Problem
Noticed that if we delete a user on the Google side and then recreate it with the exact same details the following occurs:
ssosync will consider that user as inactive based on the API response, hence deleting it from AWS SSO
https://github.com/awslabs/ssosync/blob/master/internal/sync.go#L70-L103
https://github.com/awslabs/ssosync/blob/master/internal/google/client.go#L64-L73
ssosync will then list all the active users and it will see that it needs to add again the user that has just been deleted in the previous step.
https://github.com/awslabs/ssosync/blob/master/internal/sync.go#L105-L152
At this stage the user will have no permission sets assigned on AWS SSO, and this will happen every time we run ssosync.
Possible Solution
I believe that it would be beneficial to change the SyncUsers function so it checks that all of the API returned deleted users are in fact inactive, and for the ones that are now active it just ignores them by building a new list of deleted users which we can iterate over just like it's being done atm.
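One way to build the filtered list proposed above, as an added example (not ssosync's code and not part of the original issue). The `User` type and `StillDeleted` function are hypothetical, and the sketch assumes users are matched by primary email, compared case-insensitively.

```go
package main

import (
	"fmt"
	"strings"
)

// User is a hypothetical, minimal stand-in for a directory user record.
type User struct {
	PrimaryEmail string
}

// normalize returns the comparison key for an email address
// (assumption: addresses are matched case-insensitively).
func normalize(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// StillDeleted returns the entries of deleted whose email does not belong to
// any currently active user, so a recreated account is never removed.
func StillDeleted(deleted, active []User) []User {
	activeSet := make(map[string]struct{}, len(active))
	for _, u := range active {
		activeSet[normalize(u.PrimaryEmail)] = struct{}{}
	}
	seen := make(map[string]struct{}, len(deleted))
	out := make([]User, 0, len(deleted))
	for _, u := range deleted {
		key := normalize(u.PrimaryEmail)
		if _, ok := activeSet[key]; ok {
			continue // recreated with the same address: keep the AWS SSO user
		}
		if _, dup := seen[key]; dup {
			continue // the same address appears more than once in the deleted list
		}
		seen[key] = struct{}{}
		out = append(out, u)
	}
	return out
}

func main() {
	// Constructed sample data: alice was deleted and then recreated.
	deleted := []User{{"alice@example.com"}, {"bob@example.com"}}
	active := []User{{"Alice@Example.com"}, {"carol@example.com"}}
	for _, u := range StillDeleted(deleted, active) {
		fmt.Println("delete from AWS SSO:", u.PrimaryEmail)
	}
}
```

With this filter in front of the deletion loop, only `bob@example.com` is removed in the sample run, and the recreated user keeps its existing permission set assignments.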