
Support cross-account IAM role assumption for Identity Store APIs #2

Open

Dakad wants to merge 1 commit into main from fix/gh-295_support-cross-account-IAM-role

Conversation


@Dakad Dakad commented Apr 17, 2026

What does this PR do?

Adds first-class support for assuming an IAM role before making IAM Identity Center Identity Store API calls.

Today ssosync loads AWS credentials from the standard SDK v2 default credential chain and uses them directly for Identity Store operations. This change keeps that behavior by default, and adds an optional assume-role-arn configuration path so ssosync can run outside the delegated admin or management account while still using the correct target-account permissions.

The implementation is intentionally narrow:

  • adds --assume-role-arn
  • adds SSOSYNC_ASSUME_ROLE_ARN
  • loads the normal AWS SDK config first
  • when configured, uses STS AssumeRole with session name ssosync
  • builds the Identity Store client from the assumed-role credentials
  • leaves SCIM endpoint/token behavior unchanged
  • preserves CLI, Lambda, and dry-run flows

Associated ticket number and/or AirBrake error?

Related upstream issue: awslabs/ssosync#295
Same PR on https://github.com/awslabs/ssosync/pull/308

Due Date or Desirable Merge

No hard deadline. This is a focused upstream feature addition to unblock cross-account deployments.

How has this been tested?

  • Added config parsing coverage for the new flag/env var
  • Added unit tests for the assume-role config path using a fake STS client
  • Verified the relevant command/config tests locally

Anticipated impact

Low-risk, opt-in behavior change.

When assume-role-arn is not set, behavior stays the same as today. When it is set, Identity Store API calls use the assumed role credentials instead of the base credential chain.

How do you plan to monitor the change in prod to make sure it's working?

  • Watch ssosync logs for the initial Identity Store connectivity check
  • Confirm sync operations succeed from environments outside the delegated admin account
  • If misconfigured, the expected failure mode is an STS assume-role or Identity Store permission error during startup

Checklist

  • My code follows the code style of this project.
  • I have run tests locally (manual tests and otherwise).
  • This has been tested on staging.
  • My change requires a change to the documentation.
    • I have updated the documentation accordingly
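
The opt-in path the description lists (load the default credential chain, call STS AssumeRole with session name ssosync only when a role ARN is configured, otherwise leave Identity Store behaviour unchanged, and fail at startup if the assume-role call is denied), written out as an added Go example that is not the PR's code. The AssumeRoleAPI interface and fakeSTS double are hypothetical stand-ins for the AWS SDK's STS client, and flag-over-environment precedence is an assumption the PR text does not state.

```go
package main

import "fmt"

// Credentials is the minimal credential shape handed to the Identity Store client.
type Credentials struct{ AccessKeyID, SecretAccessKey, SessionToken string }

// AssumeRoleAPI is a hypothetical one-method stand-in for the SDK's STS AssumeRole
// call, so the opt-in path can be exercised with a fake client instead of real STS.
type AssumeRoleAPI interface {
	AssumeRole(roleArn, sessionName string) (Credentials, error)
}

// ResolveRoleArn reads the optional role ARN from --assume-role-arn or
// SSOSYNC_ASSUME_ROLE_ARN (assumption: an explicit flag wins over the env var).
func ResolveRoleArn(flagValue string, env map[string]string) string {
	if flagValue != "" {
		return flagValue
	}
	return env["SSOSYNC_ASSUME_ROLE_ARN"]
}

// IdentityStoreCredentials returns the base SDK-chain credentials when no role is set
// (behaviour unchanged); otherwise it assumes the role with session name "ssosync".
func IdentityStoreCredentials(base Credentials, roleArn string, sts AssumeRoleAPI) (Credentials, error) {
	if roleArn == "" {
		return base, nil
	}
	creds, err := sts.AssumeRole(roleArn, "ssosync")
	if err != nil {
		// Misconfiguration surfaces here, at startup, before any Identity Store call.
		return Credentials{}, fmt.Errorf("assume role %s for Identity Store: %w", roleArn, err)
	}
	return creds, nil
}

// fakeSTS adapts a plain function to AssumeRoleAPI so a test can script the STS
// response (constructed test double, not the real SDK client).
type fakeSTS func(roleArn, sessionName string) (Credentials, error)

func (f fakeSTS) AssumeRole(roleArn, sessionName string) (Credentials, error) {
	return f(roleArn, sessionName)
}

func main() {
	env := map[string]string{"SSOSYNC_ASSUME_ROLE_ARN": "arn:aws:iam::111122223333:role/ssosync-target"}
	sts := fakeSTS(func(string, string) (Credentials, error) { return Credentials{AccessKeyID: "ASIA-CONSTRUCTED"}, nil })
	creds, err := IdentityStoreCredentials(Credentials{AccessKeyID: "AKIA-BASE"}, ResolveRoleArn("", env), sts)
	fmt.Println(creds.AccessKeyID, err)
}
```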

@Dakad Dakad self-assigned this Apr 17, 2026
@Dakad Dakad force-pushed the fix/gh-295_support-cross-account-IAM-role branch 2 times, most recently from 876245c to 381e3e5 April 17, 2026 13:15
@Dakad Dakad changed the title Add support for Identity Store assume role Support cross-account IAM role assumption for Identity Store APIs Apr 17, 2026
@Dakad Dakad marked this pull request as draft April 17, 2026 13:26
@Dakad Dakad force-pushed the fix/gh-295_support-cross-account-IAM-role branch from 381e3e5 to 87d6b8d April 17, 2026 14:26
@Dakad Dakad marked this pull request as ready for review April 17, 2026 14:38