1. Create an "AWS Users" group on Google Workspace (and any other groups as required; permissions on AWS will be assigned per group).
2. Follow https://docs.aws.amazon.com/singlesignon/latest/userguide/gs-gwp.html up to step 3 (one change: instead of turning the app "on for everyone", turn it on only for the AWS Users group).
3. Create a new project on Google Cloud and, in that project:
   1. Enable the Admin SDK API.
   2. Create a service account and download its JSON credentials (no roles need to be added to the service account).
   3. Set up domain-wide delegation for the service account with these scopes:
      1. https://www.googleapis.com/auth/admin.directory.group.readonly
      2. https://www.googleapis.com/auth/admin.directory.group.member.readonly
      3. https://www.googleapis.com/auth/admin.directory.user.readonly
4. Go to AWS IAM Identity Center and enable automatic provisioning. Keep note of the SCIM endpoint and access token.
5. Deploy this AWS SAR app: https://console.aws.amazon.com/lambda/home#/create/app?applicationId=arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync
   1. GoogleAdminEmail = any email address that has full admin privileges on Google Workspace (the user the service account acts on behalf of through domain-wide delegation)
   2. GoogleGroupMatch = name:AWS*
   3. DeployPattern = App + secrets
   4. SyncMethod = groups
   5. SCIMEndpointAccessToken = the access token from step 4
   6. SCIMEndpointUrl = the SCIM endpoint from step 4
   7. IdentityStoreID = the Identity store ID shown in the IAM Identity Center settings
   8. GoogleCredentials = the contents of the service-account JSON file from step 3.2
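Before deploying the SAR app, it is worth checking offline that the inputs from steps 3 and 5 are what SSOSync expects. The script below is an added example, not part of this guide or of SSOSync: it validates the downloaded service-account JSON, compares the scopes granted under domain-wide delegation with the three listed above, and previews which groups a `GoogleGroupMatch` value would select. The group preview only emulates the `name:PREFIX*` form used above and assumes the case-insensitive prefix semantics of the Admin SDK `groups.list` query; `SAMPLE_GROUPS` is constructed data.

```python
import json

# Scopes for domain-wide delegation (step 3.3): all read-only, which is all SSOSync needs.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.member.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
})

# Constructed sample of what Workspace groups.list might return (not real data).
SAMPLE_GROUPS = [
    {"name": "AWS Users", "email": "aws-users@example.com"},
    {"name": "AWS Admins", "email": "aws-admins@example.com"},
    {"name": "Finance", "email": "finance@example.com"},
]

def check_service_account_key(raw_json):
    """Return problems in the downloaded service-account JSON (step 3.2).
    client_id goes into the domain-wide delegation screen; client_email and
    private_key are what SSOSync uses to obtain delegated access tokens."""
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = []
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    for field in ("client_id", "client_email", "private_key"):
        if not key.get(field):
            problems.append(f"missing {field}")
    if key.get("private_key") and "BEGIN PRIVATE KEY" not in key["private_key"]:
        problems.append("private_key is not a PEM private key")
    return problems

def check_delegation_scopes(granted):
    """Report scopes missing from, or granted beyond, the three required ones."""
    granted = {s.strip() for s in granted}
    return {"missing": sorted(REQUIRED_SCOPES - granted),
            "excess": sorted(granted - REQUIRED_SCOPES)}

def matching_groups(groups, pattern):
    """Preview which groups a GoogleGroupMatch such as 'name:AWS*' selects.
    Only 'name:PREFIX*' is emulated, assuming the case-insensitive prefix
    match of the Admin SDK groups.list query parameter."""
    field, _, value = pattern.partition(":")
    if field != "name" or not value.endswith("*"):
        raise ValueError("only 'name:PREFIX*' patterns are emulated here")
    prefix = value[:-1].lower()
    return sorted(g["email"] for g in groups if g["name"].lower().startswith(prefix))
```

Any "excess" scope reported by `check_delegation_scopes` is a grant SSOSync never uses and can be removed from the delegation entry.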