I'm running the Lambda from the Serverless Application Repository. It attempts to delete one of the groups but fails with this message:
Notifying Lambda and mark this execution as Failure: AccessDeniedException: User: arn:aws:sts::X:assumed-role/serverlessrepo-X-ssosyn-SSOSyncFunctionRole-X/serverlessrepo-X-ssosync-go-SSOSyncFunction-X is not authorized to perform: identitystore:DeleteGroup on resource: arn:aws:identitystore::X:identitystore/d-X because no identity-based policy allows the identitystore:DeleteGroup action
I checked in IAM and confirmed that the policy does not include this action. It doesn't look like it's included in the template. I believe the DeleteGroup action needs to be added to the template and this issue would be resolved.
To Reproduce
Steps to reproduce the behavior:
1. Set up a new organization using AWS Control Tower.
2. Deploy the SSO sync Lambda.
3. SSO sync will attempt to delete a pre-existing group.
Expected behavior
The group is successfully deleted.
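To check a candidate role policy offline before redeploying, here is an added example (not code from the ssosync project or the reporter): a simplified evaluator for identity-based IAM policies that shows the sync role's policy failing the identitystore:DeleteGroup check, then passing once a statement scoped to the single identity store is added. The policy document, account id and identity store ARN are constructed placeholders, and the evaluator handles only Allow/Deny with Action and Resource wildcards (no NotAction, conditions or resource policies).

```python
import json
import re

# Constructed sample resembling a sync role policy that can create groups and
# manage memberships but omits identitystore:DeleteGroup (placeholder ids).
BEFORE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "identitystore:ListGroups",
            "identitystore:CreateGroup",
            "identitystore:CreateGroupMembership",
            "identitystore:DeleteGroupMembership",
        ],
        "Resource": "*",
    }],
}
# Placeholder identity store ARN in the shape of the one in the error message.
STORE_ARN = "arn:aws:identitystore::111122223333:identitystore/d-EXAMPLE"

def _iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def action_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-based evaluation: explicit Deny wins, else any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def with_delete_group(policy: dict, identity_store_arn: str) -> dict:
    """Copy of the policy plus a DeleteGroup grant scoped to one identity store."""
    fixed = json.loads(json.dumps(policy))  # deep copy; leave the input untouched
    fixed["Statement"].append({"Effect": "Allow", "Action": "identitystore:DeleteGroup",
                               "Resource": identity_store_arn})
    return fixed
```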