awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0

Lambda Function Failing with 401 Error After Updating SCIM Access Token #198

Closed marvingoetz closed 2 months ago

marvingoetz commented 2 months ago

After our IAM Identity Center SCIM Access Token expired, we created a new one and updated it within the CloudFormation template. The stack was successfully updated with the new SCIM Access Token parameter value. However, since the update, the Lambda function has been failing with the following error messages:

{
  "level": "error",
  "msg": "error getting active status for user 736...",
  "time": "2024-06-06T07:36:02Z"
}
{
  "level": "fatal",
  "msg": "Notifying Lambda and mark this execution as Failure: status of http response was 401",
  "time": "2024-06-06T07:36:02Z"
}

Is there any additional step required beyond replacing the Access Token to resolve this issue? For example, on the Google site? We would appreciate any guidance on troubleshooting or potential fixes to ensure the Lambda function operates correctly with the new SCIM Access Token.

ChrisPates commented 2 months ago

There are two scenarios I have seen here. Guidance on the IAM Identity Center SCIM API token management (docs). First is that on occasion folk copy and paste the shorter SCIM token ID string into the CloudFormation form instead of the key value. You will only be shown the token value once, and it is a much longer value than the token ID, which can be viewed at any time in the IAM Identity Center console.

The other scenario is that when you updated the CloudFormation stack you perhaps, intentionally or inadvertently, upgraded from a 1.x version of ssosync to a 2.x build. 2.x also needs an IAM role and has to be run within the management account or a linked account with delegated access, because it uses the Identity Store APIs in addition to the SCIM API on the AWS side.

You can obtain more detailed information by increasing the logging level to debug (either on the CloudFormation stack or directly in the environment variables on the Lambda).

Can you also share how you have deployed ssosync? The logs mention AWS Lambda, so I'm guessing it's either from the Serverless Application Repository (SAR), which is the recommended method, or via the SAM CLI.