Note: This repository is still in an early stage of development. At this point, no contributions are accepted to the project yet.
This Raito CLI plugin is used to synchronize the identity store information of an AWS organization (IAM Identity Center). This identity store can then be linked to AWS Account data sources (or set as Master Identity Store) so that permission sets can be visualized correctly.
To use this plugin, you will need
- The Raito CLI to be correctly installed. You can check out our documentation for help on this.
- A Raito Cloud account to synchronize your AWS organization with. If you don't have this yet, visit our webpage at (https://www.raito.io/trial) and request a trial account.
- Access to your AWS environment. Minimal required permissions still need to be defined. Right now we assume that you're set up with one of the default authentication options: https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html#credentialProviderChain.
A full example on how to start using Raito Cloud with Snowflake can be found as a guide in our documentation.
To use the plugin, add the following snippet to your Raito CLI configuration file (raito.yml
, by default) under the targets
section:
- name: aws-account
connector-name: raito-io/cli-plugin-aws-organization
identity-store-id: "{{IDENTITYSTORE_ID}}"
aws-account-id: "{{AWS_ACCOUNT_ID}}"
Next, replace the values of the indicated fields with your specific values, or use environment variables:
identity-store-id
: The ID of the Identity Store you created in Raito Cloud.aws-profile
(optional): The AWS SDK profile to use for connecting to your AWS account that managed the organization to synchronize. When not specified, the default profile is used (or what is defined in the AWS_PROFILE environment variable).aws-region
(optional): The AWS region to use for connecting to the AWS account to synchronize. When not specified, the default region as found by the AWS SDK is used.
You will also need to configure the Raito CLI further to connect to your Raito Cloud account, if that's not set up yet. A full guide on how to configure the Raito CLI can be found on (http://docs.raito.io/docs/cli/configuration).
As a first step, you can check if the CLI finds this plugin correctly. In a command-line terminal, execute the following command:
$> raito info raito-io/cli-plugin-aws-organization
This will download the latest version of the plugin (if you don't have it yet) and output the name and version of the plugin, together with all the plugin-specific parameters to configure it.
When you are ready to try out the synchronization for the first time, execute:
$> raito run
This will take the configuration from the raito.yml
file (in the current working directory) and start a single synchronization.
Note: if you have multiple targets configured in your configuration file, you can run only this target by adding --only-targets aws-account
at the end of the command.
To authenticate the AWS plugin, the AWS default provider chain will be used:
- Environment variables: The environment variables
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
, andAWS_SESSION_TOKEN
are used. - Shared credentials file. Credentials defined on
~/.aws/credentials
will be used. A profile can be defined withaws-region
. - If running on an Amazon EC2 instance, IAM role for Amazon EC2.
More information can be found on the AWS SDK documentation.