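#!/bin/sh
#
# Backup the users and groups from your AWS IAM Identity
# Center (successor to AWS SSO) identity store.
#
# I wrote this because I initially modeled permission sets
# in Pulumi, before the AWS SSO API existed. This script
# is a handy way to grab a backup before doing potentially
# dangerous operations until I import users/groups into Pulumi.
#
# By default it will backup all identity stores; to backup
# a specific one, provide its ID on the command line.
#
# Usage:
#   ./backup-identitystores.sh [identity-store-id]
#
# Output is written to a directory named "backup-<timestamp>".
# The directory and every file in it are created owner-only
# (umask 077): the dumps contain user names, e-mail addresses
# and group memberships.
#
# Requires the aws CLI (sso-admin + identitystore read access) and jq.
# Exits non-zero on the first failed aws/jq call so a partial backup
# is never mistaken for a complete one.
#
set -eu

# ${1:-} rather than ${1}: with `set -u` an absent argument would
# otherwise abort the script instead of meaning "all stores".
if [ -z "${1:-}" ]; then
  ids=$(aws sso-admin list-instances | jq -r '.Instances[].IdentityStoreId')
else
  ids=$1
fi

# A failed list-instances call leaves ${ids} empty (the pipeline hides
# aws's exit status); fail loudly instead of writing an empty backup.
if [ -z "${ids}" ]; then
  printf '%s\n' "No identity stores found; nothing to back up." >&2
  exit 1
fi

# Restrict the backup to the invoking user before anything is created.
umask 077
out_dir="backup-$(date +%Y%m%d%H%M%S)"
mkdir -p -- "${out_dir}"

# Word-splitting of ${ids} is intentional: one identity store ID per word.
for id in ${ids}; do
  # Ensure the identity store is valid. Listing groups seems
  # to be the simplest and most performant approach.
  if ! aws identitystore list-groups --identity-store-id "${id}" >/dev/null 2>&1
  then
    printf 'Invalid identity store: %s\n' "${id}" >&2
    exit 1
  fi
  printf 'Backing up identity store: %s\n' "${id}"
  users_json="${out_dir}/${id}-users.json"
  groups_json="${out_dir}/${id}-groups.json"
  # Under `set -e` either of these aborts the script if the API call fails,
  # rather than leaving a truncated or empty JSON file behind.
  aws identitystore list-users --identity-store-id "${id}" > "${users_json}"
  aws identitystore list-groups --identity-store-id "${id}" > "${groups_json}"
  group_ids=$(<"${groups_json}" jq -r '.Groups[].GroupId')
  # One membership file per group; ${group_ids} is split on whitespace by design.
  for group in ${group_ids}; do
    aws identitystore list-group-memberships --identity-store-id "${id}" --group "${group}" > "${out_dir}/${id}-group-${group}.json"
  done
  printf ' Users: %s\n' "$(<"${users_json}" jq -r '.Users[].UserName' | wc -l | tr -d ' ')"
  printf ' Groups: %s\n' "$(<"${groups_json}" jq -r '.Groups[].GroupName' | wc -l | tr -d ' ')"
done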