awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0
517 stars 178 forks

googleapi Error 400, query invalid #148

Closed jmthomas73 closed 6 months ago

jmthomas73 commented 1 year ago

After following the setup twice, including once with consultants from our managed service provider, the Lambda is giving the following error in CloudWatch:

{ "level": "fatal", "msg": "Notifying Lambda and mark this execution as Failure: googleapi: Error 400: Invalid Input: query, invalid", "time": "2023-09-14T21:31:27Z" }

Steps as above. We followed directly the AWS GSuite instructions, and then the GitHub Readme instructions.

Expected results were for it to start populating users

We have manually created a user to validate that IAM Identity Center is functioning correctly - we can log in to our access portal URL just fine and get to the console with that manual account, but users and groups aren't populating because of the above.

Fully willing to accept this is something I've screwed up, but we've now done it twice with better trained eyes than mine watching every step, only to get the same result, so if it is me, maybe it's a documentation improvement step?

ChrisPates commented 12 months ago

That error is coming from the Google admin API, which means there is something incorrect about the query string. The rest of the setup may well be correct.

Can you provide it here?

Kind regards,

Chris


fdansey-ostmodern commented 11 months ago

I can reproduce the issue.

I have set up SSOSync 2.0.3 via AWS CDK, using the CfnApplication construct.

When the lambda function is invoked (LogLevel = info), I see the following: {"level":"fatal","msg":"Notifying Lambda and mark this execution as Failure: Get \"https://admin.googleapis.com/admin/directory/v1/groups?alt=json\u0026customer=my_customer\u0026prettyPrint=false\u0026query=name%!A(MISSING)AWS%!A(MISSING)\": oauth2: cannot fetch token: 400 Bad Request\nResponse: {\n \"error\": \"invalid_grant\",\n \"error_description\": \"Not a valid email or user ID.\"\n}","time":"2023-10-14T11:04:00Z"}

It looks like the API URL for Google Admin is being formatted incorrectly: instead of

The function is sending,

Running the latest version (latest commit is 014accf) of the CLI works fine for me.
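As an added illustration (not ssosync's own code), the mangled `query=name%!A(MISSING)AWS%!A(MISSING)` in the log above is the signature of an already URL-escaped string being passed to a Go `fmt` function as its format argument: `%3A` and `%2A` are parsed as verbs with no operands. The snippet reproduces that and shows the `net/url` form that escapes the match exactly once; the endpoint and `customer=my_customer` come from the log, and the match value `name:AWS*` is inferred from it.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Google Admin SDK groups endpoint seen in the log above.
const groupsEndpoint = "https://admin.googleapis.com/admin/directory/v1/groups"

// buggyGroupsURL reproduces the failure mode: the escaped match string is
// handed to fmt.Sprintf as the format, so "%3A" and "%2A" are read as verbs
// with no operands and are emitted as "%!A(MISSING)".
func buggyGroupsURL(match string) string {
	escaped := url.QueryEscape(match) // "name:AWS*" -> "name%3AAWS%2A"
	var noArgs []any                  // equivalent to fmt.Sprintf(escaped)
	return groupsEndpoint + "?customer=my_customer&query=" + fmt.Sprintf(escaped, noArgs...)
}

// fixedGroupsURL builds the same request with net/url, so the query is
// escaped once and never interpreted by fmt.
func fixedGroupsURL(match string) string {
	q := url.Values{}
	q.Set("customer", "my_customer")
	q.Set("query", match)
	return groupsEndpoint + "?" + q.Encode()
}

// looksMisformatted is a cheap pre-flight check: a fmt-mangled URL carries
// the "%!" marker, which never appears in a correctly escaped query string.
func looksMisformatted(rawURL string) bool {
	return strings.Contains(rawURL, "%!")
}

func main() {
	for _, u := range []string{buggyGroupsURL("name:AWS*"), fixedGroupsURL("name:AWS*")} {
		fmt.Printf("misformatted=%-5v %s\n", looksMisformatted(u), u)
	}
}
```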

jmthomas73 commented 11 months ago

Sorry if this is a dumb question, but is there an easy way to replace our broken 2.0.3 version that was deployed from the lambda application thing with the code of that commit, or alternatively, do we know when the next version that includes this will be out?

ChrisPates commented 10 months ago

Have you tried deploying the application directly from the Serverless Application Repository? I personally wouldn't build or deploy from the GitHub repo when you can pull a release version that has been through the CI/CD pipeline from the SAR for far less effort.

jmthomas73 commented 10 months ago

The SAR is the only way we've done it so far, but my understanding is that the fix for my issue is in a commit that hasn't gone through that pipeline yet, correct?

ChrisPates commented 10 months ago

I've just compared the current head on main with the v2.0.3 tag and the only changes are in the README and some ancillary scripts; changes have been made to the go.lang executable itself. Given that the release pipeline runs tests using a very similar configuration to yours, I would suspect that you are seeing a configuration issue. Can you share the values (excluding credentials or secrets) that you specified in the SAR deployment?

Thanks

fdansey-ostmodern commented 10 months ago

I am using these CfnApplication parameters:

GoogleAdminEmail: "xxx@xxx.co.uk",
GoogleCredentials: <Google Service account credentials JSON>,
GoogleGroupMatch: "name:<My prefix>*",
IdentityStoreID: "d-xxxxxxxxxx",
LogLevel: "info",
Region: "eu-west-1",
SCIMEndpointAccessToken: <SCIM access token>,
SCIMEndpointUrl: "https://scim.eu-west-1.amazonaws.com/xxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/scim/v2/",
ScheduleExpression: "rate(1 day)",
SyncMethod: "groups",

with this applicationLocation:

applicationId: "arn:aws:serverlessrepo:us-east-2:004480582608:applications/SSOSync",
semanticVersion: "2.0.3",

emmanuelnk commented 5 months ago

For anyone who may land on this error, another possible cause is using a service account email instead of an actual Google admin email. The email used for GoogleAdminEmail has to have the SuperAdmin role, else you can also get the above error.

I think it's important to explicitly state in the docs what role the GoogleAdminEmail needs to work.