2

When creating a Workspace, I can create one or more users by providing an email address and other information.


I am trying to do the same using the AWS API or boto3 in Python. Neither WorkSpaces nor DirectoryService in boto3 provides a way to create a user in AWS Simple AD.

How do I create a user on AWS Simple AD programmatically?

SMUsamaShah
  • 7,677
  • 22
  • 88
  • 131

3 Answers

2

Actually, it looks like you might be able to do this. Check out the API documentation for workdocs. It says "Creates a user in a Simple AD or Microsoft AD directory."

https://docs.aws.amazon.com/workdocs/latest/APIReference/API_CreateUser.html

POST /api/v1/users HTTP/1.1
Authentication: AuthenticationToken
Content-type: application/json

{
   "EmailAddress": "string",
   "GivenName": "string",
   "OrganizationId": "string",
   "Password": "string",
   "StorageRule": { 
      "StorageAllocatedInBytes": number,
      "StorageType": "string"
   },
   "Surname": "string",
   "TimeZoneId": "string",
   "Username": "string"
}

boto3 doc: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/workdocs.html#WorkDocs.Client.create_user

JapethMarvel
  • 161
  • 1
  • 5
  • 2
    Technically correct, but subject to a variety of conditions: (1) The Directory must be enabled on WorkDocs. This can be done during registration or manually thereafter. (2) Created users are "active" in WorkDocs (presumably incurring cost) unless you also deactivate them. (3) There appears to be no API call to remove the WorkDocs site/application, so this is not fully reversible (e.g. complicating our effort to create a [CloudFormation custom resource](https://github.com/ambsw/cfn-workspaces-provider)). – claytond Jul 17 '20 at 04:24
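The CreateUser call from the answer, wired up with boto3 and with the deactivation step from the comment above, as an added example (not code from the answer, from AWS, or from the linked CloudFormation project). It assumes the directory has already been enabled for WorkDocs, that OrganizationId is the directory id (the placeholder d-0000000000 is used here), and that the caller holds workdocs:CreateUser and workdocs:DeactivateUser permissions. DryRunClient is a constructed stand-in for the boto3 client so the logic can be exercised offline.

```python
"""Create a directory user through the WorkDocs CreateUser API with boto3.

Added example, not code from the answer or from AWS. Assumptions: the
directory is already enabled for WorkDocs (OrganizationId is the directory
id, written here as the placeholder d-0000000000), and the caller holds
workdocs:CreateUser and workdocs:DeactivateUser permissions.
"""
from typing import Any, Dict, List, Optional, Tuple

REQUIRED_FIELDS = ("Username", "GivenName", "Surname", "Password")


def build_create_user_request(
    organization_id: str,
    username: str,
    given_name: str,
    surname: str,
    password: str,
    email: Optional[str] = None,
    time_zone_id: Optional[str] = None,
) -> Dict[str, Any]:
    """Build keyword arguments for workdocs.Client.create_user.

    Mirrors the request body quoted in the answer; StorageRule is omitted so
    the directory's default allocation applies.
    """
    params: Dict[str, Any] = {
        "OrganizationId": organization_id,
        "Username": username,
        "GivenName": given_name,
        "Surname": surname,
        "Password": password,
    }
    if email:
        params["EmailAddress"] = email
    if time_zone_id:
        params["TimeZoneId"] = time_zone_id
    missing = [k for k in REQUIRED_FIELDS if not params.get(k)]
    if missing:
        raise ValueError(f"missing required CreateUser fields: {missing}")
    if not organization_id.startswith("d-"):
        raise ValueError("OrganizationId must be a directory id such as d-0000000000")
    return params


def redact(params: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the request that is safe to log: the password never reaches a log line."""
    return {k: ("***" if k == "Password" else v) for k, v in params.items()}


def create_directory_user(client: Any, deactivate: bool = True, **user_fields: Any) -> Dict[str, Any]:
    """Create the user, then deactivate its WorkDocs seat unless deactivate=False.

    `client` is a boto3 WorkDocs client or any object with the same
    create_user / deactivate_user signatures, so a stand-in can be injected.
    The directory account remains; only the WorkDocs user becomes INACTIVE,
    which addresses the cost concern raised in the comment.
    """
    params = build_create_user_request(**user_fields)
    user = client.create_user(**params)["User"]
    if deactivate and user.get("Status") == "ACTIVE":
        client.deactivate_user(UserId=user["Id"])
        user = dict(user, Status="INACTIVE")
    return {"request": redact(params), "user": user}


class DryRunClient:
    """Constructed stand-in for the boto3 WorkDocs client: records each call
    and returns responses shaped like the real API without any network use."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def create_user(self, **params: Any) -> Dict[str, Any]:
        self.calls.append(("create_user", redact(params)))
        return {"User": {"Id": "user-0001", "Username": params["Username"], "Status": "ACTIVE"}}

    def deactivate_user(self, **params: Any) -> Dict[str, Any]:
        self.calls.append(("deactivate_user", dict(params)))
        return {}


if __name__ == "__main__":
    try:
        import boto3  # real call: needs AWS credentials and an enabled directory
        client = boto3.client("workdocs", region_name="us-east-1")
    except ImportError:
        client = DryRunClient()  # offline dry run
    print(create_directory_user(
        client,
        organization_id="d-0000000000",  # placeholder directory id
        username="jdoe",
        given_name="Jane",
        surname="Doe",
        password="<temporary-password>",
        email="jdoe@example.com",
    ))
```

Passing the client in, rather than constructing it inside the function, is what lets the same code run against the dry-run stand-in and against a real WorkDocs client; the redacted copy of the request is the only thing that should ever be logged.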
1

Simple answer is that you cannot create a user 'programmatically'. You cannot even create just a user in Simple AD, you can only create it when creating a Workspace.

To create AD users you will need to start up a Windows EC2 instance and add it to the AWS Directory domain. Then, install AD management tools in that instance and use them to create/manage users. You can read about it in detail here: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/simple_ad_how_to.html

You can run a PowerShell script in that EC2 instance to automate this. Maybe even create a Lambda function to run it.

NFR
  • 316
  • 2
  • 11
0

The answer from @JapethMarvel is probably the closest to what you're looking for, but it's subject to a variety of conditions that I documented in my comment.

It's worth noting that this Amazon blog post demonstrates a Lambda that makes API calls directly to the Directory Service using the ldap3 library. I haven't investigated it in depth, but it seems likely that users could be managed in this way. Of course, this solution comes with other constraints since the system (or Lambda) running this script must be able to access the Directory (not just the AWS APIs). If that directory is private, the Lambda would need to be given access to the VPC (e.g. by attaching it).

This prevents us from using it e.g. in a Custom CloudFormation Resource Provider without additional layers of complexity. For example, it might be possible to have the CF Resource create a VPC-bound Lambda to proxy requests to the Directory.

claytond
  • 1,061
  • 9
  • 22
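The LDAP route this answer points at (a Lambda writing to the directory with ldap3), as an added example that is not the blog post's code or the answer's. It builds the entry an ldap3 `Connection.add()` call needs and assumes: the caller can reach the directory's LDAP endpoint from inside the VPC, binds as an account allowed to create objects under CN=Users, and, when a password is supplied, uses a TLS-protected connection, because Active Directory accepts the unicodePwd attribute only over an encrypted session. Whether Simple AD accepts these writes the same way as Microsoft AD is not something this thread establishes. DryRunConnection is a constructed stand-in for ldap3.Connection so the example runs offline.

```python
"""Add a user to an AD-compatible directory over LDAP, the approach taken by
the Lambda/ldap3 blog post the answer mentions. Added example, not the blog's
or the answer's code. Assumptions: LDAP reachability from the VPC, a bind
account permitted to create objects under CN=Users, and a TLS connection when
a password is set (AD accepts unicodePwd only over an encrypted session).
"""
from typing import Any, Dict, List, Optional, Tuple

OBJECT_CLASSES = ["top", "person", "organizationalPerson", "user"]
NORMAL_ACCOUNT = 0x0200      # userAccountControl flag values
ACCOUNT_DISABLE = 0x0002
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def domain_to_base_dn(dns_domain: str) -> str:
    """corp.example.com -> DC=corp,DC=example,DC=com"""
    labels = [label for label in dns_domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS domain")
    return ",".join(f"DC={label}" for label in labels)


def escape_rdn_value(value: str) -> str:
    """Escape characters that are special inside an RDN value (RFC 4514)."""
    out = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def validate_sam_account_name(name: str) -> str:
    """sAMAccountName is limited to 20 characters and a restricted charset."""
    if not name or len(name) > 20 or any(ch in SAM_FORBIDDEN for ch in name):
        raise ValueError(f"invalid sAMAccountName: {name!r}")
    return name


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the password wrapped in double quotes and UTF-16-LE encoded."""
    return f'"{password}"'.encode("utf-16-le")


def build_user_entry(
    dns_domain: str,
    sam_account_name: str,
    given_name: str,
    surname: str,
    password: Optional[str] = None,
    container: str = "CN=Users",
) -> Tuple[str, Dict[str, Any]]:
    """Return (dn, attributes) for an add(); the account is created disabled
    when no password is supplied, so it cannot be used until one is set."""
    display_name = f"{given_name} {surname}"
    dn = f"CN={escape_rdn_value(display_name)},{container},{domain_to_base_dn(dns_domain)}"
    uac = NORMAL_ACCOUNT if password else NORMAL_ACCOUNT | ACCOUNT_DISABLE
    attributes: Dict[str, Any] = {
        "sAMAccountName": validate_sam_account_name(sam_account_name),
        "userPrincipalName": f"{sam_account_name}@{dns_domain}",
        "givenName": given_name,
        "sn": surname,
        "displayName": display_name,
        "userAccountControl": uac,
    }
    if password:
        attributes["unicodePwd"] = encode_unicode_pwd(password)
    return dn, attributes


def add_ad_user(conn: Any, **fields: Any) -> Tuple[str, bool]:
    """conn is an ldap3.Connection or a stand-in with the same add() signature."""
    dn, attributes = build_user_entry(**fields)
    return dn, bool(conn.add(dn, OBJECT_CLASSES, attributes))


class DryRunConnection:
    """Constructed stand-in for ldap3.Connection: records the add, no network."""

    def __init__(self) -> None:
        self.added: List[Tuple[str, List[str], Dict[str, Any]]] = []

    def add(self, dn: str, object_class: Any = None, attributes: Any = None, controls: Any = None) -> bool:
        self.added.append((dn, list(object_class or []), dict(attributes or {})))
        return True


if __name__ == "__main__":
    # For a real run, replace with ldap3.Connection(server, user=..., password=..., auto_bind=True)
    conn = DryRunConnection()
    print(add_ad_user(conn, dns_domain="corp.example.com", sam_account_name="jdoe",
                      given_name="Jane", surname="Doe"))
```

The two details that trip people up are encoded in the helpers: the password must be sent as `"password"` in UTF-16-LE under the unicodePwd attribute, and userAccountControl decides whether the new account is usable at all (512) or created disabled (514) until someone sets a password.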