Closed
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
The table aws_ssoadmin_account_assignments is only populated with data from the account with which SSO is managed; in our case this is the root/management account of the Org.
Expected Behavior
I'd like to be able to link all SSO Users/Groups to their assigned permission sets across all accounts; I can only link them in the management account currently.
CloudQuery (redacted) config
kind: source
spec:
  ## Required. name of the plugin to use.
  ## This should be unique if you have number of aws plugins.
  name: 'aws'
  ## Optional. Where to search for the plugin. Default: "github". Options: "github", "local", "grpc"
  # registry: "github"
  ## Path for the plugin.
  ## If registry is "github" path should be "repo/name"
  ## If registry is "local", path is path to binary. If "grpc" then it should be address of the plugin (usually useful in debug).
  path: 'cloudquery/aws'
  ## Required. Must be a specific version starting with v, e.g. v1.2.3
  ## checkout latest versions here https://github.com/cloudquery/cloudquery/releases?q=plugins-source-aws&expanded=true
  version: ${CQ_VAR_CLOUD_QUERY_AWS_PLUGIN_VERSION}
  ## Optional. Default: ["*"] - all tables. We recommend to specify specific tables that you need to sync as this
  ## will reduce the amount of data synced and improve performance.
  ## See all tables: https://github.com/cloudquery/cloudquery/blob/main/plugins/source/aws/docs/tables/README.md
  tables: ['*']
  skip_tables:
    [
      'aws_athena_work_group_query_executions',
      'aws_cloudtrail_events',
      'aws_ec2_instance_types',
      'aws_ec2_images',
      'aws_ec2_image_launch_permissions',
      'aws_ecr_repository_image_scan_findings',
      'aws_elasticache_reserved_cache_nodes_offerings',
      'aws_inspector2_findings',
      'aws_inspector_findings',
      'aws_rds_engine_versions',
      'aws_securityhub_findings',
      'aws_stepfunctions_executions',
      'aws_stepfunctions_map*',
      'aws_amp_*',
      'aws_amplify_*',
      'aws_applicationautoscaling_*',
      'aws_apprunner_*',
      'aws_appstream_*',
      'aws_docdb_*',
      'aws_frauddetector_*',
      'aws_iot_*',
      'aws_lightsail*',
      'aws_neptune_*',
      'aws_qldb_*',
      'aws_quicksight_*',
      'aws_rds_cluster_parameter*',
      'aws_rds_db_parameter*',
      'aws_resiliencehub_*',
      'aws_sagemaker_*',
      'aws_servicequotas_*',
    ]
  ## Required. all destinations you want to sync data to.
  destinations: ['postgresql']
  resource_concurrency: 100000
  spec:
    ## Optional. plugin specific configuration
    ## By default will use the current aws credentials available (just like AWS CLI)
    ## See all available options here: https://github.com/cloudquery/cloudquery/blob/main/plugins/source/aws/docs/configuration.md
    org:
      member_role_name: ${CQ_VAR_AWS_CLOUD_QUERY_MEMBER_ROLE_NAME}
      admin_account:
        id: '******************'
        role_arn: ${CQ_VAR_AWS_CLOUD_QUERY_ADMIN_ROLE_ARN}
      member_trusted_principal:
        id: '******************'
        role_arn: ${CQ_VAR_AWS_CLOUD_QUERY_ROLE_ARN}
    aws_debug: true
    max_retries: 10
    max_backoff: 90
---
kind: destination
spec:
  ## Required. name of the plugin.
  ## This is an alias so it should be unique if you have a number of postgresql destination plugins.
  name: 'postgresql'
  ## Optional. Where to search for the plugin. Default: "github". Options: "github", "local", "grpc".
  # registry: "github"
  ## Path for the plugin.
  ## If registry is "github" path should be "repo/name"
  ## If registry is "local", path is path to binary. If "grpc" then it should be address of the plugin (usually useful in debug).
  path: 'cloudquery/postgresql'
  ## Required. Must be a specific version starting with v, e.g. v1.2.3
  ## checkout latest versions here https://github.com/cloudquery/cloudquery/releases?q=plugins-destination-postgresql&expanded=true
  version: ${CQ_VAR_CLOUD_QUERY_POSTGRESQL_PLUGIN_VERSION}
  ## Optional. Default: "overwrite-delete-stale". Available: "overwrite-delete-stale", "overwrite", "append".
  ## Not all modes are supported by all plugins, so make sure to check the plugin documentation for more details.
  write_mode: 'overwrite-delete-stale' # overwrite-delete-stale, overwrite, append
  spec:
    ## plugin-specific configuration for PostgreSQL.
    ## See all available options here: https://github.com/cloudquery/cloudquery/tree/main/plugins/destination/postgresql#postgresql-spec
    ## Required. Connection string to your PostgreSQL instance
    ## In production it is highly recommended to use environment variable expansion
    connection_string: 'postgres://${CQ_VAR_POSTGRES_DB_USER}:${CQ_VAR_POSTGRES_DB_PASSWORD}@${CQ_VAR_POSTGRES_DB_HOST}:${CQ_VAR_POSTGRES_DB_PORT}/${CQ_VAR_POSTGRES_DB_NAME}?sslmode=disable'
Steps To Reproduce
No response
CloudQuery (redacted) logs
No errors or access denied messages that I can find in our logs relate to this issue.
CloudQuery version
3.3.1
Additional Context
AWS plugin v17.2.0
Postgres plugin v4.0.5
Pull request (optional)
- I can submit a pull request