With S3 provisioning mode and a successfully deployed stack in single region/single account, with all initial setup CodePipelines successfully executed, I receive the following emailed error every time I add a user to AWS SSO. I get a similar error when adding a group. We are using Okta as External IdP with SCIM enabled. Can you tell what sort of issue this might be?
I have a good feeling that my links_data and permissions_data are valid, because when I uploaded my .ssofiles and .json to each respective folder in S3, pipelines ran without error. Then when I look in the AWS SSO console manually, the changes I expected (permission set creation, account/group/permission set assignment, etc.) all seemed to come through correctly.
I don't know why the solution needs to care about user add/delete at all, since none of my links_data refer to users. All of them only refer to .GROUP.ssofile, meaning that user CRUD should not affect anything in the SSO Extensions solution. I guess it still has to process the user add event to determine that, but then, the cause of the error is not apparent to me.
{
    "Subject": "Error Processing group trigger based link provisioning operation",
    "eventDetail": {
        "Records": [
            {
                "EventSource": "aws:sns",
                "EventVersion": "1.0",
                "EventSubscriptionArn": "arn:aws:sns:us-east-1:(redacted-acctid):env-aws-sso-extensions-for-enterprise-ssoEventsProcessorStack-envssoGroupEventsNotificationTopicredacted-identifier:redacted-guid",
                "Sns": {
                    "Type": "Notification",
                    "MessageId": "redacted-guid",
                    "TopicArn": "arn:aws:sns:us-east-1:(redacted-acctid):env-aws-sso-extensions-for-enterprise-ssoEventsProcessorStack-envssoGroupEventsNotificationTopicredacted-identifier",
                    "Subject": null,
                    "Message": "{\"version\":\"0\",\"id\":\"redacted-guid\",\"detail-type\":\"AWS API Call via CloudTrail\",\"source\":\"aws.sso-directory\",\"account\":\"(redacted-acctid)\",\"time\":\"2022-01-28T13:48:23Z\",\"region\":\"us-east-1\",\"resources\":[],\"detail\":{\"eventVersion\":\"1.08\",\"userIdentity\":{\"type\":\"Unknown\",\"accountId\":\"(redacted-acctid)\",\"accessKeyId\":\"redacted-guid\"},\"eventTime\":\"2022-01-28T13:48:23Z\",\"eventSource\":\"sso-directory.amazonaws.com\",\"eventName\":\"CreateGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"redacted-ip\",\"userAgent\":\"python-requests/2.27.1\",\"errorCode\":\"InternalFailure\",\"errorMessage\":\"An unknown error occurred\",\"requestParameters\":{\"identityStoreId\":\"d-redacted-id-store-id\",\"displayName\":\"redacted-group-display-name\",\"groupAttributes\":{}},\"responseElements\":null,\"requestID\":\"redacted-guid\",\"eventID\":\"redacted-guid\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"managementEvent\":true,\"recipientAccountId\":\"(redacted-acctid)\",\"eventCategory\":\"Management\",\"tlsDetails\":{\"clientProvidedHostHeader\":\"up.sso.us-east-1.amazonaws.com\"}}}",
                    "Timestamp": "2022-01-28T13:48:44.916Z",
                    "SignatureVersion": "1",
                    "Signature": "redacted-b64-signature",
                    "SigningCertUrl": "redacted-SNS-url"
                }
            }
        ]
    },
    "errorDetails": {}
}
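The notification quoted above is an SNS envelope whose Message field carries a CloudTrail event serialised as a string, so the fields that matter for triage (eventName, errorCode, errorMessage, the identity store id, the calling user agent) are two parsing layers deep. The following Python is an added example, not code from the poster or from the aws-sso-extensions-for-enterprise project: it unwraps every SNS record, parses the embedded CloudTrail JSON, and returns a flat triage summary per record. The sample notification is constructed here from the post's structure with placeholder values in place of the redacted ones; the "group"/"user" classification by substring of eventName is a heuristic of this example, not something the solution itself defines.

```python
import json

# Constructed sample modelled on the notification quoted in the post.
# Placeholder values stand in for the redacted account, store and group names.
# The Message is CloudTrail JSON serialised as a string, as SNS delivers it.
SAMPLE_NOTIFICATION = {
    "Subject": "Error Processing group trigger based link provisioning operation",
    "eventDetail": {
        "Records": [
            {
                "EventSource": "aws:sns",
                "Sns": {
                    "Type": "Notification",
                    "Message": json.dumps({
                        "version": "0",
                        "detail-type": "AWS API Call via CloudTrail",
                        "source": "aws.sso-directory",
                        "account": "111111111111",          # placeholder
                        "time": "2022-01-28T13:48:23Z",
                        "region": "us-east-1",
                        "detail": {
                            "eventTime": "2022-01-28T13:48:23Z",
                            "eventSource": "sso-directory.amazonaws.com",
                            "eventName": "CreateGroup",
                            "userAgent": "python-requests/2.27.1",
                            "errorCode": "InternalFailure",
                            "errorMessage": "An unknown error occurred",
                            "requestParameters": {
                                "identityStoreId": "d-0000000000",   # placeholder
                                "displayName": "example-group",      # placeholder
                                "groupAttributes": {},
                            },
                            "responseElements": None,
                        },
                    }),
                },
            }
        ]
    },
    "errorDetails": {},
}


def classify_object(event_name: str) -> str:
    """Heuristic of this example: decide whether a CloudTrail eventName from
    sso-directory concerns a group, a user, or something else."""
    if "Group" in event_name:
        return "group"
    if "User" in event_name:
        return "user"
    return "other"


def summarize_sso_notification(notification: dict) -> list:
    """Unwrap each SNS record, parse the embedded CloudTrail event and return
    one flat triage dict per record. A record whose Message is not valid JSON
    is reported rather than raised, so one bad record does not hide the rest."""
    summaries = []
    records = (notification.get("eventDetail") or {}).get("Records") or []
    for record in records:
        sns = record.get("Sns") or {}
        raw = sns.get("Message") or ""
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            summaries.append({"parse_error": True, "raw_message": raw})
            continue
        detail = event.get("detail") or {}
        params = detail.get("requestParameters") or {}
        name = detail.get("eventName") or ""
        error_code = detail.get("errorCode")
        summaries.append({
            "subject": notification.get("Subject"),
            "event_name": name,
            "event_source": detail.get("eventSource"),
            "time": detail.get("eventTime") or event.get("time"),
            "user_agent": detail.get("userAgent"),
            "identity_store_id": params.get("identityStoreId"),
            "object_type": classify_object(name),
            # A CloudTrail record with errorCode set describes a call the
            # service rejected; responseElements is then null, as in the post.
            "api_call_failed": error_code is not None,
            "error_code": error_code,
            "error_message": detail.get("errorMessage"),
        })
    return summaries


def triage_line(summary: dict) -> str:
    """One-line human readable verdict for a summary."""
    if summary.get("parse_error"):
        return "record skipped: SNS Message was not valid JSON"
    if summary["api_call_failed"]:
        return (f"{summary['event_name']} from {summary['user_agent']} failed with "
                f"{summary['error_code']} ({summary['error_message']}); the "
                f"{summary['object_type']} was never created, so downstream "
                f"provisioning received a failed-call event")
    return f"{summary['event_name']} succeeded for {summary['object_type']}"


if __name__ == "__main__":
    for s in summarize_sso_notification(SAMPLE_NOTIFICATION):
        print(triage_line(s))
```

Run against a real notification by loading the email body with json.load and passing it to summarize_sso_notification; the api_call_failed flag is the first thing to check, because an event with errorCode set is CloudTrail recording a rejected call, not a successful directory change.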