is on the right in the distance).

AWS IAM Identity Center (successor to AWS Single Sign-On), hereafter called AWS SSO (because I have to pay AWS for egress on this site), is an excellent service that helps you get rid of IAM users and enforce identity best practices: second-factor authentication, on- and off-boarding of employees, and assigning the right level of access depending on job function.

Companies using Google Workspaces for email and collaboration can also leverage their Google accounts to access AWS via AWS SSO. The process isn’t clearly documented, and the provisioning support isn’t integrated, so here is a post to help you set it all up.

Prerequisites

We assume you already signed up for Google Workspaces or configured Google for Cloud Identity. The person performing this must be a SuperAdmin and have access to admin.google.com. This post also assumes you’ve set up AWS SSO.

Note: If you have existing users and groups in the AWS SSO built-in identity store, they most likely will be deleted if they do not match existing groups in Google Workspace.

Second Note: Throughout this document, I refer to Google Workspace users, but users do not need a Workspace license. Google Cloud Identity users work the same as Workspace users.

Setting it all up

This mostly follows the process outlined by AWS in their blog post How to use Google Workspace as an external identity provider for AWS IAM Identity Center. And kudos to AWS and the team for keeping this blog post up-to-date.

Go ahead and open three browser windows/tabs. One with this post, one for the AWS Console, and one for the Google Admin page.

Start Configuring the AWS SSO Identity Store

Make sure you’re doing this as an IAM User, or you might get locked out of your AWS account.

  1. Navigate to AWS SSO in the console
  2. Click on Settings
  3. Under Identity Source, click on the Actions drop-down and select “change identity source”.
  4. Select “External identity provider” and click Next

Create the SAML Application in Google

  1. In the Google admin page, click “Add App” and select “Add custom SAML App”

  2. Give the app a Name and Description

  3. Download the Metadata (you’ll need it in a minute), and click Continue.

  4. Copy the “IAM Identity Center Assertion Consumer Service (ACS) URL” from the AWS SSO Console to the “ACS URL” in Google

  5. Copy the “IAM Identity Center issuer URL” from the AWS SSO Console to the “Entity ID” in Google

  6. Make sure “Name ID format” is “EMAIL”, and click continue

  7. Leave Attributes at the default and click Finish

  8. Expand the User Access section and make sure that the “service status” is On for Everyone.

Finish the AWS SSO Setup

  1. Upload the file GoogleIDPMetadata.xml as the Identity provider metadata in AWS SSO
  2. Click Next, enter “ACCEPT”, and click “Change identity source.”

Automatic User Provisioning

You can stop at this point and manage users and groups manually. If you create a user in AWS SSO where the username matches the email address of a Google Workspace user, the user will be redirected to Google for Authentication.

If you want to manage all users and groups exclusively via Google, you need to configure SCIM provisioning. Google doesn’t support this natively, so AWS created an open-source tool in Go (SSO Sync) that you can use. A version that deploys to Lambda and runs on a regular schedule is available in the Serverless Application Repository (SAR).

Setup Google Project for access to Google Admin SDK

  1. Go to the Google Cloud Console
  2. Create a new project called AWS SSO
  3. Make sure the new project is selected and then enable the Admin SDK API
  4. Now, we need to create a Service Account. Navigate to the IAM -> Service Accounts Page
  5. Click “Create Service Account”
  6. Fill in the details and click “Create and Continue”
  7. Now select the service account that was just created. Click “Keys” at the top to create new service credentials.
  8. Then click “Create New Key”, and select a key type of JSON
  9. This will trigger a file to download with the Google Credentials. The contents look like this:
{
  "type": "service_account",
  "project_id": "fooli-aws-sso",
  "private_key_id": "84d26fb60c.....",
  "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED==\n-----END PRIVATE KEY-----\n",
  "client_email": "aws-sso-sync@fooli-aws-sso.iam.gserviceaccount.com",
  "client_id": "11643.......",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/aws-sso-sync%40fooli-aws-sso.iam.gserviceaccount.com",
  "universe_domain": "googleapis.com"
}
  10. Configure Domain-wide Delegation for the Admin SDK
    1. Copy the Client Id
    2. Open the Google Workspace Admin Console
    3. Navigate to Security > Access and data control > API controls
    4. Click Manage Domain Wide Delegation at the bottom
    5. Click Add New at the top, then enter the client Id from Step 1 and the following for the OAuth Scopes:
    https://www.googleapis.com/auth/admin.directory.group.readonly,
    https://www.googleapis.com/auth/admin.directory.group.member.readonly,
    https://www.googleapis.com/auth/admin.directory.user.readonly

Begin Setup of AWS SSO Provisioning

  1. Enable Automatic Provisioning
  2. Copy the SCIM Endpoint and Access Token
  3. Copy the Identity Store ID (see above)

Now we’re ready to deploy the SAR Application

  1. Go to the SSO Sync deployment page

  2. Under Application Settings, enter the following:

    1. Your email address for GoogleAdminEmail
    2. GoogleCredentials is the entirety of the JSON file downloaded in step 9
    3. IdentityStoreID is the Identity Store ID copied in step 3 of “Begin Setup of AWS SSO Provisioning” (it begins with d-)
    4. Region should be us-east-1
    5. SCIMEndpointAccessToken is the Access Token copied in step 2 of “Begin Setup of AWS SSO Provisioning”
    6. SCIMEndpointUrl is the SCIM Endpoint copied in step 2 of “Begin Setup of AWS SSO Provisioning”
    7. For GoogleGroupMatch enter name:AWS* - this will sync all Google Groups whose name begins with AWS.
    8. GoogleUserMatch is name:*
    9. IgnoreGroups is NoSuchGroup (SAR requires a value here)
    10. IgnoreUsers is NoSuchUser (SAR requires a value here)
    11. IncludeGroups is Ignored (SAR requires a value here)
    12. Make sure SyncMethod is groups
    13. Click “I acknowledge that this app creates custom IAM roles.” and then Deploy
  3. Test the sync

    1. Navigate to the Lambda Console
    2. Find the function that begins with serverlessrepo-SSOSync-SSOSyncFunction
    3. Click the Test tab and then the Orange Test button.
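Before you run the real sync, it helps to see what the GoogleGroupMatch / IgnoreGroups / IgnoreUsers settings above will actually do to the identity store, and in particular which pre-existing groups and users the earlier Note says will be removed. The following dry-run script is an added example, not part of the original post and not the SSO Sync tool’s own code; it runs against constructed sample directories and assumes that name:AWS* behaves as a glob on the group name and that a groups-mode sync removes any identity-store group or user not covered by the matched Google groups.

```python
"""Dry-run preview of a groups-mode SSO Sync run against constructed sample data."""
import fnmatch

# Constructed sample Google directory: group email -> (group name, member emails).
GOOGLE_GROUPS = {
    "aws-admins@example.com": ("AWS Admins", ["alice@example.com", "bob@example.com"]),
    "aws-readonly@example.com": ("AWS ReadOnly", ["carol@example.com"]),
    "finance@example.com": ("Finance", ["dave@example.com"]),
}
# Constructed sample of what is already in the AWS SSO built-in identity store.
EXISTING_SSO_GROUPS = {"AWS Admins", "LegacyAdmins"}
EXISTING_SSO_USERS = {"alice@example.com", "old-iam-user@example.com"}


def matches(pattern, value):
    """Interpret a 'name:AWS*' style SAR parameter as a case-sensitive glob on the
    named field (assumption: the real tool hands the query to the Google Admin SDK)."""
    field, _, glob = pattern.partition(":")
    return field == "name" and fnmatch.fnmatchcase(value, glob)


def plan_sync(group_match="name:AWS*", ignore_groups=("NoSuchGroup",),
              ignore_users=("NoSuchUser",), google_groups=GOOGLE_GROUPS,
              existing_groups=EXISTING_SSO_GROUPS, existing_users=EXISTING_SSO_USERS):
    """Return the create/delete sets a groups-mode sync would apply to the identity store."""
    wanted_groups = {name for name, _ in google_groups.values()
                     if matches(group_match, name) and name not in ignore_groups}
    # In groups mode only members of the matched groups are provisioned as users.
    wanted_users = {member for name, members in google_groups.values()
                    if name in wanted_groups for member in members
                    if member not in ignore_users}
    return {
        "create_groups": sorted(wanted_groups - existing_groups),
        "delete_groups": sorted(existing_groups - wanted_groups),  # the Note's warning
        "create_users": sorted(wanted_users - existing_users),
        "delete_users": sorted(existing_users - wanted_users),
    }


if __name__ == "__main__":
    for action, names in plan_sync().items():
        print(f"{action:14} {', '.join(names) or '(none)'}")
```

Anything listed under delete_groups or delete_users is what you stand to lose when the identity source changes, so reconcile those entries (rename the Google group, or add the user to an AWS* group) before deploying.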

Configure Access for users in Google Workspace

  1. Create Groups for access to different accounts. Make sure their names begin with AWS so they match GoogleGroupMatch.
  2. Add users to these groups.
  3. Re-Run the Sync Lambda like above.
  4. Now you can add the Users or Groups to AWS accounts by way of Permission Sets