How can I troubleshoot the "Refused to create a new, duplicate resource" error with IAM Identity Center SCIM provisioning?


I used System for Cross-domain Identity Management (SCIM) provisioning for users and groups with AWS IAM Identity Center. The SCIM or automatic provisioning failed with the error "Refused to create a new, duplicate resource."

Short description

This error occurs because the username, email address, or external ID attributes aren't a unique value. This error can also occur when the display name or external ID isn't a unique value for groups. For more information, see Considerations for using automatic provisioning.

Resolution

To resolve this error, use your identity store ID to search for the duplicate attribute. Then, complete the following steps to reprovision the user or group or delete and create new ones.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

In the following AWS CLI commands, replace these values:

  • YOUR-REGION with your AWS Region
  • YOUR-IDENTITY-STORE-ID with your identity store ID
  • YOUR-USER-NAME with your username
  • YOUR-EMAIL-ADDRESS with your email address
  • YOUR-EXTERNAL-ID with your external ID
  • YOUR-TENANT-ID with your tenant ID
  • YOUR-GROUP-NAME with your group name

Get your identity store ID

Run the list-instances command:

aws sso-admin list-instances --region "YOUR-REGION"

Example output:

{
    "Instances": [
        {
            "CreatedDate": "...",
            "IdentityStoreId": "IDENTITY-STORE-ID",
            "InstanceArn": "...",
            "OwnerAccountId": "...",
            "Status": "ACTIVE"
        }
    ]
}

Note the identity store ID value to use in a later step.

Get your tenant ID

Complete the following steps:

  1. Open the IAM Identity Center console.
  2. In the navigation pane, choose Settings.
  3. From Identity source, choose the Actions dropdown list.
  4. Choose Manage provisioning.
  5. From Configuration, copy the SCIM endpoint URL.

The SCIM endpoint URL is in the following format: https://scim.YOUR-REGION.amazonaws.com/YOUR-TENANT-ID/scim/v2/.

Troubleshoot user provisioning

To search for existing users by username, email address, or external ID, run the get-user-id command.

Search by username

Run the following command:

aws identitystore get-user-id --identity-store-id "YOUR-IDENTITY-STORE-ID" --alternate-identifier '{"UniqueAttribute" : {"AttributePath": "userName","AttributeValue": "YOUR-USER-NAME"}}' --region "YOUR-REGION"

Search by email address

Run the following command:

aws identitystore get-user-id --identity-store-id "YOUR-IDENTITY-STORE-ID" --alternate-identifier '{"UniqueAttribute": {"AttributePath":"emails.value", "AttributeValue": "YOUR-EMAIL-ADDRESS"} }' --region "YOUR-REGION"

Search by external ID

Run the following command:

aws identitystore get-user-id --identity-store-id "YOUR-IDENTITY-STORE-ID" --alternate-identifier '{"ExternalId" : {"Issuer": "https://scim.aws.com/YOUR-TENANT-ID", "Id": "YOUR-EXTERNAL-ID"}}' --region "YOUR-REGION"

Example output when an existing user already owns the same unique attribute:

{
    "UserId": "YOUR-USER-ID",
    "IdentityStoreId": "YOUR-IDENTITY-STORE-ID"
}

If no user with that attribute exists, then you receive an error similar to the following one:

"An error occurred (ResourceNotFoundException) when calling the GetUserId operation: USER not found."
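The three searches above can be run together so that you see which attribute collides before you ask your IdP to reprovision. The following script is an added example, not part of the AWS article: it wraps the same get-user-id calls, treats ResourceNotFoundException as "no duplicate", and reports every attribute that an existing user already owns. It assumes a configured AWS CLI; the AWS_CLI variable is an assumption of this script (not an AWS setting) that lets you point at a wrapper or stub.

```shell
# Added example, not from the AWS article. Checks every attribute that SCIM
# requires to be unique for a user, so you can see exactly which one collides.
# Assumes a configured AWS CLI; AWS_CLI (assumed variable) may name a stub.
set -u
AWS_CLI="${AWS_CLI:-aws}"

# Build the --alternate-identifier JSON the article uses for one attribute.
# kind: userName | email | externalId; tenant is needed only for externalId.
build_alternate_identifier() {
  local kind="$1" value="$2" tenant="${3:-}"
  case "$kind" in
    userName)   printf '{"UniqueAttribute":{"AttributePath":"userName","AttributeValue":"%s"}}' "$value" ;;
    email)      printf '{"UniqueAttribute":{"AttributePath":"emails.value","AttributeValue":"%s"}}' "$value" ;;
    externalId) printf '{"ExternalId":{"Issuer":"https://scim.aws.com/%s","Id":"%s"}}' "$tenant" "$value" ;;
    *) return 2 ;;
  esac
}

# Look up one user by one attribute. Prints the UserId and returns 0 if a user
# exists, returns 1 on ResourceNotFoundException, 2 on any other CLI error.
find_user_by() {
  local store="$1" region="$2" kind="$3" value="$4" tenant="${5:-}" ident out
  ident=$(build_alternate_identifier "$kind" "$value" "$tenant") || return 2
  if out=$("$AWS_CLI" identitystore get-user-id --identity-store-id "$store" \
           --alternate-identifier "$ident" --region "$region" \
           --query UserId --output text 2>&1); then
    printf '%s\n' "$out"; return 0
  fi
  case "$out" in
    *ResourceNotFoundException*) return 1 ;;
    *) printf '%s\n' "$out" >&2; return 2 ;;
  esac
}

# Check userName, email and externalId together. Prints "attribute=UserId" for
# each existing user that already owns the value; returns 0 only if none do.
report_user_collisions() {
  local store="$1" region="$2" tenant="$3" username="$4" email="$5" ext="$6"
  local pair kind value uid hits=0
  for pair in "userName:$username" "email:$email" "externalId:$ext"; do
    kind="${pair%%:*}"; value="${pair#*:}"
    if uid=$(find_user_by "$store" "$region" "$kind" "$value" "$tenant"); then
      printf '%s=%s\n' "$kind" "$uid"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}
```

Call it as `report_user_collisions "YOUR-IDENTITY-STORE-ID" "YOUR-REGION" "YOUR-TENANT-ID" "YOUR-USER-NAME" "YOUR-EMAIL-ADDRESS" "YOUR-EXTERNAL-ID"`; a non-zero exit means at least one attribute is already taken and the lines printed tell you which user owns it.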

Reprovision the user

After you identify the duplicate attribute, either reprovision the user with a different attribute value or delete the user and create a new one.

Important: For help with reprovisioning, contact your identity provider (IdP).

To use the AWS Management Console to delete a user, see Delete users in IAM Identity Center.

To use the DeleteUser API action to delete a user, run the delete-user command:

aws identitystore delete-user --identity-store-id "YOUR-IDENTITY-STORE-ID" --user-id "YOUR-USER-ID" --region "YOUR-REGION"

Note: After you delete a user, you can't undo the action, and you must recreate assignments on the new user.

Troubleshoot group provisioning

To search for existing groups by display name or external ID, run the get-group-id command.

Search by display name

Run the following command:

aws identitystore get-group-id --identity-store-id "YOUR-IDENTITY-STORE-ID" --alternate-identifier '{"UniqueAttribute" : {"AttributePath": "displayName","AttributeValue": "YOUR-GROUP-NAME"}}' --region "YOUR-REGION"

Search by external ID

Run the following command:

aws identitystore get-group-id --identity-store-id "YOUR-IDENTITY-STORE-ID" --alternate-identifier '{"ExternalId" : {"Issuer": "https://scim.aws.com/YOUR-TENANT-ID", "Id": "YOUR-EXTERNAL-ID"}}' --region "YOUR-REGION"

Example output when an existing group already owns the same unique attribute:

{
    "GroupId": "YOUR-GROUP-ID",
    "IdentityStoreId": "YOUR-IDENTITY-STORE-ID"
}

If no group with that display name or external ID exists, then you receive an error similar to the following one:

"An error occurred (ResourceNotFoundException) when calling the GetGroupId operation: GROUP not found."

Reprovision the group

After you identify the duplicate attribute, either reprovision the group with a different attribute value or delete the group and create a new one.

Important: For help with reprovisioning, contact your IdP.

To use the AWS Management Console to delete a group, see Delete groups in IAM Identity Center.

To use the DeleteGroup API action to delete a group, run the delete-group command:

aws identitystore delete-group --identity-store-id "YOUR-IDENTITY-STORE-ID" --group-id "YOUR-GROUP-ID" --region "YOUR-REGION"

Note: After you delete a group, you can't undo the action, and you must recreate the assignments on the new group.

Related information

How to create and manage users within AWS IAM Identity Center

Troubleshooting IAM Identity Center issues

AWS OFFICIAL
Updated 17 days ago