Why does Google Workspace SCIM not provision groups to AWS IAM Identity Center?


I successfully set up autoprovisioning for users coming from Google Workspace in AWS IAM Identity Center. Unfortunately, groups are not synced over at all.

Right now, groups are mapped as shown in the following screenshot:

Group SAML Mapping in Google

Assuming that group information is a multi-value SAML attribute, I lost my hope when I found this bullet point in an official guide:

Currently, multivalue attributes (such as multiple emails or phone numbers for a given user) are not provisioned with SCIM. Attempts to synchronize multivalue attributes into IAM Identity Center with SCIM will fail. To avoid failures, ensure that only a single value is passed for each attribute. If you have users with multivalue attributes, remove or modify the duplicate attribute mappings in SCIM at your IdP for the connection to IAM Identity Center.

Does this mean that groups and group memberships cannot be synchronized at all to Identity Center using SCIM? If not, what am I missing?

Thanks in advance for any advice.

3

There are 3 best solutions below

2
Trevor Robinson On

The AWS docs say that it isn't supported, in a note at the end of step 10:

SCIM automatic synchronization from Google Workspace only supports provisioning users; groups aren't automatically provisioned. You can't create groups for your Google Workspace users using the AWS Management Console. After provisioning users, you can create groups using a CLI or API operation.

A previous version of the docs was slightly more clear:

About group provisioning

SCIM automatic provisioning of Google Workspace groups isn't available. You can create groups manually as follows:

  • Identity Store AWS CLI create-group operation
  • CreateGroup API

You can't create groups manually in the AWS Management Console.

0
Walter Heck On

As noted by @trevor-robinson, this somehow isn't supported automatically. I was, however, helped by his comment about this being possible from the API. I managed to get things working from Terraform, which I guess is a decent enough workaround for now.

    data "aws_ssoadmin_instances" "iam-identity-center" {
        # an extra provider is needed to query the ssoadmin api if you're not using the same region as the identity store
        provider = aws.eu-central-1
    }

    output "arn" {
        value = tolist(data.aws_ssoadmin_instances.iam-identity-center.arns)[0]
    }

    output "identity_store_id" {
        value = tolist(data.aws_ssoadmin_instances.iam-identity-center.identity_store_ids)[0]
    }

    resource "aws_identitystore_group" "iam-identity-center-admins" {
        identity_store_id = tolist(data.aws_ssoadmin_instances.iam-identity-center.identity_store_ids)[0]
        display_name      = "iam-identity-center-admins"
        provider          = aws.eu-central-1
    }

    resource "aws_identitystore_group" "iam-identity-center-developers" {
        identity_store_id = tolist(data.aws_ssoadmin_instances.iam-identity-center.identity_store_ids)[0]
        display_name      = "iam-identity-center-developers"
        provider          = aws.eu-central-1
    }
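The same workaround done through the Identity Store API rather than Terraform, as an added example that is not from the original post: look each group up by displayName before creating it, then add the SCIM-provisioned users by their userName, skipping memberships that already exist. The client is injected so the logic can run offline against the constructed FakeIdentityStore; the store id and user names are placeholders, and with boto3 you would pass boto3.client("identitystore").

```python
# Added example, not code from the original post: create Identity Store groups
# and memberships via the identitystore API once SCIM has provisioned the users.
# The client is injected; pass boto3.client("identitystore") for real use. The
# FakeIdentityStore below, its users and the store id are constructed stand-ins.

def ensure_group(client, store_id, name):
    """Return (group_id, created): look the group up by displayName first so
    re-runs do not create duplicates."""
    ident = {"UniqueAttribute": {"AttributePath": "displayName", "AttributeValue": name}}
    try:
        return client.get_group_id(IdentityStoreId=store_id, AlternateIdentifier=ident)["GroupId"], False
    except client.exceptions.ResourceNotFoundException:
        return client.create_group(IdentityStoreId=store_id, DisplayName=name)["GroupId"], True

def ensure_members(client, store_id, group_id, usernames):
    """Add users (looked up by SCIM userName) to the group. An existing
    membership raises ConflictException and is skipped, so re-runs are safe."""
    added = []
    for username in usernames:
        ident = {"UniqueAttribute": {"AttributePath": "userName", "AttributeValue": username}}
        uid = client.get_user_id(IdentityStoreId=store_id, AlternateIdentifier=ident)["UserId"]
        try:
            client.create_group_membership(IdentityStoreId=store_id, GroupId=group_id, MemberId={"UserId": uid})
        except client.exceptions.ConflictException:
            continue  # already a member
        added.append(username)
    return added

class FakeIdentityStore:
    """Constructed in-memory stand-in for boto3's identitystore client."""
    class exceptions:
        class ResourceNotFoundException(Exception): pass
        class ConflictException(Exception): pass
    def __init__(self):
        self.groups, self.members = {}, set()
        self.users = {"alice@example.com": "u-1", "bob@example.com": "u-2"}  # constructed
    def get_group_id(self, IdentityStoreId, AlternateIdentifier):
        name = AlternateIdentifier["UniqueAttribute"]["AttributeValue"]
        if name not in self.groups:
            raise self.exceptions.ResourceNotFoundException()
        return {"GroupId": self.groups[name]}
    def create_group(self, IdentityStoreId, DisplayName):
        self.groups[DisplayName] = f"g-{len(self.groups) + 1}"
        return {"GroupId": self.groups[DisplayName]}
    def get_user_id(self, IdentityStoreId, AlternateIdentifier):
        return {"UserId": self.users[AlternateIdentifier["UniqueAttribute"]["AttributeValue"]]}
    def create_group_membership(self, IdentityStoreId, GroupId, MemberId):
        if (GroupId, MemberId["UserId"]) in self.members:
            raise self.exceptions.ConflictException()
        self.members.add((GroupId, MemberId["UserId"]))
```

The AlternateIdentifier lookups and the ConflictException handling mirror the real API's behaviour, which is what makes the script safe to run on a schedule.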

0
snorberhuis On

As noted by @Trevor Robinson, the AWS docs say that it is not supported.

But AWS does provide and support an open source project, sso-sync, that can sync your Google groups regularly to AWS Identity Center. The project can be found on GitHub and can be installed using the Serverless Application Repository.