ã“ã‚“ã«ã¡ã¯ã€‚AWS CLIãŒå¥½ããªç¦å³¶ã§ã™ã€‚
今回ã¯ã€AWS SSO関連ã®æƒ…å ±ã‚’å–å¾—ã™ã‚‹ã‚³ãƒžãƒ³ãƒ‰ã‚’ã”紹介ã„ãŸã—ã¾ã™ã€‚
å‰å›žã®ãƒ–ãƒã‚°ã§æ¬¡å›žã¯ã€IAM権é™ã«ã¤ã„ã¦ã€ã”紹介ã™ã‚‹ã¨è¨˜è¼‰ã—ãŸã®ã§ã™ãŒã€ ã¡ã‚‡ã£ã¨å¯„ã‚Šé“ã‚’ã—ã¦ã€AWS SSO関連ã®æƒ…å ±å–å¾—ã‚’å…ˆã«ã”紹介ã„ãŸã—ã¾ã™ã€‚
- AWS SSOã®ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ARNã®ç¢ºèª
- アクセス権é™ã‚»ãƒƒãƒˆã®ç¢ºèª
- アクセス権é™ã‚»ãƒƒãƒˆã®åŸºæœ¬æƒ…å ±
- アクセス権é™ã‚»ãƒƒãƒˆã«ç´ã¥ãマãƒãƒ¼ã‚¸ãƒ‰ãƒãƒªã‚·ãƒ¼
- アクセス権é™ã‚»ãƒƒãƒˆã®ã‚¤ãƒ³ãƒ©ã‚¤ãƒ³ãƒãƒªã‚·ãƒ¼
- アクセス権é™ã‚»ãƒƒãƒˆãŒç´ã¥ã„ã¦ã„るアカウント一覧
- アカウントã«ç´ã¥ãアクセス権é™ã‚»ãƒƒãƒˆ
- 全アカウントã«ç´ã¥ãアクセス権é™ã‚»ãƒƒãƒˆã®è¡¨ç¤º1
- 全アカウントã«ç´ã¥ãアクセス権é™ã‚»ãƒƒãƒˆã®è¡¨ç¤º2
- 全アクセス権é™ã‚»ãƒƒãƒˆã®è©³ç´°
- ãŠã‚ã‚Šã«
å…ˆã«è¨˜è¼‰ã—ã¦ãŠãã¨ã€
- 全アカウントã«ç´ã¥ãアクセス権é™ã‚»ãƒƒãƒˆã®è¡¨ç¤º
- 全アクセス権é™ã‚»ãƒƒãƒˆã®è©³ç´°
ãŒä¸€ç•ªä½¿ãˆã‚‹ã¨æ€ã„ã¾ã™ã€‚
AWS SSOã®ã‚¤ãƒ³ã‚¹ã‚¿ãƒ³ã‚¹ARNã®ç¢ºèª
インスタンスã®ARNã¯ã€ä»Šå¾Œç´¹ä»‹ã™ã‚‹ã‚³ãƒžãƒ³ãƒ‰ã§çµæ§‹ä½¿ã„ã¾ã™ã€‚
コマンド
aws sso-admin list-instances
- 実行çµæžœ
{
"Instances": [
{
"InstanceArn": "arn:aws:sso:::instance/ssoins-7758faff83b26bbb",
"IdentityStoreId": "d-9567180725"
}
]
}
アクセス権é™ã‚»ãƒƒãƒˆã®ç¢ºèª
インスタンスã®ARNを利用ã—ã¾ã™ãŒã€ã‚³ãƒžãƒ³ãƒ‰ã§è‡ªå‹•ã§å–å¾—ã™ã‚‹ã‚ˆã†ã«ã—ã¦ã¾ã™ã®ã§ã€ã‚³ãƒ”ペã§OKã§ã™ã€‚
コマンド
aws sso-admin list-permission-sets \ --instance-arn $(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text)
- 実行çµæžœ
{
"PermissionSets": [
"arn:aws:sso:::permissionSet/ssoins-7758faff83b26bbb/ps-82a2d3c9ca6398a4",
"arn:aws:sso:::permissionSet/ssoins-7758faff83b26bbb/ps-82c9d5e2c3d089ec"
]
}
アクセス権é™ã‚»ãƒƒãƒˆã®åŸºæœ¬æƒ…å ±
コマンド
PERMISSION="" ★PermissionSetsã®Arnを入力ã—ã¾ã™ã€‚
aws sso-admin describe-permission-set \
--instance-arn $(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text) \
--permission-set-arn ${PERMISSION}
- 実行çµæžœ
{
"PermissionSet": {
"Name": "AdministratorAccess",
"PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-7758faff83b26bbb/ps-82a2d3c9ca6398a4",
"CreatedDate": "2020-10-09T09:53:33.521000+09:00",
"SessionDuration": "PT1H"
}
}
アクセス権é™ã‚»ãƒƒãƒˆã«ç´ã¥ãマãƒãƒ¼ã‚¸ãƒ‰ãƒãƒªã‚·ãƒ¼
コマンド
PERMISSION="" ★PermissionSetsã®Arnを入力ã—ã¾ã™ã€‚
aws sso-admin list-managed-policies-in-permission-set \
--instance-arn $(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text) \
