awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0
525 stars 181 forks

Error when attempting to delete Identity Store group #116

Closed jferris closed 1 year ago

jferris commented 1 year ago

I'm running the Lambda from the Serverless Application Repository. It attempts to delete one of the groups but fails with this message:

Notifying Lambda and mark this execution as Failure: AccessDeniedException: User: arn:aws:sts::X:assumed-role/serverlessrepo-X-ssosyn-SSOSyncFunctionRole-X/serverlessrepo-X-ssosync-go-SSOSyncFunction-X is not authorized to perform: identitystore:DeleteGroup on resource: arn:aws:identitystore::X:identitystore/d-X because no identity-based policy allows the identitystore:DeleteGroup action

I checked in IAM and confirmed that the policy does not include this action. It doesn't look like it's included in the template. I believe the DeleteGroup action needs to be added to the template and this issue would be resolved.

To Reproduce
Steps to reproduce the behavior:

  1. Set up a new organization using AWS Control Tower.
  2. Deploy the SSO sync Lambda.
  3. SSO sync will attempt to delete a pre-existing group.

Expected behavior
The group is successfully deleted.
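The failure above is the classic "sync runs fine until it hits the one action the role was never granted" problem, and it is cheaper to catch before deployment than mid-sync. The script below is an added example, not ssosync's own code or its actual SAM template: it evaluates an IAM identity-based policy document offline against the actions a job needs (here only `identitystore:DeleteGroup`, the one named in the issue; ssosync's full action list is not on this page) and reports what is missing. The two policy documents and the identity store ARN are constructed placeholders, with the "before" one shaped like the role in the report and the "after" one adding the missing action while keeping it scoped to a single identity store. It handles action and resource wildcards and explicit Deny, but not `NotAction` or `Condition` blocks.

```python
"""Offline pre-deployment check of an IAM policy document.

Added example (not from the ssosync project). Evaluates whether each required
action is allowed on a given resource: explicit Deny wins, any matching Allow
grants, and no match is an implicit deny. Wildcards '*' and '?' are honoured in
both Action and Resource; NotAction and Condition are deliberately not modelled.
"""
import fnmatch

# Placeholder ARN: the account id and store id are made up for this example.
IDENTITY_STORE_ARN = "arn:aws:identitystore::123456789012:identitystore/d-EXAMPLE"

# Constructed policy resembling the role in the issue: group deletion is absent.
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["identitystore:CreateGroup", "identitystore:ListGroups"],
            "Resource": IDENTITY_STORE_ARN,
        }
    ],
}

# Constructed corrected policy: DeleteGroup added, still scoped to one store
# rather than "*", so the role cannot touch other identity stores.
POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "identitystore:CreateGroup",
                "identitystore:ListGroups",
                "identitystore:DeleteGroup",
            ],
            "Resource": IDENTITY_STORE_ARN,
        }
    ],
}

# Only the action named in the issue; the full set ssosync needs is not on this page.
REQUIRED_ACTIONS = ["identitystore:DeleteGroup"]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Return True if `policy` lets `action` run on `resource`.

    Actions compare case-insensitively (as IAM does); resource ARNs are
    case-sensitive. A matching Deny statement short-circuits to False.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p) for p in actions)
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in resources)
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, required, resource):
    """List the required actions the policy does not allow on `resource`."""
    return [a for a in required if not is_allowed(policy, a, resource)]


if __name__ == "__main__":
    for name, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        gap = missing_actions(policy, REQUIRED_ACTIONS, IDENTITY_STORE_ARN)
        print(f"{name}: missing {gap or 'nothing'}")
```

Running it prints that the "before" policy is missing `identitystore:DeleteGroup` and the "after" policy is not. Pointing `missing_actions` at the policy document attached to the deployed SSOSyncFunctionRole, with the full list of actions the sync performs, turns the AccessDeniedException in the issue into a pre-deploy finding; keeping the resource scoped to the identity store ARN rather than `*` is the least-privilege half of the same fix.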