...
Enable SCIM for your Identity Center directory:
Sign into the Identity account from your AWS landing zone.
From AWS IAM Identity Center settings, within the Automatic provisioning information box, choose Enable.
Save the SCIM endpoint and access token that are displayed; the token is shown only once, so copy it now (a new one can be generated later if it is lost).
Create a new Terraform module in the infrastructure repository under sso-sync/secrets to store the credentials:

```hcl
module "secret" {
  source      = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0"
  description = "Secrets for deploying the AWS/Google SSO Sync Lambda"
  name        = "aws-google-sso-sync"

  initial_value = jsonencode({
    GoogleCredentials       = ""
    SCIMEndpointAccessToken = ""
    SCIMEndpointUrl         = ""
  })
}
```
Apply the Terraform module.
From AWS Secrets Manager, find the created secret.
Click Retrieve Secret Value and then click Edit.
Copy the contents of the JSON credentials file you downloaded into the GoogleCredentials field.
Fill in the SCIMEndpointAccessToken and SCIMEndpointUrl values you saved earlier.
Click Save.
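Before deploying the Lambda it is worth confirming that the secret actually contains what the module expects: a blank field, a stray space around the pasted token, or a credentials value that is not the service-account JSON only surfaces later as a failed sync. The following checker is an added example written for this post, not part of the thoughtbot modules or SSOSync. It assumes the three-key layout created above and the usual shape of a Google service-account key file (`type`, `client_email`, `private_key`) and of an IAM Identity Center SCIM URL (https, an amazonaws.com host, a `/scim/v2` path); the sample secret values embedded in it are constructed for illustration.

```python
"""Sanity-check the aws-google-sso-sync secret before applying the Lambda module.

Added example for this post (not thoughtbot or SSOSync code). Validates the
JSON layout the Lambda module reads: GoogleCredentials, SCIMEndpointAccessToken
and SCIMEndpointUrl. The sample secrets at the bottom are constructed.
"""
import json
import sys
from typing import List
from urllib.parse import urlparse

REQUIRED_KEYS = {"GoogleCredentials", "SCIMEndpointAccessToken", "SCIMEndpointUrl"}
# Fields every Google service-account JSON key file carries.
SERVICE_ACCOUNT_FIELDS = {"type", "client_email", "private_key"}


def validate_sso_sync_secret(secret_string: str) -> List[str]:
    """Return a list of problems; an empty list means the secret looks usable."""
    problems: List[str] = []
    try:
        secret = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc}"]
    if not isinstance(secret, dict):
        return ["secret must be a JSON object"]

    missing = REQUIRED_KEYS - secret.keys()
    extra = secret.keys() - REQUIRED_KEYS
    if missing:
        problems.append(f"missing keys: {sorted(missing)}")
    if extra:
        problems.append(f"unexpected keys: {sorted(extra)}")

    # GoogleCredentials must be the pasted contents of the downloaded key file,
    # i.e. a JSON document whose type is "service_account".
    creds = secret.get("GoogleCredentials", "")
    if not creds:
        problems.append("GoogleCredentials is empty (paste the downloaded JSON key file)")
    else:
        try:
            creds_obj = json.loads(creds)
        except json.JSONDecodeError:
            problems.append("GoogleCredentials is not valid JSON")
        else:
            if not isinstance(creds_obj, dict):
                problems.append("GoogleCredentials must be a JSON object")
            else:
                if creds_obj.get("type") != "service_account":
                    problems.append("GoogleCredentials.type must be 'service_account'")
                for field in sorted(SERVICE_ACCOUNT_FIELDS - creds_obj.keys()):
                    problems.append(f"GoogleCredentials is missing {field}")
                pem = creds_obj.get("private_key")
                if pem is not None and not str(pem).startswith("-----BEGIN PRIVATE KEY-----"):
                    problems.append("GoogleCredentials.private_key is not a PEM private key")

    # The access token is pasted from the console; surrounding whitespace is a
    # common copy-paste error that makes every SCIM call return 401.
    token = secret.get("SCIMEndpointAccessToken", "")
    if not token:
        problems.append("SCIMEndpointAccessToken is empty")
    elif token != token.strip():
        problems.append("SCIMEndpointAccessToken has leading/trailing whitespace")

    url = secret.get("SCIMEndpointUrl", "")
    if not url:
        problems.append("SCIMEndpointUrl is empty")
    else:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append("SCIMEndpointUrl must use https")
        # Assumption: Identity Center serves SCIM from scim.<region>.amazonaws.com.
        if not (parsed.hostname or "").endswith(".amazonaws.com"):
            problems.append("SCIMEndpointUrl host is not an amazonaws.com endpoint")
        if "/scim/v2" not in parsed.path:
            problems.append("SCIMEndpointUrl path should contain /scim/v2")
    return problems


# Constructed sample: a correctly filled-in secret value.
GOOD_SECRET = json.dumps({
    "GoogleCredentials": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "client_email": "sso-sync@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...example...\n-----END PRIVATE KEY-----\n",
    }),
    "SCIMEndpointAccessToken": "example-access-token",
    "SCIMEndpointUrl": "https://scim.us-east-1.amazonaws.com/00000000-0000-0000-0000-000000000000/scim/v2/",
})

# Constructed sample: the placeholder value the secret module creates before it is edited.
INITIAL_SECRET = json.dumps({
    "GoogleCredentials": "",
    "SCIMEndpointAccessToken": "",
    "SCIMEndpointUrl": "",
})

if __name__ == "__main__":
    # Read a secret string from stdin, or fall back to the constructed samples.
    data = sys.stdin.read() if not sys.stdin.isatty() else None
    for label, value in ([("stdin", data)] if data else [("good", GOOD_SECRET), ("initial", INITIAL_SECRET)]):
        found = validate_sso_sync_secret(value)
        print(f"{label}: {'ok' if not found else ''}")
        for problem in found:
            print(f"  - {problem}")
```

To run it against the real secret, pipe the value in from the AWS CLI: `aws secretsmanager get-secret-value --secret-id aws-google-sso-sync --query SecretString --output text | python3 check_secret.py` (the file name is ours). An empty result means the three fields are present and plausibly shaped; it does not prove the token is still valid, which only a real SCIM call can do.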
Create a new Terraform module to deploy the SSOSync Lambda:
```hcl
module "lambda" {
  source = "github.com/thoughtbot/terraform-aws-google-sso?ref=v0.1.0"

  google_admin_email         = "google-admin@example.com"
  google_credentials         = local.secrets.GoogleCredentials
  google_group_match         = "email:aws-*"
  name                       = "aws-google-sso-sync"
  scim_endpoint_access_token = local.secrets.SCIMEndpointAccessToken
  scim_endpoint_url          = local.secrets.SCIMEndpointUrl
  semantic_version           = "2.0.2"
}

locals {
  secrets = jsondecode(
    data.aws_secretsmanager_secret_version.sso_sync.secret_string
  )
}

data "aws_secretsmanager_secret_version" "sso_sync" {
  secret_id = "aws-google-sso-sync"
}
```
Apply the module. Because the secret is read through a data source, its value is written into Terraform state, so keep the state backend encrypted and restrict who can read it.
IAM Identity Center will now automatically synchronize the Google groups whose email matches the google_group_match filter (here, email:aws-*) and their members from your Google domain.