--permission-set-arn ${PERMISSION}
- 実行çµæžœ
{
"AttachedManagedPolicies": [
{
"Name": "AdministratorAccess",
"Arn": "arn:aws:iam::aws:policy/AdministratorAccess"
}
]
}
アクセス権é™ã‚»ãƒƒãƒˆã®ã‚¤ãƒ³ãƒ©ã‚¤ãƒ³ãƒãƒªã‚·ãƒ¼
コマンド
PERMISSION="" ★PermissionSetsã®Arnを入力ã—ã¾ã™ã€‚
aws sso-admin get-inline-policy-for-permission-set \
--instance-arn $(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text) \
--permission-set-arn ${PERMISSION}
- 実行çµæžœ
{
"InlinePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}]}"
}
インラインãƒãƒªã‚·ãƒ¼ã®è¡¨ç¤ºãŒæ”¹è¡ŒãŒã•ã‚Œã¦ã„ãªã„ãŸã‚ã€å°‘ã—分ã‹ã‚Šã¥ã‚‰ã„ã§ã™ã。 ã¨ã„ã†ã“ã¨ã§æ”¹è¡Œã„ã‚Œã¦ã€å°‘ã—分ã‹ã‚Šã‚„ã™ãã—ã¦ã¿ã¾ã—ãŸã€‚
コマンド(ã¡ã‚‡ã£ã¨åˆ†ã‹ã‚Šã‚„ã™ã)
PERMISSION="" ★PermissionSetsã®Arnを入力ã—ã¾ã™ã€‚
aws sso-admin get-inline-policy-for-permission-set \
--instance-arn $(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text) \
--permission-set-arn ${PERMISSION} \
--output text | sed -e 's/,/,\n/g' -e 's/{/\n{\n/g' -e 's/\[/\n\[/g' -e 's/\}/\n\}/g' -e 's/\]/\n\]/g' | sed '1d'
- 実行çµæžœ
{
"Version":"2012-10-17",
"Statement":
[
{
"Effect":"Allow",
"Action":"*",
"Resource":"*"
}
]
}
アクセス権é™ã‚»ãƒƒãƒˆãŒç´ã¥ã„ã¦ã„るアカウント一覧
コマンド
PERMISSION="" ★PermissionSetsã®Arnを入力ã—ã¾ã™ã€‚
aws sso-admin list-accounts-for-provisioned-permission-set \
--instance-arn $(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text) \
--permission-set-arn ${PERMISSION}
- 実行çµæžœ
{
"AccountIds": [
"xxxxxxxxxxxx",
"xxxxxxxxxxxx",
"xxxxxxxxxxxx"
]
}
アカウントã«ç´ã¥ãアクセス権é™ã‚»ãƒƒãƒˆ
コマンド
ACCOUNTID="" ★アカウントIDを入力ã—ã¾ã™ã€‚
aws sso-admin list-permission-sets-provisioned-to-account \
--instance-arn $(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text) \
--account-id ${ACCOUNTID}
- 実行çµæžœ
{
"PermissionSets": [
"arn:aws:sso:::permissionSet/ssoins-7758faff83b26bbb/ps-82a2d3c9ca6398a4"
]
}
全アカウントã«ç´ã¥ãアクセス権é™ã‚»ãƒƒãƒˆã®è¡¨ç¤º1
â€»ã‚¢ã‚«ã‚¦ãƒ³ãƒˆæƒ…å ±ã¯ã€organizationsコマンドã§å–å¾—ã—ã¦ã„ã¾ã™ã€‚
 アカウント数分ã€ã‚³ãƒžãƒ³ãƒ‰ã‚’実行ã™ã‚‹ãŸã‚ã€çµæ§‹æ™‚é–“ãŒã‹ã‹ã‚Šã¾ã™ã€‚
コマンド
INSTNACE_ARN=$(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text);\
aws organizations list-accounts --query "Accounts[].Id" --output text | tr "\t" "\n" | sort | while read line
