Permission sets failing to create with no SNS error about aws-iam-identity-center-extensions HOT 9 OPEN

Hi @allquixotic , ack on the issue. Let me try and reproduce the issue with the flow you described. That way, we will be able to understand where the missing/faulty logic is. I will either update you on my analysis of where the issue/might be (or) reach out to you for any questions on reproducing the bug in a few days.

With regards to the solution assuming it's cache is the source of truth, this is the current design of the solution. However, we're acutely aware of the pitfalls we would run into with this assumption (out of band changes being done directly on AWS SSO, privileged admin messing up the solution cache etc) , and had already started working on a long term fix for this.

We intend to release a "nightlyRun" feature with the solution , where the solution would run a discovery job on a nightly basis , determine if the state on AWS SSO (permission sets, account assignments) deviate from the solution cache, and based on the config option you choose , we either automatically remediate the deviation (using solution cache as source of truth) (or) send notifications on all the deviations for solution admins to manually remediate this as they see fit.

As you can see, for the "nightlyRun" feature we make the assumption that the solution cache is the state of truth and ensure that AWS SSO reflects this state of truth. In a way, this is our attempt to streamline access management in AWS SSO through the solution. Of course, we are providing all of this in a configurable way, so you could either choose not to have this "nightlyRun" feature at all / have it run in a "notification" mode only.

We were almost ready with this feature, but ran into some CDK specific compatibility issues and @vpegg is working on fixing these compatibility issues.

We would like to ask if the description of the "nightlyRun" feature above fits your requirements? If you have any feedback on how this could be improved/extended, please do let us know. We're more than happy to include any reasonable changes into the feature as we are still in development phase.

Thank you,
Leela

from aws-iam-identity-center-extensions.

The "nightlyRun" feature above may help, but it would be good to have three options for discrepancies, much like a Git merge conflict;

• Overwrite what's in AWS SSO with the SSO Extensions source of truth
• Overwrite what's in SSO Extensions with AWS SSO
• Let the administrator figure it out / manually merge

I hit an issue before where deleting permission sets from S3 had no effect in AWS SSO (after giving sufficient time for them to be deleted, and after making sure all the links data were purged first), so I'm not sure if this is related. For those permission sets, I had to delete them manually using the AWS management console.

From my understanding, I've done everything I possibly can to force the AWS SSO Extensions source of truth to be updated to realize that it needs to put this permission set into AWS SSO:

• I first cleared out all links data from S3 referencing this permset.
• I then deleted the permset itself from S3. (There's nothing to delete in AWS SSO because the permset does not exist.)
• I then bumped the version tag in the permission set JSON and re-uploaded it to S3. I hoped that changing an actual datum in the permset would make SSO Ex realize that the perm set doesn't exist, and that it needs to be created, but that didn't seem to work.

If this is not sufficient, can you provide a list of tasks that must be performed to get a permission set back into AWS SSO via SSO Ex if the permission set was manually deleted?

from aws-iam-identity-center-extensions.

Hi @allquixotic , for the current issue can you try this and update on what you are seeing please? To clarify, this is purely from a debug perspective and to help you with this specific permission set issue, and not intended to be the way you deal with orphaned permission sets in the long term.

Once you've deleted any links data, and the permission set file from S3, can you go to target account and region, and in dynamo , you will notice a table called env-permissionSetArn . I suspect you have an entry there for the problematic permission set with an arn value that is no longer valid. Can you delete this entry and the entry for the permission set from env-permissionSet table and re-try the flow for the permission set please?

from aws-iam-identity-center-extensions.

So oddly enough, there is no partition in the env-permissionSetArnTable for the permission set I'm looking for. It does exist in env-permissionSetTable!

from aws-iam-identity-center-extensions.

OK. I deleted the partition for the offending permission set from env-permissionSetTable, re-uploaded the file, and it imported.

Not only that, but the managed and inline policy specified in the JSON is correctly propagating to AWS SSO.

So the bug is when:

• It's not in env-permissionSetArnTable
• It is in env-permissionSetTable
• You ask SSO Ex to add the permission set by uploading it to S3

from aws-iam-identity-center-extensions.

To completely fix all my problems of the general form of "I upload a links_data or permission_sets file to S3, but nothing happens", I had to also clear out the env-provisionedLinksTable and then re-upload all my links_data.

I also wrote a script (in Python, so you can't reuse it for your implementation, sorry) that compares what's in SSO live; what's in S3; and what's in Dynamo -- and if a permission set exists in Dynamo and S3 but not in SSO live, I tell it to delete all records relevant to that permission set from Dynamo, then I re-upload the permission set to S3.

from aws-iam-identity-center-extensions.

Thank you for the update Sean. I will try and reproduce this and identify the root cause. You shouldn't need to do clean up's / write auxiliary scripts for this. This is really good debug info for us, so hopefully once the fix is in, you wouldn't run into this orphaned permission set issue.

from aws-iam-identity-center-extensions.

OK... if I completely clear out both links tables in Dynamo, clear out links_data in S3, then upload links_data in S3, SSO Ex creates the appropriate entries in the links tables in Dynamo, but it doesn't actually provision the permission set live. The permission set itself exists in both permission set tables, and the ARN in DynamoDB matches the ARN in live. Yet the permission set still says Not Provisioned.

In SQS, I have the env-linkManagerQueue.fifo and the env-linkManagerDLQ.fifo. The DLQ has 141 messages, 0 in flight. The queue has 1714 messages with 8 in flight.

When I did my links_data wipe, I didn't de-provision all the permission sets, so I will have a bunch of permission sets that are provisioned in SSO live, but don't show as provisioned in the Dynamo backend. Do you think this bug is happening because the code is trying again and again to provision links that are already provisioned, and not handling the new links that aren't provisioned?

Should I clear out both queues then try again?

from aws-iam-identity-center-extensions.

OK, I did as I said above -- cleared out both links tables entirely; and purged both the DLQ and the FIFO linkManagerQueue. I then deleted and re-uploaded all the links_data in S3.

I ended up with:

• Zero messages in the DLQ
• The number of messages in the linkManagerQueue are slowly going down, with 10 messages in flight at any given time

This looks much healthier. My big concern before was that the number of messages in both queues was remaining static over many minutes (I waited over 15 minutes to see if the number of messages would change; it didn't).

A few minutes later: Now I'm seeing a decent rate of reduction in the number of messages in the FIFO. About 10 per 30 seconds, give or take.

About an hour later: The DLQ has one item in it for some reason, but eventually the FIFO processed all the pending links messages, which resulted in all of the permission sets, except one, getting provisioned correctly. Not sure what happened with the one. I have a links_data linking it to a specific account and group that I verified exists.

So when encountering this issue with links data, sometimes it looks like the queue gets stuck and you have to purge the queue also.

from aws-iam-identity-center-extensions.