Feature: Avoid impersonation

cicd/account_execution/staging/stack.yml

@@ -15,7 +15,9 @@ Parameters:
     Description: The version of this build in SAR
     Default: 'v1.0.0-rc.10'
     Type: String
-  GoogleAdminEmailArn:
+  # GoogleAdminEmailArn:
+  #   Type: String
+  GoogleCustomerIdArn:
     Type: String
   GoogleCredentialsArn:
     Type: String
@@ -41,10 +43,10 @@ Resources:
         SemanticVersion: !Ref AppVersion
       Parameters:
         FunctionName: SSOSyncFunction
-        GoogleAdminEmail: !Join
+        GoogleCustomerId: !Join
           - ''
           - - '{{resolve:secretsmanager:'
-            - !Ref GoogleAdminEmailArn
+            - !Ref GoogleCustomerIdArn
             - '}}'
         GoogleCredentials: !Join
           - ''

cicd/cloudformation/developer.yaml

@@ -465,7 +465,9 @@ Resources:
             Value: !Select [3, !Split [',', !Ref SecretsConfig]]
           - Name: SecretGoogleCredentials
             Value: !Select [4, !Split [',', !Ref SecretsConfig]]
-          - Name: SecretGoogleAdminEmail
+          #- Name: SecretGoogleAdminEmail
+          #  Value: !Select [5, !Split [',', !Ref SecretsConfig]]
+          - Name: SecretGoogleCustomerId
             Value: !Select [5, !Split [',', !Ref SecretsConfig]]
           - Name: SecretWIFClientLibraryConfig
             Value: !Select [6, !Split [',', !Ref SecretsConfig]]

cicd/cloudformation/secrets.yaml

@@ -35,10 +35,15 @@ Parameters:
     AllowedPattern: '(?!.*\s)|(\{(\s)*(".*")(\s)*:(\s)*(".*")(\s)*\})'
     NoEcho: true
 
-  GoogleAdminEmail:
-    Description: Google Workspaces Admin email
+  # GoogleAdminEmail:
+  #   Description: Google Workspaces Admin email
+  #   Type: String
+  #   AllowedPattern: '(?!.*\s)|(([a-zA-Z0-9.+=_-]{0,61})@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*)'      
+  #   NoEcho: true
+  GoogleCustomerId:
+    Description: Google Workspaces Customer id
     Type: String
-    AllowedPattern: '(?!.*\s)|(([a-zA-Z0-9.+=_-]{0,61})@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*)'      
+    AllowedPattern: '(?!.*\s)|C[A-Za-z0-9]{8}'      
     NoEcho: true
 
   WIFServiceAccountEmail:
@@ -87,7 +92,8 @@ Metadata:
       - Label:
           default: Parameters for Google Credentials based authentication, required if either Google Credentials or Both have been selected for Google Authentication Method
         Parameters:
-          - GoogleAdminEmail
+          #- GoogleAdminEmail
+          - GoogleCustomerId
           - GoogleCredentials
       - Label: 
           default: Parameters for Workload Identity Federation based authentication, required if either Workload Identity Federation or Both have been selected for Google Authentication Method
@@ -112,8 +118,10 @@ Metadata:
         default: "Which Google Auth Methods do you want to test with?"
       GoogleCredentials:
         default: "contents of credentials.json"
-      GoogleAdminEmail:
-        default: "admin@WorkspaceDomain"
+      GoogleCustomerId:
+        default: "C12345678"
+      # GoogleAdminEmail:
+      #   default: "admin@WorkspaceDomain"
       WIFServiceAccountEmail:
         default: "service-account@@WorkspaceDomain"
       WIFClientLibraryConfig:
@@ -163,10 +171,10 @@ Rules:
           - !Ref GoogleAuthMethod
           - "Both"
     Assertions:
-      - AssertDescription: You have selected Google Credentials, You need to provide a Google Admin email address.
+      - AssertDescription: You have selected Google Credentials, You need to provide a Google Workspace customer id.
         Assert: !Not
           - !Equals
-            - !Ref GoogleAdminEmail
+            - !Ref GoogleCustomerId
             - "" 
       - AssertDescription: You have selected Google Credentials, You need to provide the content of a Credentials file (json).
         Assert: !Not
@@ -284,21 +292,58 @@ Resources:
             - secretsmanager:GetSecretValue
           Resource: '*'
 
