The issue you're experiencing is related to the access permissions for the AWS Identity Store API in different accounts. While the AWS Identity Center (formerly AWS SSO) is set up in your delegated administrator account, it appears that the Identity Store API access is restricted to the management account in your case.
By design, the Identity Store API operations, including the describe-user command, can be accessed from the management account. However, for member accounts (including delegated administrator accounts), access to these operations is limited and requires specific configuration.
To resolve this issue and allow the describe-user command to work in your delegated administrator account, you need to ensure that access to the identity store from member accounts is properly configured. This involves setting up the necessary permissions and policies in IAM Identity Center.
If you need to use the Identity Store API operations from the delegated administrator account, you may need to review and adjust your IAM Identity Center configuration. Ensure that the delegated administrator account has the appropriate permissions to access the identity store data.
If you continue to face issues after verifying the permissions, it's recommended to double-check the identity store ID you're using and ensure it's correct for your IAM Identity Center instance. You may also want to confirm that the user ID you're querying exists in the identity store.
For immediate access to user information, you can continue using the management account to run the describe-user command until you resolve the access issue in the delegated administrator account.
Sources
DescribeUser - Identity Store
identitystore — AWS CLI 2.27.8 Command Reference
Hi,
The error suggests that the identity store ID you provided (d-c12341f123) does not exist or is not accessible in your AWS account.
Using AWS CLI, you can get this information by describing your Identity Center instance:
aws sso-admin list-instances
Once you have the correct identity store ID, you can then use the following command to view the list of users.
aws identitystore list-users --identity-store-id <your-identity-store-id>
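The check both answers describe, written out as an added example (this is not code from either answer or from AWS): take the JSON that `aws sso-admin list-instances` prints in the account you are calling from, read the `IdentityStoreId` it reports, and compare it with the ID you are about to pass to `describe-user` or `list-users`. The sample output, the `ssoins-...` ARN and the `d-0000000abc` ID are constructed placeholders, and the `^d-[0-9a-f]{10}$` pattern is an assumed sanity check on the ID's shape, not an authoritative specification. Standard library only, so it runs offline.

```python
import json
import re
import shlex

# Constructed sample of the JSON `aws sso-admin list-instances` returns in an
# account where the IAM Identity Center instance is visible. The ARN and the
# identity store ID are made-up placeholders, not real values.
SAMPLE_LIST_INSTANCES = """
{
  "Instances": [
    {
      "InstanceArn": "arn:aws:sso:::instance/ssoins-0000000000example",
      "IdentityStoreId": "d-0000000abc"
    }
  ]
}
"""

# Assumed shape of an identity store ID: "d-" followed by ten hex characters
# (the ID in the question, d-c12341f123, has this form). Sanity check only.
IDENTITY_STORE_ID_RE = re.compile(r"^d-[0-9a-f]{10}$")


def identity_store_ids(list_instances_json: str) -> list[str]:
    """Return the IdentityStoreId of every instance in list-instances output.

    An empty list means the calling account sees no Identity Center instance,
    which is the situation in the question: the API is being called from an
    account that cannot reach the identity store.
    """
    data = json.loads(list_instances_json)
    return [inst["IdentityStoreId"] for inst in data.get("Instances", [])]


def check_identity_store_id(candidate: str, list_instances_json: str) -> str:
    """Validate the ID you typed against what this account actually reports.

    Returns "ok" when the candidate matches an instance visible here, otherwise
    a short reason that maps to the failure modes discussed in the thread.
    """
    if not IDENTITY_STORE_ID_RE.match(candidate):
        return "malformed: expected d- followed by 10 hex characters"
    visible = identity_store_ids(list_instances_json)
    if not visible:
        return "no instance visible in this account (run from the management account)"
    if candidate not in visible:
        return f"not found here; this account's identity store is {visible[0]}"
    return "ok"


def describe_user_argv(identity_store_id: str, user_id: str) -> list[str]:
    """Build argv for `aws identitystore describe-user` (no shell quoting needed)."""
    return ["aws", "identitystore", "describe-user",
            "--identity-store-id", identity_store_id,
            "--user-id", user_id]


def list_users_argv(identity_store_id: str) -> list[str]:
    """Build argv for `aws identitystore list-users`."""
    return ["aws", "identitystore", "list-users",
            "--identity-store-id", identity_store_id]


if __name__ == "__main__":
    # Offline walk-through with the constructed sample: the ID from the question
    # is well-formed but is not the one this (sample) account reports.
    print(check_identity_store_id("d-c12341f123", SAMPLE_LIST_INSTANCES))
    store_id = identity_store_ids(SAMPLE_LIST_INSTANCES)[0]
    print("would run:", shlex.join(list_users_argv(store_id)))
    # With credentials configured, pass the argv list to subprocess.run() to
    # execute it for real; the sample above never calls AWS.
```

In practice you would feed the function the real output (`aws sso-admin list-instances` piped to a file or captured with `subprocess.run`) from the same profile you use for `describe-user`; if the list is empty or the ID differs, the problem is the account or profile you are calling from, not the user you are querying.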