aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

aws identitystore list-users for all users #109

Closed iainelder closed 1 year ago

iainelder commented 3 years ago

Is your feature request related to a problem? Please describe.

I can't figure out how to get a list of all the SSO users using the API.

The documentation for the list-users command is too generic to be useful.

The documentation for the ListUsers API is slightly more specific but still vague.

Lists the attribute name and value of the user that you specified in the search. We only support UserName as a valid filter attribute path currently, and filter is required.

Which filter do I need to provide to match all users? Does such a filter exist?

Describe the solution you'd like

I've tried using * as a wildcard with no success.

aws identitystore list-users \
--identity-store-id d-12354567890 \
--filters AttributePath=UserName,AttributeValue="*"

Ideally the match-everything filter should be the default option, like the aws ec2 describe-instances API call.

aws identitystore list-users \
--identity-store-id d-12354567890

Describe alternatives you've considered

I suppose it would be possible to scrape this info from the AWS SSO web console, but that really shouldn't be the only solution.

stobrien89 commented 3 years ago

Hi @iainelder,

Thanks for the question/feature request! I'm currently waiting to hear back from the SSO team on this, as I've tried a few filter variations as well with no success. If not, I'll get this sent to them as a feature request, as it would be an API change.

stobrien89 commented 3 years ago

Hi again @iainelder,

The SSO team got back to me and advised listing all users is currently not supported, but they are working on providing this capability. I'm going to forward this to them regardless.

stobrien89 commented 3 years ago

P44251066

segan23 commented 3 years ago

Any updates / Expectations to remediation?

stobrien89 commented 3 years ago

Hi All,

No updates as of yet. I just reached out again a few moments ago, so I'll let you know as soon as I hear anything!

taha23hasnain commented 3 years ago

Hi team,

Facing this same problem now. Do we have an update on this?

Thanks.

stobrien89 commented 3 years ago

Hi all,

I checked in again with the SSO team and they advised that this feature is on their roadmap and is expected to be delivered sometime within the next year. I'll keep this open for tracking purposes and let everyone know once I have more information!

maxmanders commented 2 years ago

I'd like to express interest in this issue, and hopeful resolution. Between this issue and https://github.com/aws/aws-sdk/issues/25 it seems as though unless you have an IdP that directly maps groups to AWS groups, you're going to have a bad time. Being unable to programmatically add users to groups, or enumerate users, is a big feature gap.

mikep2468 commented 2 years ago

Hi, the ability to list users would be extremely useful, surprised it does not already exist. Rgds

yevgenypats commented 2 years ago

This will be highly valuable. The funny thing is that this API actually exists, as the console is using it, but it is not exposed in the SDK for whatever reason.

stobrien89 commented 2 years ago

Hey all,

Just a heads-up: We've been moving issues that affect all SDKs, namely service operation requests, to our shared sdk repository for tracking purposes. This issue falls into that category. Please let me know if there are any questions!

skashan-ali commented 2 years ago

Hello AWS,

I am also waiting for this feature to get implemented !!

devops-corgi commented 2 years ago

Bump. Also ran into this issue today.

trtruong commented 2 years ago

I'm also looking for this feature

Abasithdev commented 2 years ago

Sorry for going off topic, but how do I get --identity-store-id in the CLI? Currently I take it from the browser's HTTP request.

antonioned commented 2 years ago

+1 on this feature being added soon.

Additionally, the name of the command/API call does not make any sense if you need to provide an exact username as a filter.

Wito-1 commented 2 years ago

Bump! Also needing a feature like this. Is there any estimated timeline?

cacack commented 2 years ago

I believe this same issue applies to the list-groups function as well. I'm trying to debug an issue with our IdP and need a way to count the number of groups that were provisioned within AWS SSO. Does this warrant a separate issue?

mmfoote commented 2 years ago

+1 for issue, any idea when the group members will be available?

edremington commented 2 years ago

+1

fil-v commented 2 years ago

Plus one on closing this weird gap in AWS SSO, please. Scraping the console for audit reports is not a good look for 2022.

demetriusmoro commented 2 years ago

+1

Galvin-wjw commented 2 years ago

+1, any timeline about this issue?

Aldekein commented 2 years ago

Ran into this while trying to list SSO groups and users for audit, after I found that there's no export feature in the web console.

Aldekein commented 2 years ago

> Sorry for going off topic, but how do I get --identity-store-id in the CLI? Currently I take it from the browser's HTTP request.

@Abasithdev aws sso-admin list-instances will give you InstanceArn and IdentityStoreId values.

songhanpoo commented 2 years ago

+1

marioerceg commented 2 years ago

+1

davidwebstar34 commented 2 years ago

+1

oleksandrsv commented 2 years ago

Any update here?

midas commented 2 years ago

+1 Need this capability really bad in order to script reports for SSO groups, users and permission sets. Also need similar functionality for list-groups.

jswheeler commented 2 years ago

+1

usquetandem commented 2 years ago

+1

rajivm17 commented 2 years ago

+1

tomaszowczarczyk commented 2 years ago

Would be useful to have it in place.

exeding commented 2 years ago

+1

iturner commented 2 years ago

+1

NateLedet commented 2 years ago

@stobrien89 this issue has been open for nearly a year. It's outlined in the documentation and has been documented for probably well over a year now. This doesn't seem like a "feature request", but most certainly a bug. There are 30+ comments from people needing this basic functionality that's defined in the documentation. Users and Groups are being displayed in the SSO Admin page, so what's a solution to aggregate that information?

Thank you.

kdaily commented 2 years ago

Hi @NateLedet et al,

Thanks for your comments. I understand that this is a significant sharp edge to be missing this functionality and the frustration it causes. However, the AWS SDKs do not have control over this feature release. I do not have any more updates at this time. I've indicated to the SSO team that there is significant customer request for this functionality, and I'm checking in again with them to see if there is any update. I'll post here if I receive more information.

Note: please refrain from adding "+1" comments and use the GitHub reactions on the initial post so we can more easily quantify user requests for this issue. Thanks!

iggyzap commented 2 years ago

Actually, this API is already there; it's just not documented and not implemented as part of boto3:

{"method":"POST","path":"/identitystore/","headers":{"Content-Type":"application/json; charset=UTF-8","Content-Encoding":"amz-1.0","X-Amz-Target":"com.amazonaws.identitystore.AWSIdentityStoreService.SearchGroups","X-Amz-Date":"Mon, 07 Feb 2022 16:45:51 GMT","Accept":"application/json, text/javascript, */*"},"region":"eu-west-1","operation":"SearchGroups","contentString":"{\"IdentityStoreId\":\"d-<id>\",\"NextToken\":null}"}

And response:

{
    "Groups": [
        {
            "DisplayName": "<name>",
            "GroupAttributes": {
                "description": {
                    "StringValue": "<value>"
                }
            },
            "GroupId": "<guid>",
            "Meta": {
                "..."
            }
        },
        {
            "DisplayName": "<name>",
            "GroupAttributes": {
                "description": {
                    "StringValue": "<text>"
                }
            },
            "GroupId": "<...>",
            "Meta": {
                "..."
            }
        }
    ],
    "TotalGroupCount": 2
}

ramendola commented 2 years ago

+1

demetriusmoro commented 2 years ago

> Actually, this API is already there; it's just not documented and not implemented as part of boto3:
>
> {"method":"POST","path":"/identitystore/","headers":{"Content-Type":"application/json; charset=UTF-8","Content-Encoding":"amz-1.0","X-Amz-Target":"com.amazonaws.identitystore.AWSIdentityStoreService.SearchGroups","X-Amz-Date":"Mon, 07 Feb 2022 16:45:51 GMT","Accept":"application/json, text/javascript, */*"},"region":"eu-west-1","operation":"SearchGroups","contentString":"{\"IdentityStoreId\":\"d-<id>\",\"NextToken\":null}"}
>
> And response:
>
> {
>     "Groups": [
>         {
>             "DisplayName": "<name>",
>             "GroupAttributes": {
>                 "description": {
>                     "StringValue": "<value>"
>                 }
>             },
>             "GroupId": "<guid>",
>             "Meta": {
>                 "..."
>             }
>         },
>         {
>             "DisplayName": "<name>",
>             "GroupAttributes": {
>                 "description": {
>                     "StringValue": "<text>"
>                 }
>             },
>             "GroupId": "<...>",
>             "Meta": {
>                 "..."
>             }
>         }
>     ],
>     "TotalGroupCount": 2
> }

It does work, but the documentation describes a limitation that may block production use, depending on your use case.

You can use the /Groups endpoint to filter queries on a list of existing groups by making a GET request with additional filter information. Only a maximum of 50 results can be returned. See the Constraints section for a list of available filters.

Source: https://docs.aws.amazon.com/singlesignon/latest/developerguide/listgroups.html.

mmfoote commented 2 years ago

The issue is to get the list of users inside a group, so the above doesn't help at all?

ignat-spark commented 2 years ago

Most likely a similar API exists for users, since the console can't work without it.

pkit commented 2 years ago

> It does work, but the documentation describes a limitation that may block production use, depending on your use case.

Reverse engineering how actual AWS Console does it: it has pagination built in. See MaxResults and NextToken below.

{"method":"POST","path":"/identitystore/","headers":{"Content-Type":"application/json; charset=UTF-8","Content-Encoding":"amz-1.0","X-Amz-Target":"com.amazonaws.identitystore.AWSIdentityStoreService.SearchUsers","X-Amz-Date":"Tue, 15 Feb 2022 16:40:39 GMT","Accept":"application/json, text/javascript, */*"},"region":"us-east-1","operation":"SearchUsers","contentString":"{\"IdentityStoreId\":\"d-1111111\",\"MaxResults\":25,\"NextToken\":null}"}

pkit commented 2 years ago

@kdaily Looks like a political decision to me, as it's clear that the actual AWS Console uses these APIs just fine.
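
An added example (not code from this thread, from AWS, or from boto3) that ties together the three usable facts the thread establishes: the IdentityStoreId comes from sso-admin ListInstances rather than from a browser request (Aldekein's reply above), the only filter the service accepts is an exact UserName match (the documentation quoted in the first post), and the console's own SearchUsers drains results with MaxResults and NextToken (pkit's capture above). The two clients are constructed fakes shaped like boto3 responses, with placeholder store IDs and user records; for real use, replace them with boto3.client("identitystore") and boto3.client("sso-admin"). list_all_users assumes an unfiltered ListUsers, which the SDK rejected when this thread was written (the issue is marked closed above; check your SDK version before relying on it). reconcile() is the audit check that works even against the filter-required API: it probes each name your IdP says it provisioned.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample data, shaped like identitystore ListUsers output.
SAMPLE_STORE_ID = "d-1234567890"  # placeholder, not a real identity store
SAMPLE_USERS = [
    {"UserName": f"user{i:03d}@example.com", "UserId": f"00000000-0000-0000-0000-{i:012d}"}
    for i in range(120)
]


def drain(op: Callable[..., dict], key: str, **params) -> List[dict]:
    """Call a paginated operation until no NextToken is returned.

    Works for list_users / list_groups and the console's SearchUsers shape.
    Aborts if the service hands back a token it already returned, so a
    misbehaving backend cannot spin this loop forever.
    """
    items: List[dict] = []
    seen: set = set()
    token: Optional[str] = None
    while True:
        resp = op(**params, **({"NextToken": token} if token else {}))
        items.extend(resp.get(key, []))
        token = resp.get("NextToken")
        if not token:
            return items
        if token in seen:
            raise RuntimeError(f"NextToken {token!r} repeated; aborting")
        seen.add(token)


def discover_identity_store_id(sso_admin) -> str:
    """IdentityStoreId comes from sso-admin ListInstances, not from the console URL."""
    instances = drain(sso_admin.list_instances, "Instances")
    if len(instances) != 1:
        raise RuntimeError(f"expected exactly one SSO instance, found {len(instances)}")
    return instances[0]["IdentityStoreId"]


def list_all_users(client, store_id: str, page_size: int = 50) -> List[dict]:
    """Unfiltered, paginated enumeration: the call this issue asked for."""
    return drain(client.list_users, "Users", IdentityStoreId=store_id, MaxResults=page_size)


def find_user(client, store_id: str, user_name: str) -> Optional[dict]:
    """Exact UserName match, the only filter the thread confirms is accepted."""
    resp = client.list_users(
        IdentityStoreId=store_id,
        Filters=[{"AttributePath": "UserName", "AttributeValue": user_name}],
    )
    users = resp.get("Users", [])
    return users[0] if users else None


def reconcile(client, store_id: str, expected: List[str]) -> Dict[str, List[str]]:
    """Audit workaround that needs no enumeration: probe each expected name."""
    missing = [n for n in expected if find_user(client, store_id, n) is None]
    return {"present": [n for n in expected if n not in missing], "missing": missing}


class FakeIdentityStore:
    """Constructed stand-in for boto3.client('identitystore').

    Mimics the documented behaviour: only the UserName attribute path is
    accepted in Filters, '*' is not a wildcard, and unfiltered results are
    paged with NextToken.
    """

    def __init__(self, users: List[dict]):
        self._users = users

    def list_users(self, IdentityStoreId, MaxResults=50, NextToken=None, Filters=None):
        if IdentityStoreId != SAMPLE_STORE_ID:
            raise ValueError("ResourceNotFoundException")
        if Filters:
            if len(Filters) != 1 or Filters[0]["AttributePath"] != "UserName":
                raise ValueError("ValidationException: only UserName is a valid filter path")
            wanted = Filters[0]["AttributeValue"]
            return {"Users": [u for u in self._users if u["UserName"] == wanted]}
        start = int(NextToken or 0)
        end = min(start + MaxResults, len(self._users))
        page = {"Users": self._users[start:end]}
        if end < len(self._users):
            page["NextToken"] = str(end)
        return page


class FakeSsoAdmin:
    """Constructed stand-in for boto3.client('sso-admin')."""

    def list_instances(self, NextToken=None, MaxResults=None):
        return {"Instances": [{"InstanceArn": "arn:aws:sso:::instance/ssoins-example",
                               "IdentityStoreId": SAMPLE_STORE_ID}]}


if __name__ == "__main__":
    store = FakeIdentityStore(SAMPLE_USERS)
    sid = discover_identity_store_id(FakeSsoAdmin())
    print(len(list_all_users(store, sid, page_size=25)), "users")
    print(reconcile(store, sid, ["user000@example.com", "ghost@example.com"]))
```

The repeated-token guard in drain() is there because the console's SearchUsers and the SDK's ListUsers are different endpoints; if you point the same loop at an undocumented operation, treat its token as untrusted input rather than assuming it always advances.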

brucewroberts commented 2 years ago

This isn't a feature request, this is a bug. This is just broken functionality: the list-users and list-groups functionality just does not work. We're now about 13 months after the original report. Why is this so hard to implement? The console can certainly get this data, so it's clearly talking to the appropriate backing store directory services.

You'd be better off just removing the functions so developers don't keep trying to make it work like it should and wasting time on it.

christiangda commented 2 years ago

This is an incredibly hard limit imposed by the AWS SSO Team, and not just on the AWS Identity Store API: the same happens with the AWS SSO SCIM implementation, which only supports getting a maximum of 50 entities, without any kind of pagination to retrieve more data.

In my case the identitystore Go SDK v2 doesn't work either, because the filter doesn't support wildcards or other mechanisms.

    package main

    import (
        "context"
        "log"

        "github.com/aws/aws-sdk-go-v2/aws"
        "github.com/aws/aws-sdk-go-v2/config"
        "github.com/aws/aws-sdk-go-v2/service/identitystore"
        "github.com/aws/aws-sdk-go-v2/service/identitystore/types"
    )

    func main() {
        awsConf, err := config.LoadDefaultConfig(context.TODO())
        if err != nil {
            log.Fatal(err)
        }

        ids := identitystore.NewFromConfig(awsConf)

        // UserName is the only filter attribute path the service accepts, and a
        // wildcard (or empty) value is not treated specially, so this does not
        // return all users.
        lui := &identitystore.ListUsersInput{
            Filters: []types.Filter{
                {
                    AttributePath:  aws.String("UserName"),
                    AttributeValue: aws.String("*"), // neither aws.String("")
                },
            },
            IdentityStoreId: aws.String("d-xxxxxxxxxx"),
        }

        lup := identitystore.NewListUsersPaginator(ids, lui)

        pageNum := 0
        for lup.HasMorePages() && pageNum < 5 {
            output, err := lup.NextPage(context.TODO())
            if err != nil {
                // output is nil on error, so stop rather than dereference it.
                log.Fatalf("error: %v", err)
            }
            for _, value := range output.Users {
                log.Printf("user found: %s", aws.ToString(value.UserName))
            }
            pageNum++
        }
    }

So, after 1 year and counting, is the AWS Team going to fix this?

truedays commented 2 years ago

I needed a one-time pull of all User/Group IDs. So I can reference the UID/GIDs within --principal-id for create-account-assignment. Hope this helps someone else until there's an actual fix.

With the user IDs/group IDs included within the links in the table, I used JavaScript to export all the IDs. I increased the page size to 100 (max) and injected the JavaScript below in the DevTools console to get what I need.

1.) Open AWS SSO > Users / Groups

2.) Open the developer console window in Chrome.

use the keyboard shortcut Ctrl + Shift + J or Ctrl + Option + J

3.) Init a variable: var IDS = "";

4.) Run the following for EACH page of users/groups you have: for (let i = 1; i < document.getElementsByTagName("table")[0].rows.length; i++) { IDS = IDS + document.getElementsByTagName("table")[0].rows[i].innerHTML.match('(\/groupDetails\/[^"]*|\/userDetails\/[^&]*)')[0].split('/')[2].replace('userId=','') + "," + document.getElementsByTagName("table")[0].rows[i].innerText.match('([A-Za-z0-9-][^\t]*)')[1].split(',')[0] + '\n'; };

5.) Print the complete list of IDs and Names in console: (If your output is large, Chrome should offer to show more or click "Copy" to simply copy everything) console.log(IDS);

edcrampin commented 2 years ago

+1

Can confirm @truedays approach is working for a manual work-around.

jordanenglish commented 2 years ago

Thanks, @truedays for your code. We were able to use it to find other values we needed. Should be able to copy/paste this into browser console in one step.

const table = document.getElementsByTagName("table")[0];

const IDS = [];

// Row 0 is the header; every following row links to /userDetails/ or /groupDetails/.
for (let i = 1; i < table.rows.length; i++) {
  // The user/group ID is embedded in the detail link's href.
  const userId = table.rows[i].innerHTML
    .match('(/groupDetails/[^"]*|/userDetails/[^&]*)')[0]
    .split("/")[2]
    .replace("userId=", "");
  // The display name is the first tab-separated cell of the row text.
  const userName = table.rows[i].innerText
    .match("([A-Za-z0-9-][^\t]*)")[1]
    .split(",")[0];

  // Fifth column of the row: who created the user/group.
  const createdBy = table.rows[i].getElementsByTagName("td")[4].innerText;

  IDS.push(`${userId},${userName},${createdBy}`);
}

console.log(IDS.join("\n"));