SSM document error: Output Selector must be a valid JSONPath expression

0

Hi all

I created a Systems Manager document to delete an IAM user. I could see I'd need to remove the user from groups first, so I ended up with the following document. It lists the groups for the user first, then the next step uses the output as the input. But I encountered the following error:

Failure message
Step fails when it is validating and resolving the step inputs. Selector: Groups[].GroupName of the user defined outputs: GroupNames is invalid. Selector must be a valid JSONPath expression.. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.

How should I specify the output selector?

schemaVersion: '0.3'
description: Delete an AWS IAM user using AutomationAssumeRole
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  UserName:
    type: String
    description: User name to delete
  AutomationAssumeRole:
    type: String
    description: IAM Role ARN to assume
mainSteps:
  - name: GetUserGroups
    action: aws:executeAwsApi
    nextStep: RemoveUserFromGroups
    isEnd: false
    inputs:
      Service: iam
      Api: ListGroupsForUser
      UserName: '{{ UserName }}'
    outputs:
      - Name: GroupNames
        Selector: $.Groups[].GroupName
        Type: StringList
  - name: RemoveUserFromGroups
    action: aws:loop
    nextStep: DeleteUser
    isEnd: false
    inputs:
      Iterators: '{{ GetUserGroups.GroupNames }}'
      IteratorDataType: String
      Steps:
        - name: RemoveUserFromGroup
          action: aws:executeAwsApi
          isEnd: true
          inputs:
            Service: iam
            Api: RemoveUserFromGroup
            GroupName: '{{ RemoveUserFromGroups.CurrentIteratorValue }}'
            UserName: '{{ UserName }}'
  - name: DeleteUser
    action: aws:executeAwsApi
    isEnd: true
    inputs:
      Service: iam
      Api: DeleteUser
      UserName: '{{ UserName }}'
asked 18 days ago, 59 views
2 Answers
0

hi,

Great work! You're building an SSM automation to delete an IAM user from each group.

Basically, you need a Lambda function to iterate over the GroupNames.

For the output section where you're trying to extract all GroupName values from the Groups array, you need to invoke a Lambda function to iterate over all groups, because SSM doesn’t support wildcards like [] in JSONPath to extract multiple values directly.

https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-action-outputs-inputs.html

outputs:
  - Name: GroupNames
    Selector: $.Groups[].GroupName   # SSM does not support [ ], so it can't extract every GroupName field.
    Type: StringList

So we need a Lambda function to iterate over the group names:

def lambda_handler(event, context):
    # Collect the GroupName of each entry in the Groups list passed in the event.
    groups = event.get("Groups", [])
    group_names = [group["GroupName"] for group in groups if "GroupName" in group]
    return {
        "GroupNames": group_names
    }

Then, in your SSM automation doc, invoke the Lambda and set the output:

outputs:
  - Name: GroupNames
    Selector: $.Payload.GroupNames   # The Payload is a standard key in the response returned by Lambda.
    Type: StringList

This way, you'll have the group names processed by the Lambda function, and you'll be able to correctly iterate through them in subsequent steps.

Best,

answered 18 days ago
-1

The error you're encountering is due to an incorrect syntax in the output selector for the GetUserGroups step. To resolve this issue, you need to modify the Selector in the outputs section of the GetUserGroups step.

Instead of:

Selector: $.Groups[].GroupName

You should use:

Selector: "Groups[*].GroupName"

This change will correctly select the GroupName from each Group in the response. The "[*]" syntax is used to iterate over all elements in the Groups array, and ".GroupName" selects the GroupName property from each group.

Also, make sure that the Type is set to StringList, as you have it in your current configuration.

Your corrected GetUserGroups step should look like this:

- name: GetUserGroups
  action: aws:executeAwsApi
  nextStep: RemoveUserFromGroups
  isEnd: false
  inputs:
    Service: iam
    Api: ListGroupsForUser
    UserName: '{{ UserName }}'
  outputs:
    - Name: GroupNames
      Selector: "Groups[*].GroupName"
      Type: StringList

This modification should resolve the "Output Selector must be a valid JSONPath expression" error you're encountering. The rest of your document structure looks correct for the task of deleting an IAM user after removing them from all groups.
Sources
Configuring inputs and outputs for your actions - AWS Systems Manager
AWS Service Catalog Service Actions - AWS Service Catalog

answered 18 days ago
  • Output selector Groups[].GroupName is invalid. Selector contains only the following JSONPath operations: [Dot-notated child (.), Deep-scan (..), Array index ([])] or filtering expressions using only ==, !=, <, >, <=, or >= operators. The following JSONPath operators: ',' ':' '', regular expressions, '&&' and '||' in filter expressions, and functions such as length() are currently not supported.
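
As an added example (not part of the thread and not AWS code), the sketch below models locally the three operations the error message in the comment above lists as supported, dot-notated child, deep-scan and array index, and runs selectors against a constructed ListGroupsForUser-shaped response. Filter expressions, which the message also allows, are left out, and the tokenizer is an assumption drawn from that message, not the Automation service's validator.

```python
import re

# Constructed sample shaped like an IAM ListGroupsForUser response (not real data).
SAMPLE = {"Groups": [{"GroupName": "developers", "Path": "/"},
                     {"GroupName": "auditors", "Path": "/"}],
          "IsTruncated": False}

# One token: ..name (deep-scan), .name (dot-notated child) or [n] (array index).
TOKEN = re.compile(r"\.\.[A-Za-z_]\w*|\.[A-Za-z_]\w*|\[\d+\]")

def tokenize(selector):
    """Split a selector into tokens; raise ValueError on anything else (assumed rule set)."""
    body = selector[1:] if selector.startswith("$") else "." + selector
    pos, tokens = 0, []
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if not m:
            raise ValueError(f"unsupported operation at {body[pos:]!r}")
        tokens.append(m.group(0))
        pos = m.end()
    return tokens

def descend(node, key):
    """Deep-scan: yield every value stored under key at any depth below node."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from descend(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from descend(item, key)

def select(doc, selector):
    """Evaluate a selector against doc and return the list of matched values."""
    nodes = [doc]
    for tok in tokenize(selector):
        if tok.startswith(".."):
            nodes = [v for n in nodes for v in descend(n, tok[2:])]
        elif tok.startswith("."):
            nodes = [n[tok[1:]] for n in nodes if isinstance(n, dict) and tok[1:] in n]
        else:
            i = int(tok[1:-1])
            nodes = [n[i] for n in nodes if isinstance(n, list) and i < len(n)]
    return nodes

if __name__ == "__main__":
    print(select(SAMPLE, "$.Groups..GroupName"))
    print(select(SAMPLE, "$.Groups[0].GroupName"))
```

In this model the question's `$.Groups[].GroupName` is rejected at the empty brackets, while the deep-scan form returns every group name as a list.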
