awslabs/ssosync

Groups not syncing: invalid character '*' looking for beginning of value

Pitta opened this issue · 10 comments

Pitta commented

Describe the bug
After initial config/setup, I'm getting the following error:

{
"level": "fatal",
"msg": "Notifying Lambda and mark this execution as Failure: invalid character '*' looking for beginning of value",
"time": "2023-08-17T18:14:03Z"
}

This is coming from the deployed application in AWS

To Reproduce
Steps to reproduce the behavior:

  1. deploy app via marketplace
  2. use name:* for GoogleUserMatch
  3. use name:com-aws-* for GoogleGroupMatch
  4. shouldn't need to fill in IncludeGroups, but I can't leave it blank... so name:com-aws-*

See error logs

Expected behavior
Any group with the prefix com-aws- synced to AWS IAM Identity Center, along with any members of those groups.

Additional context
I've got a bunch of users synced, but no groups.

Pitta commented

So how do people target any users in a group without name:*?

This may just be me being super thick here, but the docs are not clear enough for me to discern basic functionality here.

Am I using the native SCIM sync just for users based on their assignment to the app, and then JUST using this tool to sync groups? If so, can I just slap anything in the user search field since it is being handled elsewhere? How would this know to add the synced users to the synced groups?

Pitta commented

I appreciate your responses!

We tried doing user + group sync natively with SCIM and the built in functionality in AWS, but we got direct confirmation from AWS that groups are still not supported natively yet. They directed me to this tool, that was supposedly maintained by AWS.

How would you suggest I send nothing to fields that are marked as "required"?


Pitta commented

To add to my confusion, the official AWS documentation on using this tool has contradictory information to your suggestions here.

https://catalog.workshops.aws/control-tower/en-US/authentication-authorization/google-workspace/3-provisioning-scim

Specifically...

SSOSyncFunction
GoogleGroupMatch : name:*
GoogleUserMatch : name:*
IgnoreGroups : none
IgnoreUsers : none
IncludeGroups : *
LogFormat : leave as default
LogLevel : leave as default
ScheduleExpression : leave as default
SyncMethod : leave as default

Pitta commented

I've redeployed the whole thing, using some sane queries for the fields that are required but skipped. Getting 403's now so I have some other setup to suss out now.

Thank you for your help here. We can close this now if appropriate.

Pitta commented

Wanted to jump in here and follow up.

I JUST got this working. After the config tweaks you suggested I was able to work with the privilege issues on the google side and finally got a syncing group!

Thank you again @ChrisPates for your help and patience.

I did want to add, updating the application in AWS by updating the running stack and editing the values in the config is fraught with issues. When updating a value, if any of the others are showing up masked with *, it will APPLY * TO THOSE VALUES! So when updating, I went in and re-pasted everything in, otherwise I'd keep getting the same error in my initial issue description.

Also - values that are "only needed if using a different strategy" are still required to fill in. I know this is probably a CloudFormation dependency, but it might be a good idea to have a default value that the app knows to ignore pre-populated instead of the current flow, which is not ideal.

So these are the parameters that should appear in that lab.

SSOSyncFunction
GoogleGroupMatch : name:AWS*
GoogleUserMatch : *
IgnoreGroups : none
IgnoreUsers : none
IncludeGroups : *
LogFormat : leave as default
LogLevel : leave as default
ScheduleExpression : leave as default
SyncMethod : leave as default

However, the screenshots are also of a significantly earlier release of ssosync. So I'm looking to get that lab updated and end to end tested.

I concur on the defaults, I'm going to update them to the above.

Since this, the parameter validation has been overhauled and should provide better guidance and allow for empty fields where appropriate.
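As an added illustration of the two points above (the masked-value overwrite described in the "APPLY * TO THOSE VALUES" comment, and the parameter validation mentioned in the last reply), the following Go snippet is not ssosync's own code. It shows why the error in the issue title appears: `invalid character '*' looking for beginning of value` is exactly what Go's `encoding/json` returns when the first byte of the input is `*`, so a parameter that should hold a JSON document but was saved as the console's asterisk mask fails at parse time. The parameter names, the assumption that the Google credentials parameter is the JSON-typed one, and the sample credentials blob are all constructed for the example. Note the caveat that a lone `*` is a legitimate wildcard for match fields such as GoogleUserMatch and IncludeGroups, so the placeholder check is applied only to parameters that must contain JSON.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrMaskedPlaceholder is returned when a JSON-typed parameter still holds
// the asterisk mask the console shows for hidden (NoEcho) values.
var ErrMaskedPlaceholder = errors.New("value is the masked placeholder, re-paste the real value")

// ParamKind says how a parameter's text is interpreted.
type ParamKind int

const (
	KindMatch ParamKind = iota // wildcard/query text such as "*" or "name:AWS*"
	KindJSON                   // a JSON document, e.g. service-account credentials
)

// Constructed sample values (not taken from the issue).
const (
	sampleCredentials = `{"type":"service_account","client_email":"svc@example.invalid"}`
	maskedPlaceholder = "****"
)

// IsMaskedPlaceholder reports whether v consists of nothing but asterisks.
func IsMaskedPlaceholder(v string) bool {
	v = strings.TrimSpace(v)
	return v != "" && strings.Trim(v, "*") == ""
}

// RawJSONError returns the unwrapped encoding/json message for a value, or ""
// if it parses; this is the message that surfaced in the issue title.
func RawJSONError(value string) string {
	var v any
	if err := json.Unmarshal([]byte(value), &v); err != nil {
		return err.Error()
	}
	return ""
}

// CheckParam validates one parameter according to its kind and returns a
// descriptive error that names the parameter instead of the bare JSON error.
func CheckParam(name, value string, kind ParamKind) error {
	switch kind {
	case KindJSON:
		// A lone "*" is never valid JSON, so for this kind any all-asterisk
		// value can only be the console mask that was saved by mistake.
		if IsMaskedPlaceholder(value) {
			return fmt.Errorf("%s: %w", name, ErrMaskedPlaceholder)
		}
		var doc map[string]any
		if err := json.Unmarshal([]byte(value), &doc); err != nil {
			return fmt.Errorf("%s: %w", name, err)
		}
	case KindMatch:
		// "*" and "name:AWS*" are legitimate here; only an empty field is rejected.
		if strings.TrimSpace(value) == "" {
			return fmt.Errorf("%s: must not be empty", name)
		}
	}
	return nil
}

// CheckAll validates a whole parameter set and returns every problem found.
func CheckAll(params map[string]string, kinds map[string]ParamKind) []error {
	var errs []error
	for name, value := range params {
		if err := CheckParam(name, value, kinds[name]); err != nil {
			errs = append(errs, err)
		}
	}
	return errs
}

func main() {
	// Hypothetical parameter set after a stack update that saved the mask.
	params := map[string]string{
		"GoogleUserMatch":   "*",
		"GoogleGroupMatch":  "name:AWS*",
		"GoogleCredentials": maskedPlaceholder,
	}
	kinds := map[string]ParamKind{"GoogleCredentials": KindJSON}
	for _, err := range CheckAll(params, kinds) {
		fmt.Println("config error:", err)
	}
	fmt.Println("raw parser message:", RawJSONError("*"))
}
```

Running `main` prints one config error for GoogleCredentials and the raw parser message from the issue; the two match fields pass because `*` is a valid wildcard there.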