使用 AWS CloudTrail记录 IAM Identity Center SCIM API 调用 - AWS IAM Identity Center
示例 CloudTrail 事件IAM Identity Center 中常见的 SCIM API 验证错误

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用 AWS CloudTrail记录 IAM Identity Center SCIM API 调用

IAM Identity Center SCIM 与 AWS CloudTrail一项服务集成,该服务提供用户、角色或角色所采取的操作的 AWS 服务记录。 CloudTrail 将 SCIM 的 API 调用捕获为事件。使用收集的信息 CloudTrail,您可以确定有关所请求操作的信息、操作的日期和时间、请求参数等。要了解更多信息 CloudTrail,请参阅AWS CloudTrail 用户指南

注意

CloudTrail 在您创建账户 AWS 账户 时已在您的账户上启用。但是,如果您的访问令牌是在 2024 年 9 月之前创建的,则可能需要轮换访问令牌才能看到来自 SCIM 的事件。

有关更多信息,请参阅 轮换访问令牌

SCIM 支持将以下操作记录为事件: CloudTrail

示例 CloudTrail 事件

以下示例演示了使用 IAM Identity Center 进行 SCIM 操作期间生成的典型 CloudTrail 事件日志。这些示例显示了成功操作和常见错误场景的事件的结构和内容,可帮助您了解在排除 SCIM 配置问题时如何解释 CloudTrail 日志。

成功的 CreateUser 操作

此 CloudTrail 事件显示通过 SCIM API 成功执行的CreateUser操作。该事件捕获了请求参数(敏感信息已脱敏)和响应元素,包括新创建用户的 ID。此类事件在身份提供者通过 SCIM 协议成功向 IAM Identity Center 配置新用户时生成。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "WebIdentityUser",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "schemas" : [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "name": {
        "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
      },
      "active": true,
      "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": {
    "meta" : {
      "created" : "Oct 10, 2024, 1:23:45 PM",
      "lastModified" : "Oct 10, 2024, 1:23:45 PM",
      "resourceType" : "User"
    },
    "displayName" : "HIDDEN_DUE_TO_SECURITY_REASONS",
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "name": {
      "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "active": true,  
    "id" : "c4488478-a0e1-700e-3d75-96c6bb641596",
    "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
  },
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

失败的 PatchGroup 操作:缺少必需的路径属性

此 CloudTrail 事件显示了导致错误消息ValidationException的失败PatchGroup操作"Missing path in PATCH request"。发生此错误是因为 PATCH 操作需要一个路径属性来指定要修改哪个组属性,但该属性在请求中缺失。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "Missing path in PATCH request",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REMOVE",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

失败的 CreateGroup 操作:组名已存在

此 CloudTrail 事件显示了导致错误消息ConflictException的失败CreateGroup操作"Duplicate GroupDisplayName"。当尝试创建显示名在 IAM Identity Center 中已存在的组时,会发生此错误。身份提供者必须使用唯一的组名,或者更新现有组而不是创建新组。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ConflictException",
  "errorMessage": "Duplicate GroupDisplayName",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

失败的 PatchUser 操作:不支持多个电子邮件地址

此 CloudTrail 事件显示了导致错误消息ValidationException的失败PatchUser操作"List attribute emails exceeds allowed limit of 1"。当尝试为用户分配多个电子邮件地址时会发生此错误,因为 IAM Identity Center 每个用户仅支持一个电子邮件地址。身份提供者必须配置 SCIM 映射,以便为每个用户仅发送一个电子邮件地址。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "List attribute emails exceeds allowed limit of 1",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REPLACE",
          "path": "emails",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

IAM Identity Center 中常见的 SCIM API 验证错误

在 IAM Identity Center 中使用 SCIM API 时,通常会在 CloudTrail 事件中出现以下验证错误消息。这些验证错误通常发生在用户和组配置操作期间。

有关解决这些错误和正确配置 SCIM 配置的详细指南,请参阅此 AWS re:Post 文章

  • List attribute email exceeds allowed limit of 1

  • List attribute addresses allowed limit of 1

  • 1 validation errors detected: Value at '*name.familyName*' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+

  • 2 validation errors detected: Value at 'name.familyName' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'name.familyName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+

  • 2 validation errors detected: Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+",

  • 来自的 JSON RequestBody

  • Invalid Filter format