Comments (7)
Hi @snavarro-factorial, could you validate the Google Service Account you created? It looks like the Google email account associated with the Google Service Account doesn't have sufficient access. That is why you are receiving "... error code: 401 Unauthorized ..." as a part of your error message.
Please confirm that so we can close this issue.
from idp-scim-sync.
That was my first option, but I've checked and:
- I tested both with my email (superuser) and the Google Workspace owner email (and with owner permissions on the Google Service Account).
- I tried removing Domain-Wide Delegation, and the error changes to this:
Error: cannot sync groups and their members: error getting groups from the identity provider: idp: error listing groups: Get "https://admin.googleapis.com/admin/directory/v1/groups?alt=json&customer=my_customer&fields=groups%28id%2Cname%2Cemail%2Cetag%29&prettyPrint=false&query=name%3DSysAdmin": oauth2: cannot fetch token: 401 Unauthorized
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
- As soon as I create the Domain-Wide Delegation again, I get the same 401 error.
My roles in Google Workspace are:
- Super Admin
- Groups Admin
- User Management Admin
- Help Desk Admin
- Services Admin
- Groups Reader
- Groups Editor
All without any restricted condition, so I suppose the problem is not with the Google Workspace account, but with the Google Service Account?
I did the steps that were needed for the previous (abandoned) project --> https://github.com/awslabs/ssosync#google
Just in case that helps somehow :/
Thanks a lot!
Hi @snavarro-factorial, thank you for the details in your issue.
The important thing here: the problem is with the Google Workspace Service Account, as you can see in the last part of your error message:
...oauth2: cannot fetch token: 401 Unauthorized ...
I would like to help you because it looks like issue #49 is the same problem, which is the configuration of credentials for Google Workspace.
To help both of you, could you try the following?
Instead of using idpscim, let's try idpscimcli, and let me know your output without sensitive data:
idpscimcli --help
This is a Command-Line Interfaced (CLI) to help you validate and check your source and target Single Sing-On endpoints.
Check your AWS Single Sign-On (SSO) / Google Workspace Groups users and groups and validate your filters over Google Workspace users and groups.
Usage:
idpscimcli [command]
Available Commands:
aws AWS SSO SCIM commands
completion Generate the autocompletion script for the specified shell
gws Google Workspace commands
help Help about any command
Flags:
-c, --config-file string configuration file (default ".idpscim.yaml")
-d, --debug enable log debug level
-h, --help help for idpscimcli
-f, --log-format string set the log format (default "text")
-l, --log-level string set the log level (default "info")
--output-format string output format (json|yaml) (default "json")
--timeout duration requests timeout (default 10s)
-v, --version version for idpscimcli
Use "idpscimcli [command] --help" for more information about a command.
Get Google Workspace -> users list
idpscimcli gws users list \
--gws-service-account-file <location of your google workspace service account json file> \
--gws-user-email <the google workspace email associate the to service account>
Get Google Workspace -> groups list
idpscimcli gws groups list \
--gws-service-account-file <location of your google workspace service account json file> \
--gws-user-email <the google workspace email associated with the service account>
In both options you can also use filters:
...
--gws-users-filter 'email:ch*'
...
# https://developers.google.com/admin-sdk/directory/v1/guides/search-users
or
...
--gws-groups-filter
...
# https://developers.google.com/admin-sdk/directory/v1/guides/search-groups
Also, validate that you are following these instructions to create your Service Account and authorize the Directory API: Using OAuth 2.0 for Server to Server Applications.
The permissions needed by the Service Account are:
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
Hi @snavarro-factorial, see the latest comments on issue #49; for sure this is the error that is affecting you too.
This is a duplicate of issue #49.
Thanks for the help! I'll reply on this issue since the other is closed.
(Delegation permissions are set up as you said, everything correct from that side)
I cloned the repo with all of the changes and compiled it to test with the latest code, just in case, and this was the result:
$ ./idpscimcli gws groups list \
--gws-service-account-file credentials.json \
--gws-user-email [email protected] \
--gws-groups-filter 'name=SysAdmin'
INFO[0000] 1 groups found
INFO[0000] [
{
"email": "[email protected]",
"etag": "xxxxxxxx",
"id": "xxxxxxxxxxx",
"name": "SysAdmin"
}
]
That actually works, and if I remove the filter, it shows all groups. gws users list also works, so from that side everything is correct!
But when I try the sync command, it fails:
INFO[0000] starting sync groups codeVersion=main
INFO[0000] getting Identity Provider data group_filter="[name=SysAdmin]"
INFO[0002] getting state data
WARN[0002] no state file found in the state repository, creating this
WARN[0002] syncing from scim service, first time syncing
WARN[0002] reconciling the SCIM data with the Identity Provider data
INFO[0002] getting SCIM Groups
WARN[0003] aws checkHTTPResponse: body: status="401 Unauthorized" statusCode=401
Error: cannot sync groups and their members: error doing the first sync: error getting groups from the SCIM service: scim: error listing groups: statusCode: 401, errCode: 401 Unauthorized, errMsg:
I also tried to do what you said in this comment: #49 (comment)
But:
INFO[0000] starting sync groups codeVersion=main
INFO[0000] getting Identity Provider data group_filter="[name=SysAdmin]"
WARN[0001] google: not including [email protected] to group xxxxxxxxx members due to incorrect status (not ACTIVE)
WARN[0001] google: not including [email protected] to group xxxxxxxxx members due to incorrect status (not ACTIVE)
WARN[0001] google: not including [email protected] to group xxxxxxxxx members due to incorrect status (not ACTIVE)
WARN[0001] google: not including [email protected] to group xxxxxxxxx members due to incorrect status (not ACTIVE)
WARN[0001] google: not including [email protected] to group xxxxxxxxx members due to incorrect status (not ACTIVE)
WARN[0001] there are no users in the identity provider
INFO[0001] getting state data
WARN[0001] no state file found in the state repository, creating this
WARN[0001] syncing from scim service, first time syncing
WARN[0001] reconciling the SCIM data with the Identity Provider data
INFO[0001] getting SCIM Groups
WARN[0001] aws checkHTTPResponse: body: status="401 Unauthorized" statusCode=401
Error: cannot sync groups and their members: error doing the first sync: error getting groups from the SCIM service: scim: error listing groups: statusCode: 401, errCode: 401 Unauthorized, errMsg:
The emails I obfuscated are all the members of that group, and after errMsg: I just get the help message. Also, between incorrect status and (not ACTIVE) goes the actual status, like SUSPENDED, as far as I could see, but in this case it is empty.
I tried both syncs with this filter: --gws-groups-filter 'name=SysAdmin'.
If I try the master branch without changes and without filters, I get a lot of warnings like these (I suppose they're okay):
WARN[0013] google: not including [email protected] to group xxxxx members due to incorrect status (not ACTIVE)
WARN[0013] skipping member because is a group, but group members will be included [email protected] id=xxxx
WARN[0013] google: not including [email protected] to group xxxxx members due to incorrect status SUSPENDED (not ACTIVE)
The ones that show SUSPENDED are actually from the company, and those that don't get any status are external users (as opposed to the previous log where I was using the filter and no status appeared; those emails were actually from the company).
And after a long wait, I get this again:
INFO[0597] getting state data
WARN[0597] no state file found in the state repository, creating this
WARN[0597] syncing from scim service, first time syncing
WARN[0597] reconciling the SCIM data with the Identity Provider data
INFO[0597] getting SCIM Groups
INFO[0597] [DEBUG] GET https://scim.eu-central-1.amazonaws.com/xxxxxxxx/scim/v2/Groups
WARN[0597] aws checkHTTPResponse: body: status="401 Unauthorized" statusCode=401
Error: cannot sync groups and their members: error doing the first sync: error getting groups from the SCIM service: scim: error listing groups: statusCode: 401, errCode: 401 Unauthorized, errMsg:
I don't know what else could be happening :/
Thanks a lot!
Oooooh... facepalm
I've been putting the credentials.json info into the service account access key parameter for a week -.-'
Now it works... Sorry a lot.
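The thread ends on a swapped parameter (the Google service-account key JSON supplied where the AWS SSO SCIM access token belongs), after a detour through Domain-Wide Delegation scopes. The pre-flight check below is an added example, not code from idp-scim-sync or from either participant; it assumes the four input values discussed above and the SCIM endpoint shape visible in the DEBUG log line, and the helper name PreflightConfig is hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Fields of a Google service-account JSON key that the check inspects.
type saKey struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// Shape of an AWS SSO SCIM endpoint, as in the DEBUG line of the thread.
var scimEndpointRe = regexp.MustCompile(`^https://scim\.[a-z0-9-]+\.amazonaws\.com/[A-Za-z0-9-]+/scim/v2/?$`)

// PreflightConfig (hypothetical helper, not part of idp-scim-sync) checks the four
// inputs before any network call and returns one finding per problem found.
func PreflightConfig(saFileJSON, userEmail, scimEndpoint, scimToken string) []string {
	var findings []string
	var key saKey
	if err := json.Unmarshal([]byte(saFileJSON), &key); err != nil || key.Type != "service_account" {
		findings = append(findings, "service account file is not a Google service_account key")
	} else if key.PrivateKey == "" || !strings.HasSuffix(key.ClientEmail, ".iam.gserviceaccount.com") {
		findings = append(findings, "service account key is missing client_email or private_key")
	}
	// Domain-wide delegation impersonates a Workspace admin, never the service account itself.
	if !strings.Contains(userEmail, "@") || strings.HasSuffix(userEmail, ".iam.gserviceaccount.com") {
		findings = append(findings, "gws-user-email must be a Workspace admin mailbox, not the service account")
	}
	if !scimEndpointRe.MatchString(scimEndpoint) {
		findings = append(findings, "SCIM endpoint should look like https://scim.<region>.amazonaws.com/<tenant>/scim/v2")
	}
	// The thread's root cause: the Google key JSON pasted into the SCIM access token parameter.
	if tok := strings.TrimSpace(scimToken); tok == "" || strings.HasPrefix(tok, "{") || strings.Contains(tok, "private_key") {
		findings = append(findings, "SCIM access token is empty or looks like a JSON key, not the AWS SSO bearer token")
	}
	return findings
}

func main() {
	// Constructed sample reproducing the misconfiguration from the thread: key JSON used as SCIM token.
	key := `{"type":"service_account","client_email":"sync@example.iam.gserviceaccount.com","private_key":"REDACTED"}`
	for _, f := range PreflightConfig(key, "admin@example.com", "https://scim.eu-central-1.amazonaws.com/tenant-id/scim/v2", key) {
		fmt.Println("finding:", f)
	}
}
```

Running it against a real deployment means feeding the contents of the service-account file and the SCIM token value exactly as idp-scim-sync would receive them (file, flag or secret), so a swapped parameter is caught before the first 401.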