aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

identitystore describe-user: get enabled/disabled status #477

Closed lge-micropole closed 1 year ago

lge-micropole commented 1 year ago

Describe the feature

Using the aws identitystore describe-user command, the enabled/disabled (active) status of the user should be in the response.

Use Case

Internal Audit team wants a regular report about who has access to our AWS infrastructure. In order to automate the reporting, a programmatic access for the enable/disable status of SSO users should be accessible.

Proposed Solution

Add the active status information to the response

Other Information

It seems that this information is available through a SCIM endpoint, but I have no idea how to use it in the context of a CLI command (cf: https://docs.aws.amazon.com/singlesignon/latest/developerguide/listusers.html )

CLI version used

aws-cli/2.9.22

Environment details (OS name and version, etc.)

Python/3.9.11 Windows/10 exe/AMD64 prompt/off

tim-finnigan commented 1 year ago

Thanks @lge-micropole for the feature request. This request would need to get rerouted to the IdentityStore team as they own the underlying APIs. We generally recommend reaching out through AWS Support with API feature requests for more direct escalation if you have a support plan, but we can also forward these requests on your behalf.

I'll transfer this issue to our cross-SDK repository and reach out to the IdentityStore team to see if they would consider adding active (status) to the response of the DescribeUser API. If there are any further details you'd like to share related to this please let us know.

tim-finnigan commented 1 year ago

P81584766

amoreau507 commented 1 year ago

Hi, where would it be possible to see the tracking of this feature request?

I also need to retrieve the status of a user and be able to change it if necessary.

I am using the latest version of the Java SDK.

tim-finnigan commented 1 year ago

@amoreau507 I just pinged the service team for an update and plan to post any new info here. If you have an AWS Support plan you can also reach out directly.

tim-finnigan commented 1 year ago

Linking another request here: https://github.com/boto/boto3/issues/3691. Still trying to get more info on service team as to whether they will consider adding Status: Enabled | Disabled to the DescribeUser API response. In https://github.com/boto/boto3/issues/3691 there was also the request to add CreatedBy to the API response as that is also displayed in the Console.

budbach commented 1 year ago

+1

opp-svega commented 1 year ago

+1

rsilvestre commented 1 year ago

+1

simon-kneipe commented 1 year ago

+1

cburdgeopploans commented 1 year ago

+1

georg-ikegps commented 1 year ago

+1

andres-ortiz commented 1 year ago

+1

tiagoasousa commented 1 year ago

+1

denpolischuk commented 1 year ago

+1

mimatache commented 1 year ago

+1

uakram11 commented 1 year ago

+1

ryandiamond23 commented 1 year ago

+1

tim-finnigan commented 1 year ago

Hi all, thanks for your patience and feedback. We heard back from a member of the IdentityStore team and they have acknowledged the feature request but it is not currently on their roadmap. We recommend reaching out through AWS Support if you have a support plan to "+1" the request and help the team gauge demand for this feature.

I'm going to close this issue as the IdentityStore team has noted the feature request and is continuing to track it, and there is nothing that the SDK teams can do in the meantime on this issue. I can forward feedback to the IdentityStore team if anyone has additional information to share regarding use cases. Also feel free to check back in the future for updates on the status of this feature request.

github-actions[bot] commented 1 year ago

This issue is now closed.

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

eze1981 commented 11 months ago

Created the following workaround with Google Bard. It can download the list of users from the AWS console as a CSV file. So, it can include the user status and any other column available on the web console. You have to run it page by page on the web browser's console and then compile the CSV files.

Steps

  1. Access the AWS IAM Identity Center console
  2. On the left menu, click on Users
  3. In the users table preferences, select Show up to 100 users and select the visibility of the columns to export
  4. Open your web browser's developer tools and copy and paste the code below into the browser's console. After running it, the converted CSV file will be downloaded to your computer in the browser's Downloads section.

// Function to export an HTML table to CSV.
function exportCSV(table) {
  // Quote a cell so commas, quotes or newlines in a display name or email don't break the CSV.
  const quote = (text) => `"${text.replace(/"/g, '""')}"`;

  // Get all the rows in the table.
  const rows = table.querySelectorAll("tr");

  // Create a new CSV string (one entry per row).
  const csv = [];

  // Iterate over the rows and add each row's data to the CSV string.
  for (const row of rows) {
    // Get all the cells in the row.
    const cells = row.querySelectorAll("td, th");

    // Quote each cell's visible text.
    const rowText = Array.from(cells).map((cell) => quote(cell.innerText.trim()));

    // Join the row's data with commas.
    csv.push(rowText.join(","));
  }

  // Create a new Blob object from the CSV string.
  const csvFile = new Blob([csv.join("\n")], {
    type: "text/csv;charset=utf-8;",
  });

  // Create a download link for the Blob object.
  const link = document.createElement("a");
  link.href = URL.createObjectURL(csvFile);
  link.download = "data.csv";

  // Trigger a click event on the download link to download the CSV file, then release the URL.
  link.click();
  URL.revokeObjectURL(link.href);
}

// Get the users table (selector as observed on the console page at the time of the comment).
const usersTable = document.querySelector("#sso-users-main-table").querySelector("table");

// Export the table's data as CSV in the browser's Downloads.
exportCSV(usersTable);

  5. Repeat step 4 for every page.

adam-kiss-sg commented 11 months ago

Another workaround, that can be automated, in case someone stumbles here as I did. Of course it would be much simpler if the AWS team managed to add a single response field in 8 months...

Anyway, reverse-engineering the api call made on the aws console, here is a small script in ts (but you should be able to translate it to your language of choice as long as you can find a lib for aws v4 signing):

import { SignatureV4 } from '@smithy/signature-v4'
import { Sha256 } from '@aws-crypto/sha256-js'

async function run() {
  const identityStoreId = 'd-**********'
  const region = 'us-east-1'
  const hostname = `up.sso.${region}.amazonaws.com`

  const sigv4 = new SignatureV4({
    service: 'identitystore',
    region: region,
    credentials: {
      accessKeyId: '***',
      secretAccessKey: '***',
      sessionToken: '***',
    },
    sha256: Sha256,
  })
  // Sign the same request the console sends: SearchUsers over the JSON 1.1 protocol.
  const signed = await sigv4.sign({
    method: 'POST',
    hostname,
    path: '/identitystore/',
    protocol: 'https',
    headers: {
      Accept: '*/*',
      'X-Amz-Target': 'AWSIdentityStoreService.SearchUsers',
      'Content-Type': 'application/x-amz-json-1.1',
      host: hostname,
    },
    body: `{"IdentityStoreId":"${identityStoreId}","MaxResults":100}`,
  })
  // Replay the signed method, headers and body; the response body is a stream and must be read.
  const response = await fetch(`https://${hostname}/identitystore/`, {
    method: signed.method,
    headers: signed.headers,
    body: signed.body,
  })
  const data = await response.json()
  console.log(response.status, data)
}

run().catch(console.error)

I'm not sure how to do pagination, we don't have many users and the aws console always uses MaxResults: 100.

jk2l commented 10 months ago

Thanks to @adam-kiss-sg for the inspiration. I implemented a Python version. This doesn't have proper support for pagination either, as I don't have 100 users.

from botocore.auth import SigV4Auth
import requests
from botocore.awsrequest import AWSRequest
import botocore.session
import json

def fetch_all_users(identity_store_id, region):
    # Sign with the credentials from the default botocore session (profile, env vars, SSO cache...).
    session = botocore.session.Session()
    sigv4 = SigV4Auth(session.get_credentials(), 'identitystore', region)
    endpoint = f'https://up.sso.{region}.amazonaws.com/identitystore/'
    data = json.dumps( {"IdentityStoreId":identity_store_id, "MaxResults":100 })
    headers = {
        'Content-Type': 'application/x-amz-json-1.1',
        'X-Amz-Target': 'AWSIdentityStoreService.SearchUsers'
    }
    request = AWSRequest(method='POST', url=endpoint, data=data, headers=headers)

    sigv4.add_auth(request)
    prepped = request.prepare()

    # Send exactly the signed headers and the body that was signed.
    response = requests.post(prepped.url, headers=prepped.headers, data=data)
    response.raise_for_status()
    return response.json()

you will need to install botocore/boto3 and requests

plumdog commented 10 months ago

@tim-finnigan I propose that this issue be reopened as this has not been resolved.

I think that the SDK team could do better than "there is nothing that the SDK teams can do in the meantime on this issue".

In particular, two things spring to mind:

It might be that the SDK team does not want to do either of those tasks, but I think it could help users if it wanted to.

tim-finnigan commented 10 months ago

Hi @plumdog thanks for following up. This Identity Center team is still tracking this feature request - I don't have any updates other than that. We encourage customers with support plans to reach out through AWS Support to +1 this feature request so that the service team is more likely to prioritize it.

The service documentation for SDKS/tools is largely auto-generated by upstream API docs (for example, DescribeUser: https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html). There are Provide feedback links at the bottom of those pages, which you can use to send specific feedback to the appropriate team. If any API documentation changes get made, they will be reflected in the SDK documentation. The SDK teams themselves generally don't document workarounds or support escape hatches for something that the service team may support via their APIs in a future release.

plumdog commented 10 months ago

Hi @tim-finnigan, at the very top of the README for this project it says:

This repository is also used to track feature requests and issues that affect multiple AWS SDKs.

That applies to this issue. Accordingly, I think this issue should be reopened until it is resolved.

I'll raise this with AWS Support and see what happens.

anvers commented 7 months ago

(quoting @adam-kiss-sg's TypeScript workaround above)

I tried to do pagination with this workaround:

from botocore.auth import SigV4Auth
import requests
from botocore.awsrequest import AWSRequest
import botocore.session
import json

def fetch_all_users(identity_store_id, region):
    session = botocore.session.Session()
    sigv4 = SigV4Auth(session.get_credentials(), 'identitystore', region)
    endpoint = f'https://up.sso.{region}.amazonaws.com/identitystore/'
    headers = {
        'Content-Type': 'application/x-amz-json-1.1',
        'X-Amz-Target': 'AWSIdentityStoreService.SearchUsers'
    }

    all_results = []

    next_token = None
    while True:
        payload = {"IdentityStoreId": identity_store_id, "MaxResults": 100}
        if next_token:  # only send NextToken after the first page, never as null
            payload["NextToken"] = next_token
        data = json.dumps(payload)
        request = AWSRequest(method='POST', url=endpoint, data=data, headers=headers)
        sigv4.add_auth(request)
        prepped = request.prepare()

        response = requests.post(prepped.url, headers=prepped.headers, data=data)
        response.raise_for_status()
        response_data = response.json()

        all_results.extend(response_data.get('Users', []))

        next_token = response_data.get('NextToken')
        if not next_token:
            break

    return all_results

identity_store_id = "d-value111122233344"
region = "us-east-1"
all_users = fetch_all_users(identity_store_id, region)
print(all_users)

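
Added example (editor's note, not code from any comment in this thread): the pagination loop that @adam-kiss-sg and @jk2l said they were missing, with the HTTP transport injected so the loop can be exercised offline against constructed pages and then pointed at the real endpoint. Assumptions are labelled: the {"Users": [...], "NextToken": ...} response shape and the per-user "Active" boolean are taken from the thread, the eu-north-1 hostname from @andreif-funnel's comment, and make_sigv4_transport is a hypothetical helper in the style of @jk2l's snippet that is not run offline.

```python
"""Pagination over the console's undocumented SearchUsers call (added example).

Assumed from the thread: response shape {"Users": [...], "NextToken": ...},
per-user "Active" boolean, and the eu-north-1 hostname variant.
"""
import json
from typing import Callable, Dict, List, Optional

# (url, headers, json body) -> parsed JSON response
Transport = Callable[[str, Dict[str, str], str], dict]
TARGET = "AWSIdentityStoreService.SearchUsers"


def identitystore_endpoint(region: str) -> str:
    """Console endpoint used by the workarounds above; eu-north-1 differs per the
    thread, every other region is assumed to follow the up.sso.<region> pattern."""
    if region == "eu-north-1":
        return "https://up-sso.eu-north-1.amazonaws.com/identitystore/"
    return f"https://up.sso.{region}.amazonaws.com/identitystore/"


def search_users(identity_store_id: str, region: str, transport: Transport,
                 max_results: int = 100) -> List[dict]:
    """Page through SearchUsers: NextToken is omitted on the first call rather
    than sent as null, and a repeated token aborts instead of looping forever."""
    url = identitystore_endpoint(region)
    headers = {"Content-Type": "application/x-amz-json-1.1", "X-Amz-Target": TARGET}
    users: List[dict] = []
    next_token: Optional[str] = None
    seen_tokens = set()
    while True:
        payload = {"IdentityStoreId": identity_store_id, "MaxResults": max_results}
        if next_token:
            payload["NextToken"] = next_token
        page = transport(url, headers, json.dumps(payload))
        users.extend(page.get("Users", []))
        next_token = page.get("NextToken")
        if not next_token:
            return users
        if next_token in seen_tokens:
            raise RuntimeError("pagination loop: server repeated NextToken")
        seen_tokens.add(next_token)


def access_report(users: List[dict]) -> Dict[str, List[str]]:
    """The audit view the original request asked for: enabled vs disabled users."""
    report: Dict[str, List[str]] = {"enabled": [], "disabled": []}
    for user in users:
        report["enabled" if user.get("Active") else "disabled"].append(user["UserName"])
    return report


def make_sigv4_transport(region: str) -> Transport:
    """Hypothetical real transport: SigV4-sign with botocore and POST with requests,
    as in @jk2l's snippet. Needs credentials with sso-directory:SearchUsers and
    network access; imports are lazy so the offline demo does not need the packages."""
    import botocore.session
    import requests
    from botocore.auth import SigV4Auth
    from botocore.awsrequest import AWSRequest

    signer = SigV4Auth(botocore.session.Session().get_credentials(), "identitystore", region)

    def transport(url: str, headers: Dict[str, str], body: str) -> dict:
        request = AWSRequest(method="POST", url=url, data=body, headers=dict(headers))
        signer.add_auth(request)
        prepped = request.prepare()
        response = requests.post(prepped.url, headers=prepped.headers, data=body, timeout=30)
        response.raise_for_status()
        return response.json()

    return transport


def fake_transport(pages: List[dict]) -> Transport:
    """Constructed offline stand-in for the endpoint: serves `pages` in order and
    checks that each request carries exactly the NextToken the previous page returned."""
    calls: List[dict] = []

    def transport(url: str, headers: Dict[str, str], body: str) -> dict:
        request = json.loads(body)
        index = len(calls)
        calls.append(request)
        expected = pages[index - 1].get("NextToken") if index else None
        if request.get("NextToken") != expected:
            raise AssertionError(f"call {index} sent NextToken {request.get('NextToken')!r}")
        return pages[index]

    return transport


# Constructed sample pages, not real identity store output.
SAMPLE_PAGES = [
    {"Users": [{"UserName": "alice", "Active": True},
               {"UserName": "bob", "Active": False}], "NextToken": "page-2"},
    {"Users": [{"UserName": "carol", "Active": True}]},
]


def demo() -> Dict[str, List[str]]:
    """Run the loop against the constructed pages and return the audit report."""
    return access_report(search_users("d-example", "us-east-1", fake_transport(SAMPLE_PAGES)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it for real, swap `fake_transport(SAMPLE_PAGES)` for `make_sigv4_transport(region)` and pass your own identity store ID; the report then lists which Identity Center users are disabled, which is the field the public DescribeUser API still does not return.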
iainelder commented 1 month ago

A solution using the AWS CLI and Nick Frichette's collection of undocumented API models.

Works like the solutions from @anvers and @adam-kiss-sg.

Installation:

curl -S -s -X GET \
    'https://raw.githubusercontent.com/Frichetten/aws-api-models/main/models/identitystore-2019-11-01-json.json' \
| jq '
    .
    | .operations.SearchUsers.input |= {shape: "SearchUsersRequest"}
    | .operations.SearchUsers.output |= {shape: "SearchUsersResponse"}
' \
> identitystoreinternal.json

aws configure add-model \
--service-model file://identitystoreinternal.json  \
--service-name identitystoreinternal

Usage:

aws identitystoreinternal search-users \
--identity-store-id "d-..."  \
--endpoint-url https://up.sso.eu-central-1.amazonaws.com/identitystore/ \
| jq -c '.Users[] | {UserName, Active}'

Result:

{"UserName":"...","Active":true}
{"UserName":"...","Active":true}
...

(The issue is closed, but there's no official solution. This issue seems to be the first result people see via Google, so I share here for maximum community benefit.)

andreif-funnel commented 3 weeks ago

BTW, the session must have sso-directory:SearchUsers permissions.

Also, in eu-north-1 region the hostname is up-sso.eu-north-1.amazonaws.com as if this bizarre situation was not already bad enough.