do
echo ${line} > /tmp/awscli.tmp
for permission in $(aws sso-admin list-permission-sets-provisioned-to-account --instance-arn ${INSTNACE_ARN} --account-id ${line} --query "PermissionSets" --output text)
do
if [[ ${permission} == None ]] ; then
echo "アクセス権é™ã‚»ãƒƒãƒˆãªã—" >> /tmp/awscli.tmp
else
aws sso-admin describe-permission-set \
--instance-arn ${INSTNACE_ARN} \
--permission-set-arn ${permission} \
--query "PermissionSet.[Name]" --output text >> /tmp/awscli.tmp
fi
done
(head -n +1 /tmp/awscli.tmp && tail -n +2 /tmp/awscli.tmp | sort) | tr "\n" " "
echo ""
done;\
rm /tmp/awscli.tmp
- 実行çµæžœ
xxxxxxxxxxxx AdministratorAccess Billing xxxxxxxxxxxx AdministratorAccess
全アカウントã«ç´ã¥ãアクセス権é™ã‚»ãƒƒãƒˆã®è¡¨ç¤º2
â€»ã‚¢ã‚«ã‚¦ãƒ³ãƒˆæƒ…å ±ã¯ã€organizationsコマンドã§å–å¾—ã—ã¦ã„ã¾ã™ã€‚
 アカウント数分ã€ã‚³ãƒžãƒ³ãƒ‰ã‚’実行ã™ã‚‹ãŸã‚ã€çµæ§‹æ™‚é–“ãŒã‹ã‹ã‚Šã¾ã™ã€‚
コマンド
INSTNACE_ARN=$(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text);\
aws organizations list-accounts --query "Accounts[].Id" --output text | tr "\t" "\n" | sort | while read line
do
for permission in $(aws sso-admin list-permission-sets-provisioned-to-account --instance-arn ${INSTNACE_ARN} --account-id ${line} --query "PermissionSets" --output text)
do
if [[ ${permission} == None ]] ; then
echo "${line} : アクセス権é™ã‚»ãƒƒãƒˆãªã—" >> /tmp/awscli.tmp
else
aws sso-admin list-account-assignments \
--instance-arn ${INSTNACE_ARN} \
--permission-set-arn ${permission} \
--account-id ${line} \
--query "AccountAssignments[]" --output text >> /tmp/awscli.tmp
fi
done
done;\
rm /tmp/awscli.tmp
- 実行çµæžœ
xxxxxxxxxxxxxx arn:aws:sso:::permissionSet/ssoins-xxxxxxxxxxxxxxxxxxxx/ps-xxxxxxxxxxxxxxxxxx xxxxxxxxxxxx-xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxxxx GROUP xxxxxxxxxxxxxx arn:aws:sso:::permissionSet/ssoins-xxxxxxxxxxxxxxxxxxxx/ps-xxxxxxxxxxxxxxxxxx xxxxxxxxxxxx-xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxxxx GROUP xxxxxxxxxxxxxx arn:aws:sso:::permissionSet/ssoins-xxxxxxxxxxxxxxxxxxxx/ps-xxxxxxxxxxxxxxxxxx xxxxxxxxxxxx-xxxxxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxxxxxxx GROUP xxxxxxxxxxxxxx : アクセス権é™ã‚»ãƒƒãƒˆãªã— xxxxxxxxxxxxxx : アクセス権é™ã‚»ãƒƒãƒˆãªã—
