<!DOCTYPE html>
<html>
<head>
<title>Why Google Workspace SCIM Does Not Provision Groups to AWS IAM Identity Center</title>
</head>
<body>
<h1>Why Google Workspace SCIM Does Not Provision Groups to AWS IAM Identity Center</h1>
<p>Google Workspace SCIM does not provision groups to AWS IAM Identity Center because AWS does not support it. The AWS documentation states this in a note at the end of step 10:</p>
<blockquote>
<p>SCIM automatic synchronization from Google Workspace only supports provisioning users; groups aren't automatically provisioned. You can't create groups for your Google Workspace users using the AWS Management Console. After provisioning users, you can create groups using a CLI or API operation.</p>
</blockquote>
<p>A previous version of the documentation was slightly clearer:</p>
<blockquote>
<p>About group provisioning</p>
<p>SCIM automatic provisioning of Google Workspace groups isn't available. You can create groups manually as follows:</p>
<ul>
<li>Identity Store AWS CLI create-group operation</li>
<li>CreateGroup API</li>
</ul>
<p>You can't create groups manually in the AWS Management Console.</p>
</blockquote>
<p>The workaround is to create the groups yourself through the AWS CLI or the Identity Store API. Here is an example that does it with Terraform, which calls the same API:</p>
<pre>
# The alias "aws.eu-central-1" must be declared in a provider block elsewhere in
# the configuration (provider "aws" { alias = "eu-central-1" region = "eu-central-1" }).
data "aws_ssoadmin_instances" "iam-identity-center" {
  # An extra provider is needed to query the ssoadmin API if your default
  # region is not the one that hosts the identity store.
  provider = aws.eu-central-1
}

output "arn" {
  value = tolist(data.aws_ssoadmin_instances.iam-identity-center.arns)[0]
}

output "identity_store_id" {
  value = tolist(data.aws_ssoadmin_instances.iam-identity-center.identity_store_ids)[0]
}

resource "aws_identitystore_group" "iam-identity-center-admins" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.iam-identity-center.identity_store_ids)[0]
  display_name      = "iam-identity-center-admins"
  provider          = aws.eu-central-1
}

resource "aws_identitystore_group" "iam-identity-center-developers" {
  identity_store_id = tolist(data.aws_ssoadmin_instances.iam-identity-center.identity_store_ids)[0]
  display_name      = "iam-identity-center-developers"
  provider          = aws.eu-central-1
}
</pre>
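<p>Creating the group is only half of the workaround: SCIM never adds Google Workspace users to it, so membership also has to be managed through the Identity Store API. The following is an added example, not code from the original post, that reconciles a group's membership against a desired list of userNames (the Google Workspace SCIM connector sets userName to the email address). It goes beyond the post by covering membership, not just group creation. The client is <code>boto3.client("identitystore")</code> in production; the <code>FakeIdentityStore</code> class, the identity store id, group id, user ids and email addresses are all constructed so the logic runs offline. A userName that SCIM has not provisioned yet raises (KeyError from the fake, ResourceNotFoundException from boto3) instead of being skipped, so a typo cannot silently leave an admin group half-populated.</p>

```python
# Added example (not from the page): fill a group that Terraform created with
# members, using the Identity Store API the page's workaround relies on.
# `client` is boto3.client("identitystore") in production; FakeIdentityStore is
# a constructed offline stand-in that returns the same response shapes.
# Users are looked up by userName, which the Google Workspace SCIM connector
# sets to the user's email address.

def reconcile_group_members(client, identity_store_id, group_id, desired_usernames):
    """Make the group contain exactly desired_usernames; return (added, removed) UserIds."""
    desired = set()
    for name in desired_usernames:
        desired.add(client.get_user_id(
            IdentityStoreId=identity_store_id,
            AlternateIdentifier={"UniqueAttribute": {
                "AttributePath": "userName", "AttributeValue": name}})["UserId"])
    current = {}  # UserId -> MembershipId, following NextToken for large groups
    kwargs = {"IdentityStoreId": identity_store_id, "GroupId": group_id}
    while True:
        page = client.list_group_memberships(**kwargs)
        for m in page["GroupMemberships"]:
            current[m["MemberId"]["UserId"]] = m["MembershipId"]
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    added = sorted(desired - set(current))
    for uid in added:
        client.create_group_membership(IdentityStoreId=identity_store_id,
                                       GroupId=group_id, MemberId={"UserId": uid})
    removed = sorted(set(current) - desired)
    for uid in removed:
        client.delete_group_membership(IdentityStoreId=identity_store_id,
                                       MembershipId=current[uid])
    return added, removed


class FakeIdentityStore:
    """Constructed in-memory stand-in for boto3.client("identitystore")."""
    def __init__(self, users, memberships):
        self.users = users                    # userName -> UserId
        self.memberships = dict(memberships)  # MembershipId -> (GroupId, UserId)
    def get_user_id(self, IdentityStoreId, AlternateIdentifier):
        return {"UserId": self.users[AlternateIdentifier["UniqueAttribute"]["AttributeValue"]]}
    def list_group_memberships(self, IdentityStoreId, GroupId, NextToken=None):
        return {"GroupMemberships": [{"MembershipId": k, "MemberId": {"UserId": u}}
                                     for k, (g, u) in self.memberships.items() if g == GroupId]}
    def create_group_membership(self, IdentityStoreId, GroupId, MemberId):
        self.memberships[f"m-{GroupId}-{MemberId['UserId']}"] = (GroupId, MemberId["UserId"])
        return {"MembershipId": f"m-{GroupId}-{MemberId['UserId']}"}
    def delete_group_membership(self, IdentityStoreId, MembershipId):
        del self.memberships[MembershipId]
        return {}
```

<p>Run it from a pipeline after <code>terraform apply</code>, passing the <code>group_id</code> attribute of each <code>aws_identitystore_group</code> resource; a second run with the same list makes no changes.</p>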
</body>
</html>