benkehoe / aws-sso-util

Smooth out the rough edges of AWS SSO (temporarily, until AWS makes it better).
Apache License 2.0

Enhance Handling of Deleted users. #93

Closed scott-dunt closed 1 year ago

scott-dunt commented 1 year ago

AWESOME Tool.. Love it.. Getting some interesting results from the aws-sso-util admin assignments command.

Some rows returned have a blank principal_name. Which I have tracked down to users that were deleted from the 'Users' section of SSO - IAM.. BUT, those users (with username) show up in the 'AWS Organizations: AWS accounts' section of the console.

I can ID some of the entries by name, and when I click on them in the 'accounts' section of the console, the screen: IAM Identity Center > Users > {UserId} comes up, but it shows the user id as blank, Status as 'Disabled', etc.


In the 'Users' portion of the SSO - IAM console you can't find the user. But, back on the IAM Identity Center > AWS Organizations: AWS accounts > {Account Name} screen it DOES show an email address.

Is it possible for your tool, when it finds one of these UserIDs that are included in an 'account' list, but NOT in the Users list, to flag the entry as deleted? Maybe the principal_name field could say: `DELETED - username`.. That assumes that the APIs will even do that..

We are a small enough shop that I can generally find and clean these users up, but it would be nice to use the aws-sso-util admin assignments command as a check to make sure I got rid of all of the 'deleted' users.

scott-dunt commented 1 year ago

P.s. Seems I also have a 'deleted' group out here and it's fun, because when I click on it in the 'accounts' screen it throws an error..

benkehoe commented 1 year ago

What does the output of identitystore.DescribeUser or DescribeGroup look like for them? https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_DescribeUser.html

Those APIs are what's used to look up the info, but I'd need to know what the response looks like for you to add code to handle it.

scott-dunt commented 1 year ago

```
aws identitystore describe-user --identity-store-id xxxxxxxxxxx --user-id xxxxxxxxxxxxxxxxxxxxxxxxxxx

An error occurred (ResourceNotFoundException) when calling the DescribeUser operation: USER not found.
```

The fun part is that the ID shows up in:

```
aws sso-admin list-account-assignments \
  --instance-arn arn:aws:sso:::instance/ssoins-xxxxxxxxxxxxxxxxxxx \
  --account-id xxxxxxxxxxxxxx \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

```json
{
  "AccountId": "xxxxxxxxxxxxxxxxxxx",
  "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "PrincipalType": "USER",
  "PrincipalId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
```

It may be a limitation of the API. I would LOVE to know what call the AWS console is making to display this screen which includes the Username.. Clicking on the user link cannot find the INFO, and the list-account API does not provide the username either.


The link on that page has the correct userId and directoryId, which of course returns blank information. There must be a separate Username field in the accounts section that the APIs won't return the value of..

benkehoe commented 1 year ago

I think the current behavior is probably the right one. If it's returned by ListAccountAssignments (the API we're using) then we should assume it's a valid assignment. If DescribeUser returns ResourceNotFound, the current behavior, which is just to not populate the name, I think is probably best. We don't really know why it's not found; could be deleted, could be eventual consistency, etc. If it returned, say, "Status: DELETED", I think that's when we could put something different in the list_assignments output.

You're saying they're not in the list of users returned by identitystore.ListUsers? I think it's probably a bad idea, performance-wise, to enumerate all users to check against the assignments, especially because there's no guarantee of the two list operations having no modifications between them.

If you've got a support plan, I'd suggest maybe raising this inconsistency with them. It does make sense that deleted users shouldn't show up in the list of assignments.
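The handling the maintainer describes above (keep the assignment row from ListAccountAssignments, leave `principal_name` blank when DescribeUser/DescribeGroup raises `ResourceNotFoundException`, and do not label the principal "deleted" because the API does not say why it is missing), shown as an added example. This is not aws-sso-util's own code: the identity store client is a constructed fake standing in for boto3's `identitystore` client so the script runs offline, the exception class is a stand-in for the botocore error, and the identity store id and principal ids are made-up sample values. It also caches one lookup per principal, which keeps the number of Describe calls proportional to distinct principals rather than to assignments, and records a `lookup_status` column so an admin can list the not-found principals for a manual review without the tool asserting they were deleted.

```python
"""Resolve principal names for account assignments while tolerating
DescribeUser / DescribeGroup ResourceNotFoundException.

Added example, not aws-sso-util's code. FakeIdentityStore and
ResourceNotFoundException are constructed stand-ins for boto3's
identitystore client and its client.exceptions.ResourceNotFoundException.
"""

from dataclasses import dataclass


class ResourceNotFoundException(Exception):
    """Stand-in for botocore's ResourceNotFoundException (constructed)."""


@dataclass
class FakeIdentityStore:
    """Constructed fake client: it only knows the principals in its two dicts."""
    users: dict    # UserId -> UserName
    groups: dict   # GroupId -> DisplayName

    def describe_user(self, IdentityStoreId, UserId):
        if UserId not in self.users:
            raise ResourceNotFoundException("USER not found.")
        return {"UserId": UserId, "UserName": self.users[UserId]}

    def describe_group(self, IdentityStoreId, GroupId):
        if GroupId not in self.groups:
            raise ResourceNotFoundException("GROUP not found.")
        return {"GroupId": GroupId, "DisplayName": self.groups[GroupId]}


def lookup_principal(store, identity_store_id, principal_type, principal_id):
    """Return (name, status). Status is 'found', 'not_found' or
    'unknown_principal_type'; 'not_found' is deliberately not 'deleted',
    since the API does not say why the principal is missing."""
    try:
        if principal_type == "USER":
            resp = store.describe_user(IdentityStoreId=identity_store_id, UserId=principal_id)
            return resp["UserName"], "found"
        if principal_type == "GROUP":
            resp = store.describe_group(IdentityStoreId=identity_store_id, GroupId=principal_id)
            return resp["DisplayName"], "found"
        return "", "unknown_principal_type"
    except ResourceNotFoundException:
        return "", "not_found"


def resolve_assignments(store, identity_store_id, assignments):
    """Turn ListAccountAssignments items into rows with principal_name filled
    in where possible. Every assignment is kept, as the thread recommends."""
    cache = {}  # one Describe call per distinct principal
    rows = []
    for a in assignments:
        key = (a["PrincipalType"], a["PrincipalId"])
        if key not in cache:
            cache[key] = lookup_principal(store, identity_store_id, *key)
        name, status = cache[key]
        rows.append({
            "account_id": a["AccountId"],
            "permission_set_arn": a["PermissionSetArn"],
            "principal_type": a["PrincipalType"],
            "principal_id": a["PrincipalId"],
            "principal_name": name,       # blank when the lookup failed
            "lookup_status": status,
        })
    return rows


def unresolved_principals(rows):
    """Distinct (type, id) pairs whose Describe call returned not-found,
    for an admin to review manually."""
    return sorted({(r["principal_type"], r["principal_id"])
                   for r in rows if r["lookup_status"] == "not_found"})


# Constructed sample data: one live user, one live group, one principal id that
# still has an assignment but no longer resolves in the identity store.
SAMPLE_STORE = FakeIdentityStore(
    users={"u-0001": "alice"},
    groups={"g-0001": "platform-admins"},
)
SAMPLE_ASSIGNMENTS = [
    {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-example/ps-example",
     "PrincipalType": "USER", "PrincipalId": "u-0001"},
    {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-example/ps-example",
     "PrincipalType": "GROUP", "PrincipalId": "g-0001"},
    {"AccountId": "222222222222", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-example/ps-example",
     "PrincipalType": "USER", "PrincipalId": "u-9999"},
    {"AccountId": "111111111111", "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-example/ps-example",
     "PrincipalType": "USER", "PrincipalId": "u-9999"},
]

if __name__ == "__main__":
    rows = resolve_assignments(SAMPLE_STORE, "d-example", SAMPLE_ASSIGNMENTS)
    for r in rows:
        print(r["account_id"], r["principal_type"], r["principal_id"],
              repr(r["principal_name"]), r["lookup_status"])
    print("unresolved:", unresolved_principals(rows))
```

Against the sample data this keeps all four rows, fills in `alice` and `platform-admins`, leaves `principal_name` empty for `u-9999` in both of its assignments, and reports `u-9999` once under `unresolved`. A real run would replace `FakeIdentityStore` with `boto3.client("identitystore")` and catch `client.exceptions.ResourceNotFoundException` instead of the stand-in class.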