全アクセス権é™ã‚»ãƒƒãƒˆã®è©³ç´°
コマンド
INSTNACE_ARN=$(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text);\
aws sso-admin list-permission-sets --instance-arn ${INSTNACE_ARN} --query "PermissionSets" --output text | tr "\t" "\n" | while read line
do
echo "## アクセス権é™ã‚»ãƒƒãƒˆå"
RESULT=$(aws sso-admin describe-permission-set --instance-arn ${INSTNACE_ARN} --permission-set-arn ${line} --query "PermissionSet.[Name,PermissionSetArn]" --output text)
echo ${RESULT}
echo "### マãƒãƒ¼ã‚¸ãƒ‰ãƒãƒªã‚·ãƒ¼"
aws sso-admin list-managed-policies-in-permission-set \
--instance-arn $(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text) \
--permission-set-arn ${line} \
--query "AttachedManagedPolicies[].[Name,Arn]" --output text
echo "### インラインãƒãƒªã‚·ãƒ¼"
FILE_NAME=$(echo ${RESULT} | awk '{print $1}').policy
aws sso-admin get-inline-policy-for-permission-set \
--instance-arn $(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text) \
--permission-set-arn ${line} --output text > /tmp/awscli.tmp;\
if [[ 1 -lt $(wc -c /tmp/awscli.tmp | awk '{print $1}') ]] ; then
cat /tmp/awscli.tmp | sed -e 's/,/,\n/g' -e 's/{/\n{\n/g' -e 's/\[/\n\[/g' -e 's/\}/\n\}/g' -e 's/\]/\n\]/g' | sed '1d' ;\
else
echo "インラインãƒãƒªã‚·ãƒ¼ã¯å®šç¾©ã•ã‚Œã¦ã„ã¾ã›ã‚“。" ;\
fi;\
done;\
rm /tmp/awscli.tmp
- 実行çµæžœ
## アクセス権é™ã‚»ãƒƒãƒˆå
AdministratorAccess arn:aws:sso:::permissionSet/ssoins-7758faff83b26bbb/ps-82a2d3c9ca6398a4
### マãƒãƒ¼ã‚¸ãƒ‰ãƒãƒªã‚·ãƒ¼
Billing arn:aws:iam::aws:policy/job-function/Billing
### インラインãƒãƒªã‚·ãƒ¼
{
"Version":"2012-10-17",
"Statement":
[
{
"Effect":"Allow",
"Action":"*",
"Resource":"*"
}
]
}
## アクセス権é™ã‚»ãƒƒãƒˆå
Billing arn:aws:sso:::permissionSet/ssoins-7758faff83b26bbb/ps-82c9d5e2c3d089ec
### マãƒãƒ¼ã‚¸ãƒ‰ãƒãƒªã‚·ãƒ¼
Billing arn:aws:iam::aws:policy/job-function/Billing
### インラインãƒãƒªã‚·ãƒ¼
インラインãƒãƒªã‚·ãƒ¼ã¯å®šç¾©ã•ã‚Œã¦ã„ã¾ã›ã‚“。
#
ãŠã¾ã‘
アクセス権é™ã‚»ãƒƒãƒˆã”ã¨ã®ã‚¤ãƒ³ãƒ©ã‚¤ãƒ³ãƒãƒªã‚·ãƒ¼ã‚’ファイルã«å‡ºåŠ›ã™ã‚‹Version
※標準出力もã—ã¾ã™ã€‚
INSTNACE_ARN=$(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text);\
aws sso-admin list-permission-sets --instance-arn ${INSTNACE_ARN} --query "PermissionSets" --output text | tr "\t" "\n" | sort | while read line
do
