To give users access to each Amazon Web Services (AWS) account through the directory, you need to create a group in the external directory for each AWS role in each of these accounts. A filter matches these group names and associates each group with the corresponding AWS role, so the names must follow a syntax the filter can parse.
Create AWS role-specific groups in your directory using one of the following methods:
Run a script to create external-directory groups for each role in each account.
This option offers the most automation, but it requires your AWS management team and your external-directory management team to coordinate on how the script is configured and run.
CSV file export from AWS
If a scripted integration between AWS and the external directory is not possible, a lighter-weight approach is to export a list of the role names for each of your AWS accounts to a CSV file and hand it to your external-directory administration teams. Include the account ID and account alias alongside each role name, because the group names need all three. From there, the directory teams can create the AWS role groups however they see fit, with no dependency on, or direct integration with, your AWS accounts.
Manual creation of AWS role groups in the external directory
This is the simplest method; however, it requires ample setup time to create a group in the external directory for each role in each of your accounts, as well as ongoing upkeep whenever a role or account is added, renamed, or removed.
Create an organizational unit (OU) in your directory to contain all of the AWS role-specific groups, for example an OU named AWS Role Groups or AWS Entitlements.
Using a consistent syntax, create an external-directory security group for each role.
Recommended syntax: aws#[account alias]#[role name]#[account #]
A regular expression is also available that filters the AWS-related groups out of the directory and extracts the account ID and role name from each group name.
If you use your own group syntax, make sure it includes the account alias, the role name, and the account ID, separated by a recognizable delimiter that cannot appear inside an alias or role name. You will also need to write a custom regular expression that matches your syntax.
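The following Python script is an added example, not code from the original page or from any directory or federation product. It ties the procedure above together: it generates group names in the recommended aws#[account alias]#[role name]#[account #] syntax for the scripted method, produces the CSV a directory team would need for the CSV method, and applies a filter regex to extract the account ID and role name again. The two accounts, their aliases and role lists are constructed sample data, and the regular expression is my own assumption (the page mentions a regex but does not reproduce it); it deliberately requires a 12-digit account ID and a valid IAM role name so that unrelated directory groups never match.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed sample data: two accounts and the roles in each, as a script
# that enumerates your AWS accounts (or a CSV export) might produce them.
# The account IDs and aliases are made up for this example.
SAMPLE_ACCOUNTS: Dict[str, Dict] = {
    "111111111111": {"alias": "prod", "roles": ["ReadOnly", "Admin"]},
    "222222222222": {"alias": "dev", "roles": ["ReadOnly", "Developer"]},
}

# Recommended group syntax: aws#[account alias]#[role name]#[account #]
GROUP_FORMAT = "aws#{alias}#{role}#{account_id}"

# Assumed filter regex (the page mentions one but does not reproduce it).
# '#' is the delimiter, so alias and role may not contain it; the role name
# is limited to the characters AWS allows in IAM role names, and the account
# ID must be exactly 12 digits, so unrelated directory groups never match.
# Python names capture groups with (?P<name>...); other engines use (?<name>...).
GROUP_RE = re.compile(
    r"^aws#(?P<alias>[^#]+)#(?P<role>[\w+=,.@-]+)#(?P<account_id>\d{12})$"
)


def build_group_name(alias: str, role: str, account_id: str) -> str:
    """Produce one directory group name in the recommended syntax."""
    if "#" in alias or "#" in role:
        raise ValueError("'#' is the delimiter and may not appear in alias or role")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"account ID must be 12 digits: {account_id!r}")
    return GROUP_FORMAT.format(alias=alias, role=role, account_id=account_id)


def generate_group_names(accounts: Dict[str, Dict]) -> List[str]:
    """Scripted method: one group name per role per account."""
    return [
        build_group_name(info["alias"], role, account_id)
        for account_id, info in accounts.items()
        for role in info["roles"]
    ]


def export_roles_csv(accounts: Dict[str, Dict]) -> str:
    """CSV method: a file for the directory team carrying everything the
    group syntax needs (account ID and alias, not only the role name)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["account_id", "account_alias", "role_name", "group_name"])
    for account_id, info in accounts.items():
        for role in info["roles"]:
            writer.writerow([account_id, info["alias"], role,
                             build_group_name(info["alias"], role, account_id)])
    return buf.getvalue()


def parse_group_name(name: str) -> Optional[Dict[str, str]]:
    """Apply the filter regex to one group name. Returns the extracted alias,
    role and account ID plus the matching role ARN, or None for non-AWS groups."""
    m = GROUP_RE.match(name)
    if m is None:
        return None
    parts = m.groupdict()
    parts["role_arn"] = f"arn:aws:iam::{parts['account_id']}:role/{parts['role']}"
    return parts


def role_arns_for_groups(group_names: List[str]) -> List[str]:
    """Map a user's directory group memberships to the role ARNs they may
    assume; groups that do not match the syntax are ignored."""
    arns = []
    for name in group_names:
        parsed = parse_group_name(name)
        if parsed is not None:
            arns.append(parsed["role_arn"])
    return arns


if __name__ == "__main__":
    for group in generate_group_names(SAMPLE_ACCOUNTS):
        print(group)
    print(export_roles_csv(SAMPLE_ACCOUNTS))
    print(role_arns_for_groups(
        ["Finance", "aws#dev#Developer#222222222222", "aws#dev#X#12"]))
```

Whatever syntax you settle on, keep the generator and the filter regex in one place and test them against each other as above: a group name the generator emits that the regex rejects means a role silently disappears from users' entitlements, and a regex that is too loose can map an unrelated directory group onto an AWS role.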