
Support cross-account IAM role assumption for Identity Store APIs #2

Open

Dakad wants to merge 17 commits into main from fix/gh-295_support-cross-account-IAM-role

Conversation


@Dakad Dakad commented Apr 17, 2026

What does this PR do?

Adds first-class support for assuming an IAM role before making IAM Identity Center Identity Store API calls.

Today ssosync loads AWS credentials from the standard SDK v2 default credential chain and uses them directly for Identity Store operations. This change keeps that behavior by default, and adds an optional assume-role-arn configuration path so ssosync can run outside the delegated admin or management account while still using the correct target-account permissions.

The implementation is intentionally narrow:

  • adds --assume-role-arn
  • adds SSOSYNC_ASSUME_ROLE_ARN
  • loads the normal AWS SDK config first
  • when configured, uses STS AssumeRole with session name ssosync
  • builds the Identity Store client from the assumed-role credentials
  • leaves SCIM endpoint/token behavior unchanged
  • preserves CLI, Lambda, and dry-run flows

Associated ticket number and/or AirBrake error?

Related upstream issue: awslabs/ssosync#295
Same PR on https://github.com/awslabs/ssosync/pull/308

Due Date or Desirable Merge

No hard deadline. This is a focused upstream feature addition to unblock cross-account deployments.

How has this been tested?

  • Added config parsing coverage for the new flag/env var
  • Added unit tests for the assume-role config path using a fake STS client
  • Verified the relevant command/config tests locally

Anticipated impact

Low-risk, opt-in behavior change.

When assume-role-arn is not set, behavior stays the same as today. When it is set, Identity Store API calls use the assumed role credentials instead of the base credential chain.

How do you plan to monitor the change in prod to make sure it's working?

  • Watch ssosync logs for the initial Identity Store connectivity check
  • Confirm sync operations succeed from environments outside the delegated admin account
  • If misconfigured, the expected failure mode is an STS assume-role or Identity Store permission error during startup

Checklist

  • My code follows the code style of this project.
  • I have run tests locally (manual tests and otherwise).
  • This has been tested on staging.
  • My change requires a change to the documentation.
    • I have updated the documentation accordingly
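
To make the config path described above concrete, here is an added example (not the PR's or ssosync's own code) that exercises the flag/env precedence, the default pass-through, the STS AssumeRole with session name ssosync, and the startup failure mode against a fake STS client. `Credentials`, `AssumeRoleAPI` and `fakeSTS` are stand-ins constructed here for the aws-sdk-go-v2 types, so it runs offline.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Credentials stands in for aws.Credentials (constructed for this example).
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }
// AssumeRoleAPI is the one STS call the role path needs (stscreds.NewAssumeRoleProvider in the real SDK).
type AssumeRoleAPI interface {
	AssumeRole(ctx context.Context, roleARN, sessionName string) (Credentials, error)
}

// ResolveRoleARN applies the precedence the PR describes: --assume-role-arn wins,
// then SSOSYNC_ASSUME_ROLE_ARN; empty means "keep the base credential chain".
func ResolveRoleARN(flagValue, envValue string) (string, error) {
	arn := strings.TrimSpace(flagValue)
	if arn == "" {
		arn = strings.TrimSpace(envValue)
	}
	if arn != "" && !(strings.HasPrefix(arn, "arn:") && strings.Contains(arn, ":iam::") && strings.Contains(arn, ":role/")) {
		return "", fmt.Errorf("assume-role-arn %q is not an IAM role ARN", arn)
	}
	return arn, nil
}

// IdentityStoreCredentials returns what the Identity Store client should use: base credentials
// unchanged when no role is set, otherwise STS AssumeRole with session name "ssosync". A failure surfaces here, at startup.
func IdentityStoreCredentials(ctx context.Context, base Credentials, roleARN string, sts AssumeRoleAPI) (Credentials, error) {
	if roleARN == "" {
		return base, nil
	}
	creds, err := sts.AssumeRole(ctx, roleARN, "ssosync")
	if err != nil {
		return Credentials{}, fmt.Errorf("assume role %s: %w", roleARN, err)
	}
	return creds, nil
}

// fakeSTS is a constructed test double: it only knows the roles in allowed and records the session name.
type fakeSTS struct{ allowed map[string]Credentials; gotSession string }

func (f *fakeSTS) AssumeRole(_ context.Context, roleARN, sessionName string) (Credentials, error) {
	f.gotSession = sessionName
	if c, ok := f.allowed[roleARN]; ok {
		return c, nil
	}
	return Credentials{}, fmt.Errorf("AccessDenied: sts:AssumeRole on %s", roleARN)
}
```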

Dakad self-assigned this Apr 17, 2026
Dakad force-pushed the fix/gh-295_support-cross-account-IAM-role branch 2 times, most recently from 876245c to 381e3e5, April 17, 2026 13:15
Dakad changed the title from "Add support for Identity Store assume role" to "Support cross-account IAM role assumption for Identity Store APIs", Apr 17, 2026
Dakad marked this pull request as draft April 17, 2026 13:26
Dakad force-pushed the fix/gh-295_support-cross-account-IAM-role branch from 381e3e5 to 87d6b8d, April 17, 2026 14:26
Dakad marked this pull request as ready for review April 17, 2026 14:38
dependabot Bot and others added 16 commits April 27, 2026 09:56
Bumps [go.opentelemetry.io/otel](https://github.com/open-telemetry/opentelemetry-go) from 1.39.0 to 1.41.0.
- [Release notes](https://github.com/open-telemetry/opentelemetry-go/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-go@v1.39.0...v1.41.0)

---
updated-dependencies:
- dependency-name: go.opentelemetry.io/otel
  dependency-version: 1.41.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
* Edit the regex for the CloudFormation template for the PRECACHE_ORG_UNITS, to allow for a single OU path other than '/'
* Updated handling of this environment variable so, if specified but an empty string, or not set, it disables precaching.
* Updated handling of other optional comma-separated string env_variables to work the same way.
Included in this change:

Parameter PrecacheOrgUnits: when left empty, disables the pre-caching of both Groups and Users.
Parameter LogRetention: added; configures the CloudWatch Log Group retention period. Previously it defaulted to Indefinitely; this default has been retained, however it is strongly recommended that a more frugal option is selected.
Parameter ScheduleExpression: when left empty, disables scheduling of the SSOSync lambda function. The default for this is unchanged, Rate(15 minutes). Where the lambda is being triggered by an external event or as part of a CICD pipeline (such as CodePipeline), this prevents concurrency limits being encountered.
The Parameters page has also been re-grouped to be more intuitive.
Quick Start templates:

Added a simple template that can be launched directly from CloudFormation; this can simply be launched from the repo. Currently, the template creates a deployment in a single account with two nested stacks, one for the secrets and the other for the lambda function. To update the deployment, download the latest version of the template and update the stack.

* implement disabled schedule
* Apply disable PreCache to Groups
* Improve logging for precache activity
* Remove Explicit RoleName
* Added Log Retention Setting.
* Tidy Up the Parameters page
* Add QuickStart
* Add job to update version strings in quickstart on release