awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0
530 stars 182 forks

SSOSYNC doesn't work with `aws sso login`, only works with `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` #109

Closed omerls-pw closed 1 year ago

omerls-pw commented 1 year ago

Describe the bug
One cannot execute ssosync when logged in to AWS with `aws sso login`. It only works when using `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.

To Reproduce
Steps to reproduce the behavior:

  1. Log in to AWS using `aws sso login`
  2. Execute `./ssosync -u user@domain.com -c ../credentials.json --log-level=debug -d --ignore-groups=$SSOSYNC_IGNORE_GROUPS -i $AWS_IDENTITY_STORE_ID -r $AWS_REGION`
  3. See error `UnrecognizedClientException: The security token included in the request is invalid`

Expected behavior
Work with both authentication methods.

ChrisPates commented 1 year ago

The recommended deployment pattern is a lambda from the serverless application repository into the delegated administration account for IAM Identity Center.

omerls-pw commented 1 year ago

I wanted to make sure that everything works before deploying to production.

What surprised me the most was that the users were synced using only SSOSYNC_SCIM_ACCESS_TOKEN and SSOSYNC_SCIM_ENDPOINT as identifiers, while Groups weren't.

ChrisPates commented 1 year ago

So at this time groups and group memberships are being created via the IdentityStore API, whilst users are created via the SCIM API.
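A preflight check for the situation in the report and the comment above, added here as an example and not ssosync's own code: it classifies the credentials a process would resolve, showing why static keys in the environment are always picked up while an `aws sso login` session is only usable if the caller's SDK reads the CLI's SSO token cache. The config layout and the cache-file naming (SHA-1 of the `sso_session` name, or of `sso_start_url` for legacy profiles) are assumptions about the AWS CLI.

```python
import configparser
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def credential_source(env, config_text, profile, sso_cache_dir, now):
    """Classify which credentials a process would see for `profile`.

    Static keys in the environment win (this is why ssosync worked in the
    report). Otherwise find the profile's SSO session and inspect the CLI's
    cached token. Cache naming is an assumption about the AWS CLI.
    """
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "static-env"
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cfg.has_section(section):
        return "no-profile"
    key = cfg[section].get("sso_session") or cfg[section].get("sso_start_url")
    if not key:
        return "no-sso-config"
    path = os.path.join(sso_cache_dir, hashlib.sha1(key.encode()).hexdigest() + ".json")
    if not os.path.exists(path):
        return "sso-not-logged-in"  # `aws sso login` never ran for this session
    with open(path) as fh:
        token = json.load(fh)
    expires = datetime.fromisoformat(token["expiresAt"].replace("Z", "+00:00"))
    return "sso-valid" if expires > now else "sso-expired"


def demo():
    """Run the check against a constructed config and token cache; returns verdicts."""
    config = ("[profile admin]\nsso_session = corp\nsso_account_id = 111111111111\n"
              "sso_role_name = Admin\n[sso-session corp]\n"
              "sso_start_url = https://example.awsapps.com/start\nsso_region = us-east-1\n")
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cache = tempfile.mkdtemp()
    static_env = {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE", "AWS_SECRET_ACCESS_KEY": "x"}
    results = [credential_source(static_env, config, "admin", cache, now),
               credential_source({}, config, "admin", cache, now)]
    token_path = os.path.join(cache, hashlib.sha1(b"corp").hexdigest() + ".json")
    for expires_at in ("2024-01-02T00:00:00Z", "2023-12-31T00:00:00Z"):
        with open(token_path, "w") as fh:
            json.dump({"expiresAt": expires_at}, fh)  # constructed token stub
        results.append(credential_source({}, config, "admin", cache, now))
    return results  # ["static-env", "sso-not-logged-in", "sso-valid", "sso-expired"]
```

When a tool's SDK cannot consume that cache, the least-privilege workaround is to export short-lived credentials from the SSO session into the environment (AWS CLI v2: `aws configure export-credentials --format env`) rather than creating long-lived IAM user keys.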

ChrisPates commented 1 year ago

Improving guidance in the attached fix.