-  SecretGoogleAdminEmail:
+  # SecretGoogleAdminEmail:
+  #   Type: "AWS::SecretsManager::Secret"
+  #   Condition: CreateGoogle
+  #   DeletionPolicy: Retain
+  #   UpdateReplacePolicy: Delete
+  #   Properties:
+  #     Name: PipelineGoogleAdminEmail
+  #     SecretString: !Ref GoogleAdminEmail
+  #     KmsKeyId: !Ref KeyAlias
+
+  SecretGoogleCustomerId:
     Type: "AWS::SecretsManager::Secret"
     Condition: CreateGoogle
     DeletionPolicy: Retain
     UpdateReplacePolicy: Delete
     Properties:
-      Name: PipelineGoogleAdminEmail
-      SecretString: !Ref GoogleAdminEmail
+      Name: PipelineGoogleCustomerId
+      SecretString: !Ref GoogleCustomerId
       KmsKeyId: !Ref KeyAlias
 
-  SecretGoogleAdminEmailPolicy:
+  # SecretGoogleAdminEmailPolicy:
+  #   Type: AWS::SecretsManager::ResourcePolicy
+  #   Condition: CreateGoogle
+  #   Properties:
+  #     SecretId: !Ref SecretGoogleAdminEmail
+  #     ResourcePolicy:
+  #       Version: 2012-10-17
+  #       Statement:
+  #       - Effect: Allow
+  #         Principal:
+  #           AWS: !Sub arn:aws:iam::${ManagementAccount}:root
+  #         Action:
+  #           - secretsmanager:GetSecretValue
+  #         Resource: '*'
+  #       - Effect: Allow
+  #         Principal:
+  #           AWS: !Sub arn:aws:iam::${DelegatedAccount}:root
+  #         Action:
+  #           - secretsmanager:GetSecretValue
+  #         Resource: '*'
+  #       - Effect: Allow
+  #         Principal:
+  #           AWS: !Sub arn:aws:iam::${NonDelegatedAccount}:root
+  #         Action:
+  #           - secretsmanager:GetSecretValue
+  #         Resource: '*'
+
+  SecretGoogleCustomerIdPolicy:
     Type: AWS::SecretsManager::ResourcePolicy
     Condition: CreateGoogle
     Properties:
-      SecretId: !Ref SecretGoogleAdminEmail
+      SecretId: !Ref SecretGoogleCustomerId
       ResourcePolicy:
         Version: 2012-10-17
         Statement:
@@ -538,7 +583,7 @@ Outputs:
   TestConfigGoogleCreds:
     Condition: GoogleCreds
     Description: "The Comma Separated list of Secrets and KMS Key ARNs to copy and paste into the CrossStackConfig field of the app for cross-account stack."
-    Value: !Sub ${SecretSCIMEndpoint},${SecretSCIMAccessToken},${SecretRegion},${SecretIdentityStoreID},${SecretGoogleCredentials},${SecretGoogleAdminEmail},"","",arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${KeyForSecrets}
+    Value: !Sub ${SecretSCIMEndpoint},${SecretSCIMAccessToken},${SecretRegion},${SecretIdentityStoreID},${SecretGoogleCredentials},${SecretGoogleCustomerId},"","",arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${KeyForSecrets}
     Export:
       Name: TestConfig
 
@@ -552,6 +597,6 @@ Outputs:
   TestConfigBoth:
     Condition: BothCreds
     Description: "The Comma Separated list of Secrets and KMS Key ARNs to copy and paste into the CrossStackConfig field of the app for cross-account stack."
-    Value: !Sub ${SecretSCIMEndpoint},${SecretSCIMAccessToken},${SecretRegion},${SecretIdentityStoreID},${SecretGoogleCredentials},${SecretGoogleAdminEmail},${SecretWIFClientLibraryConfig},${SecretWIFServiceAccountEmail},arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${KeyForSecrets}
+    Value: !Sub ${SecretSCIMEndpoint},${SecretSCIMAccessToken},${SecretRegion},${SecretIdentityStoreID},${SecretGoogleCredentials},${SecretGoogleCustomerId},${SecretWIFClientLibraryConfig},${SecretWIFServiceAccountEmail},arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${KeyForSecrets}
     Export:
       Name: TestConfig

cicd/deploy_patterns/singlestack/buildspec.yml

@@ -30,7 +30,7 @@ phases:
       # Update params with the values for this run for a developer account
       - |
         jq -n \
-        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleAdminEmailArn\": \"$SecretGoogleAdminEmail\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"$SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:AWS*\"}" \
+        --argjson Parameters "{\"AppArn\": \"$AppArn\", \"AppVersion\": \"$AppVersion\", \"GoogleCustomerIdArn\": \"$SecretGoogleCustomerId\", \"GoogleCredentialsArn\": \"$SecretGoogleCredentials\", \"SCIMEndpointUrlArn\": \"$SecretSCIMEndpoint\", \"SCIMAccessTokenArn\": \"$SecretSCIMAccessToken\", \"RegionArn\": \"$SecretRegion\", \"IdentityStoreIdArn\": \"$SecretIdentityStoreID\", \"GroupMatch\": \"name:AWS*\"}" \
         --argjson StackPolicy "{\"Statement\":[{\"Effect\": \"Allow\", \"NotAction\": \"Update:Delete\", \"Principal\": \"*\", \"Resource\": \"*\"}]}" \
         '$ARGS.named' > ./deploy/singlestack.json
       - cat ./deploy/singlestack.json

