AWS Identity Center (SSO) list all assignments

identity-center-list-all-assignments.sh

IDENTITY_CENTER_INSTANCE_ARN="$(aws sso-admin list-instances --output text --query 'Instances[0].InstanceArn')"
IDENTITY_STORE_ID="$(aws sso-admin list-instances --output text --query 'Instances[0].IdentityStoreId')"

for acctid in $(aws organizations list-accounts --query 'Accounts[][Id]' --output text); do
  echo "acct:$(aws organizations describe-account --account-id "$acctid" --output text --query 'Account.[Id, Email, Name]')"
  for psarn in $(aws sso-admin list-permission-sets-provisioned-to-account --account-id "$acctid" --instance-arn "$IDENTITY_CENTER_INSTANCE_ARN" --output text --query 'PermissionSets[]'); do
      echo "  permissionset:$(aws sso-admin describe-permission-set --instance-arn "$IDENTITY_CENTER_INSTANCE_ARN" --permission-set-arn "$psarn" --output text --query 'PermissionSet.[Name]')"
      for groupid in $(aws sso-admin list-account-assignments --account-id "$acctid" --instance-arn "$IDENTITY_CENTER_INSTANCE_ARN" --permission-set-arn "$psarn" --output text --query 'AccountAssignments[?PrincipalType==`GROUP`].[PrincipalId]'); do
        echo "    group:$(aws identitystore describe-group --identity-store-id "$IDENTITY_STORE_ID" --group-id "$groupid" --output text --query 'DisplayName')"
      done

      for userid in $(aws sso-admin list-account-assignments --account-id "$acctid" --instance-arn "$IDENTITY_CENTER_INSTANCE_ARN" --permission-set-arn "$psarn" --output text --query 'AccountAssignments[?PrincipalType==`USER`].[PrincipalId]'); do
        echo "    user:$(aws identitystore describe-user --identity-store-id "$IDENTITY_STORE_ID" --user-id "$userid" --output text --query 'UserName')"
      done
  done
  echo
done