Hi,
Reproduced in 2 environments:
- ADConnector->AWS SSO
- MicrosoftAD->AWS SSO
Provisioning method is ADSync
Tested with latest versions of boto3 and AWS cli both.
When I call ListGroups / ListUsers and other API methods of IdentityStore, I'm facing different errors:
- When ListUsers / ListGroups without Filters - getting error from the server that I must add filters although this argument was deprecated:
self._client.list_users(IdentityStoreId=self._identity_store_id)
2023-01-29 15:36:20,909 urllib3.connectionpool [DEBUG] Resetting dropped connection: identitystore.us-east-1.amazonaws.com
2023-01-29 15:36:21,351 urllib3.connectionpool [DEBUG] https://identitystore.us-east-1.amazonaws.com:443 "POST / HTTP/1.1" 400 63
*** botocore.errorfactory.ValidationException: An error occurred (ValidationException) when calling
the ListUsers operation: Filter is required
You can see in the logs that a request has been made and it's not the SDK that blocks me from listing users without filters.
Second issue is when listing group memberships, getting UnknownOperationException - (the UserId is correct and works with DescribeUser API call).
This reproduces both in ListGroupMemberships and ListGroupMembershipsForMember:
self._client.list_group_memberships_for_member(IdentityStoreId=self._identity_store_id, MemberId={'UserId': 'REDACTED'})
2023-01-29 15:39:42,371 urllib3.connectionpool [DEBUG] https://identitystore.us-east-1.amazonaws.com:443 "POST / HTTP/1.1" 400 38
*** botocore.exceptions.ClientError: An error occurred (UnknownOperationException) when calling the ListGroupMembershipsForMember operation:
I have only read access to this AWS account.
Thanks.
I'm sorry but it's seems that you answered the question only to gain points here. The filters argument is no longer required. Also, I can guarantee that I have sufficient permissions as this issue does not reproduce on many other environments (some with Active Directory and some aren't) - with the same permissions (and DescribeUser/DescribeGroup working perfectly).