SSM Document to disable AWS Identity Center users error: "Invalid API name: UpdateUser"

0

Hi all

I created a Systems Manager document to disable AWS Identity Center users as follows. But I encountered the "Invalid API name: UpdateUser" error. What could go wrong? For the service, I tried both "sso" and "identitystore". Neither of them worked. Same error.

I can see Identity Store supports UpdateUser API - https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_UpdateUser.html.

schemaVersion: '0.3'
description: Disable an AWS Identity Center user using AutomationAssumeRole
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  IdentityStoreId:
    type: String
    description: Identity Store ID
  UserId:
    type: String
    description: User ID to disable
  AutomationAssumeRole:
    type: String
    description: IAM Role ARN to assume
mainSteps:
  - name: DisableUser
    action: aws:executeAwsApi
    isEnd: true
    inputs:
      Service: sso
      Api: UpdateUser
      IdentityStoreId: '{{ IdentityStoreId }}'
      UserId: '{{ UserId }}'
      Operations:
        - AttributePath: active
          AttributeValue: 'false'

1 Answer
-1

The error you're encountering is due to an incorrect configuration in your Systems Manager Automation document. The issue lies in the specification of the AWS service and API name in the aws:executeAwsApi action.

For AWS Identity Center (formerly known as AWS SSO) operations, you need to use the Identity Store API, which is a separate service from the main SSO service. The correct service name to use is "identitystore", not "sso".

Additionally, the UpdateUser API in the Identity Store service doesn't directly support disabling a user by setting an "active" attribute to false. Instead, you would typically update the user's status using a different approach.

To resolve this issue, you should modify your Automation document as follows:

  1. Change the Service parameter from "sso" to "identitystore".
  2. Instead of using UpdateUser, use the appropriate API call to update the user's status. The exact API may depend on how user statuses are managed in your Identity Center configuration.

Here's an example of how you might modify the DisableUser step:

  - name: DisableUser
    action: aws:executeAwsApi
    isEnd: true
    inputs:
      Service: identitystore
      Api: UpdateUser
      IdentityStoreId: '{{ IdentityStoreId }}'
      UserId: '{{ UserId }}'
      UserName: '{{ UserName }}'
      Status: DISABLED

Note that this is a conceptual example, and the exact parameters and values may need to be adjusted based on the specific API requirements and your Identity Center configuration.

Also, ensure that the IAM role specified in AutomationAssumeRole has the necessary permissions to perform operations on the Identity Store service.

If you continue to face issues, you may need to consult the AWS Identity Store API documentation for the most up-to-date information on managing user statuses, or consider using AWS CLI or SDK commands within an aws:executeScript action for more complex operations.
Sources
UpdateUser - AWS Identity and Access Management
Using action outputs as inputs - AWS Systems Manager

answered 17 days ago