echo "## アクセス権é™ã‚»ãƒƒãƒˆå"
RESULT=$(aws sso-admin describe-permission-set --instance-arn ${INSTNACE_ARN} --permission-set-arn ${line} --query "PermissionSet.[Name,PermissionSetArn]" --output text)
echo "${RESULT}"
echo "### マãƒãƒ¼ã‚¸ãƒ‰ãƒãƒªã‚·ãƒ¼"
aws sso-admin list-managed-policies-in-permission-set \
--instance-arn $(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text) \
--permission-set-arn ${line} \
--query "AttachedManagedPolicies[].[Name,Arn]" --output text
echo "### インラインãƒãƒªã‚·ãƒ¼"
FILE_NAME=$(echo ${RESULT} | awk '{print $1}').policy
aws sso-admin get-inline-policy-for-permission-set \
--instance-arn $(aws sso-admin list-instances --query "Instances[].InstanceArn" --output text) \
--permission-set-arn ${line} --output text > /tmp/awscli.tmp;\
if [[ 1 -lt $(wc -c /tmp/awscli.tmp | awk '{print $1}') ]] ; then
cat /tmp/awscli.tmp | sed -e 's/,/,\n/g' -e 's/{/\n{\n/g' -e 's/\[/\n\[/g' -e 's/\}/\n\}/g' -e 's/\]/\n\]/g' | sed '1d' | tee ${FILE_NAME};\
else
echo "インラインãƒãƒªã‚·ãƒ¼ã¯å®šç¾©ã•ã‚Œã¦ã„ã¾ã›ã‚“。" | tee ${FILE_NAME};\
fi;\
done;\
rm /tmp/awscli.tmp
- 実行çµæžœ
## アクセス権é™ã‚»ãƒƒãƒˆå
AdministratorAccess arn:aws:sso:::permissionSet/ssoins-7758faff83b26bbb/ps-82a2d3c9ca6398a4
### マãƒãƒ¼ã‚¸ãƒ‰ãƒãƒªã‚·ãƒ¼
AdministratorAccess arn:aws:iam::aws:policy/AdministratorAccess
### インラインãƒãƒªã‚·ãƒ¼
{
"Version":"2012-10-17",
"Statement":
[
{
"Effect":"Allow",
"Action":"*",
"Resource":"*"
}
]
}
## アクセス権é™ã‚»ãƒƒãƒˆå
Billing arn:aws:sso:::permissionSet/ssoins-7758faff83b26bbb/ps-82c9d5e2c3d089ec
### マãƒãƒ¼ã‚¸ãƒ‰ãƒãƒªã‚·ãƒ¼
Billing arn:aws:iam::aws:policy/job-function/Billing
### インラインãƒãƒªã‚·ãƒ¼
インラインãƒãƒªã‚·ãƒ¼ã¯å®šç¾©ã•ã‚Œã¦ã„ã¾ã›ã‚“。
# ls -lrt
-rwxrwxrwx 1 kazuya kazuya 96 Oct 27 00:35 AdministratorAccess.policy
-rwxrwxrwx 1 kazuya kazuya 61 Oct 27 00:35 Billing.policy
#
# cat AdministratorAccess.policy
{
"Version":"2012-10-17",
"Statement":
[
{
"Effect":"Allow",
"Action":"*",
"Resource":"*"
}
]
}
#
# cat Billing.policy
インラインãƒãƒªã‚·ãƒ¼ã¯å®šç¾©ã•ã‚Œã¦ã„ã¾ã›ã‚“。
#
ãŠã‚ã‚Šã«
今回ã¯ã€AWS SSO関連ã®æƒ…å ±ã‚’å–å¾—ã™ã‚‹ã‚³ãƒžãƒ³ãƒ‰ã‚’ã”紹介ã„ãŸã—ã¾ã—ãŸã€‚
次回ã¯ã€IAMã‚‚ã—ãã¯AWS SSOã®ã‚¢ã‚¯ã‚»ã‚¹æ¨©é™ã‚»ãƒƒãƒˆã®ä½œæˆãƒ»å‰Šé™¤ãªã©ã‚’ã”紹介ã—ãŸã„ã¨æ€ã„ã¾ã™ï½ž
