Identitystore ListUsers and ListGroups API results in UnknownOperationException

0

Hi,

Reproduced in 2 environments:

  1. ADConnector->AWS SSO
  2. MicrosoftAD->AWS SSO

Provisioning method is ADSync

Tested with latest versions of boto3 and AWS cli both.

When I call ListGroups / ListUsers and other API methods of IdentityStore, I'm facing different errors:

  1. When calling ListUsers / ListGroups without Filters, I get an error from the server that I must add filters, although this argument was deprecated:

self._client.list_users(IdentityStoreId=self._identity_store_id)

2023-01-29 15:36:20,909 urllib3.connectionpool [DEBUG] Resetting dropped connection: identitystore.us-east-1.amazonaws.com

2023-01-29 15:36:21,351 urllib3.connectionpool [DEBUG] https://identitystore.us-east-1.amazonaws.com:443 "POST / HTTP/1.1" 400 63

*** botocore.errorfactory.ValidationException: An error occurred (ValidationException) when calling the ListUsers operation: Filter is required

You can see in the logs that a request has been made and it's not the SDK that blocks me from listing users without filters.

The second issue is when listing group memberships: I get UnknownOperationException (the UserId is correct and works with the DescribeUser API call). This reproduces in both ListGroupMemberships and ListGroupMembershipsForMember:

self._client.list_group_memberships_for_member(IdentityStoreId=self._identity_store_id, MemberId={'UserId': 'REDACTED'})

2023-01-29 15:39:42,371 urllib3.connectionpool [DEBUG] https://identitystore.us-east-1.amazonaws.com:443 "POST / HTTP/1.1" 400 38

*** botocore.exceptions.ClientError: An error occurred (UnknownOperationException) when calling the ListGroupMembershipsForMember operation:

I have only read access to this AWS account. Thanks.
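As an added example (not code from the original post or from AWS), here is a small boto3-style wrapper that handles the two failures described above: it pages through ListUsers with NextToken, retries with exact-match UserName filters when the store answers "Filter is required", and reports ListGroupMembershipsForMember's UnknownOperationException as "unknown" rather than as an empty membership list. The caller-supplied fallback user names, the `store_id`, and the fake `client` in the test are assumptions.

```python
from typing import Any, Dict, List, Optional

try:
    from botocore.exceptions import ClientError
except ImportError:  # botocore absent: stand-in with the same constructor and .response
    class ClientError(Exception):  # type: ignore[no-redef]
        def __init__(self, error_response: Dict[str, Any], operation_name: str) -> None:
            super().__init__(str(error_response.get("Error", {}).get("Message", operation_name)))
            self.response = error_response


def classify_error(exc: ClientError) -> str:
    """Map a ClientError onto the post's two cases, else 'other'."""
    err = exc.response.get("Error", {})
    if err.get("Code") == "ValidationException" and "Filter is required" in err.get("Message", ""):
        return "filter_required"
    if err.get("Code") == "UnknownOperationException":
        return "unsupported_operation"
    return "other"


def list_users(client, store_id: str, fallback_names: Optional[List[str]] = None) -> List[Dict[str, Any]]:
    """Walk ListUsers by NextToken; if the store insists on a Filter, retry per known UserName."""
    users: List[Dict[str, Any]] = []
    kwargs: Dict[str, Any] = {"IdentityStoreId": store_id}
    try:
        while True:
            page = client.list_users(**kwargs)
            users.extend(page.get("Users", []))
            if not page.get("NextToken"):
                return users
            kwargs["NextToken"] = page["NextToken"]
    except ClientError as exc:
        if classify_error(exc) != "filter_required":
            raise
    # Fallback: the API accepts an exact-match filter on UserName (names assumed known, e.g. from AD)
    for name in fallback_names or []:
        page = client.list_users(IdentityStoreId=store_id,
                                 Filters=[{"AttributePath": "UserName", "AttributeValue": name}])
        users.extend(page.get("Users", []))
    return users


def memberships_for_user(client, store_id: str, user_id: str) -> Optional[List[Dict[str, Any]]]:
    """Group memberships of a user, or None when the store answers UnknownOperationException."""
    try:
        page = client.list_group_memberships_for_member(
            IdentityStoreId=store_id, MemberId={"UserId": user_id})
        return page.get("GroupMemberships", [])
    except ClientError as exc:
        if classify_error(exc) == "unsupported_operation":
            return None  # audit code should record 'unknown', not 'no groups'
        raise
```

Treating None and an empty list differently matters for access reviews: a store that cannot answer the membership query must not be reported as a user with no group grants.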

1 Answer
0

It seems that the issue with the ListUsers and ListGroups methods is that they require filters, which are now mandatory, and the deprecated argument has been removed.

As for the ListGroupMemberships and ListGroupMembershipsForMember methods, the error seems to be related to an "UnknownOperationException".

Additionally, it is possible that these issues are related to permissions, and it may be necessary to check the IAM roles and policies attached to the AWS account being used.

answered a year ago
  • I'm sorry but it seems that you answered the question only to gain points here. The filters argument is no longer required. Also, I can guarantee that I have sufficient permissions, as this issue does not reproduce on many other environments (some with Active Directory and some without) with the same permissions (and DescribeUser/DescribeGroup working perfectly).