cicd/deploy_patterns/singlestack/namedfunction.yml

@@ -15,8 +15,9 @@ Parameters:
     Description: The version of this build in SAR
     Default: 'v1.0.0-rc.10'
     Type: String
-  GoogleAdminEmailArn:
-    Type: String
+  # GoogleAdminEmailArn:
+  #   Type: String
+
   GoogleCredentialsArn:
     Type: String
   SCIMEndpointUrlArn:

cmd/root.go

@@ -25,7 +25,7 @@ import (
 	"github.com/aws/aws-lambda-go/lambda"
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
-        "github.com/aws/aws-sdk-go/service/codepipeline"
+	"github.com/aws/aws-sdk-go/service/codepipeline"
 	"github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/awslabs/ssosync/internal"
 	"github.com/awslabs/ssosync/internal/config"
@@ -158,7 +158,8 @@ func initConfig() {
 	viper.AutomaticEnv()
 
 	appEnvVars := []string{
-		"google_admin",
+		//"google_admin",
+		"customer_id",
 		"google_credentials",
 		"scim_access_token",
 		"scim_endpoint",
@@ -198,11 +199,17 @@ func configLambda() {
 	svc := secretsmanager.New(s)
 	secrets := config.NewSecrets(svc)
 
-	unwrap, err := secrets.GoogleAdminEmail(os.Getenv("GOOGLE_ADMIN"))
+	// unwrap, err := secrets.GoogleAdminEmail(os.Getenv("GOOGLE_ADMIN"))
+	// if err != nil {
+	// 	log.Fatalf(errors.Wrap(err, "cannot read config: GOOGLE_ADMIN").Error())
+	// }
+	// cfg.GoogleAdmin = unwrap
+
+	unwrap, err := secrets.GoogleCustomerId(os.Getenv("CUSTOMER_ID"))
 	if err != nil {
-		log.Fatalf(errors.Wrap(err, "cannot read config: GOOGLE_ADMIN").Error())
+		log.Fatalf(errors.Wrap(err, "cannot read config: CUSTOMER_ID").Error())
 	}
-	cfg.GoogleAdmin = unwrap
+	cfg.CustomerId = unwrap
 
 	unwrap, err = secrets.GoogleCredentials(os.Getenv("GOOGLE_CREDENTIALS"))
 	if err != nil {
@@ -292,7 +299,8 @@ func addFlags(cmd *cobra.Command, cfg *config.Config) {
 	rootCmd.Flags().StringVarP(&cfg.SCIMAccessToken, "access-token", "t", "", "AWS SSO SCIM API Access Token")
 	rootCmd.Flags().StringVarP(&cfg.SCIMEndpoint, "endpoint", "e", "", "AWS SSO SCIM API Endpoint")
 	rootCmd.Flags().StringVarP(&cfg.GoogleCredentials, "google-credentials", "c", config.DefaultGoogleCredentials, "path to Google Workspace credentials file")
-	rootCmd.Flags().StringVarP(&cfg.GoogleAdmin, "google-admin", "u", "", "Google Workspace admin user email")
+	//rootCmd.Flags().StringVarP(&cfg.GoogleAdmin, "google-admin", "u", "", "Google Workspace admin user email")
+	rootCmd.Flags().StringVarP(&cfg.CustomerId, "customer-id", "u", "", "Google Workspace customer id")
 	rootCmd.Flags().StringSliceVar(&cfg.IgnoreUsers, "ignore-users", []string{}, "ignores these Google Workspace users")
 	rootCmd.Flags().StringSliceVar(&cfg.IgnoreGroups, "ignore-groups", []string{}, "ignores these Google Workspace groups")
 	rootCmd.Flags().StringSliceVar(&cfg.IncludeGroups, "include-groups", []string{}, "include only these Google Workspace groups, NOTE: only works when --sync-method 'users_groups'")

go.mod

@@ -3,6 +3,7 @@ module github.com/awslabs/ssosync
 go 1.16
 
 require (
+	cloud.google.com/go/compute v1.12.1 // indirect
 	github.com/BurntSushi/toml v1.0.0
 	github.com/aws/aws-lambda-go v1.23.0
 	github.com/aws/aws-sdk-go v1.44.102