使用 記錄 IAM Identity Center SCIM API 呼叫 AWS CloudTrail - AWS IAM Identity Center
CloudTrail 事件範例IAM Identity Center 中的常見 SCIM API 驗證錯誤

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

使用 記錄 IAM Identity Center SCIM API 呼叫 AWS CloudTrail

IAM Identity Center SCIM 已與 整合 AWS CloudTrail,此服務可提供使用者、角色或 所採取動作的記錄 AWS 服務。CloudTrail 會將 SCIM 的 API 呼叫擷取為事件。使用 CloudTrail 所收集的資訊,您可以判斷所請求動作的相關資訊、動作的日期和時間、請求參數等。若要進一步了解 CloudTrail,請參閱 AWS CloudTrail 使用者指南

注意

當您建立帳戶 AWS 帳戶 時,您的 上會啟用 CloudTrail。但是,如果您的權杖是在 2024 年 9 月之前建立的,您可能需要輪換存取權杖來查看來自 SCIM 的事件。

如需詳細資訊,請參閱輪換存取字符

SCIM 支援將下列操作記錄為 CloudTrail 中的事件:

CloudTrail 事件範例

下列範例示範使用 IAM Identity Center 在 SCIM 操作期間產生的典型 CloudTrail 事件日誌。這些範例顯示成功操作和常見錯誤案例的事件結構和內容,協助您了解如何在疑難排解 SCIM 佈建問題時解譯 CloudTrail 日誌。

操作成功 CreateUser

此 CloudTrail 事件會顯示透過 SCIM API 成功執行CreateUser的操作。事件會同時擷取請求參數 (已遮罩敏感資訊) 和回應元素,包括新建立的使用者 ID。當身分提供者成功使用 SCIM 通訊協定將新使用者佈建至 IAM Identity Center 時,就會產生此類型的事件。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "WebIdentityUser",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "schemas" : [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "name": {
        "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
      },
      "active": true,
      "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": {
    "meta" : {
      "created" : "Oct 10, 2024, 1:23:45 PM",
      "lastModified" : "Oct 10, 2024, 1:23:45 PM",
      "resourceType" : "User"
    },
    "displayName" : "HIDDEN_DUE_TO_SECURITY_REASONS",
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "name": {
      "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "active": true,  
    "id" : "c4488478-a0e1-700e-3d75-96c6bb641596",
    "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
  },
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

失敗PatchGroup的操作:缺少必要的路徑屬性

此 CloudTrail 事件會顯示失敗PatchGroup的操作,導致 ValidationException出現錯誤訊息 "Missing path in PATCH request"。發生錯誤是因為PATCH操作需要路徑屬性來指定要修改的群組屬性,但請求中缺少此屬性。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "Missing path in PATCH request",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REMOVE",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

失敗CreateGroup的操作:群組名稱已存在

此 CloudTrail 事件會顯示失敗CreateGroup的操作,導致 ConflictException出現錯誤訊息 "Duplicate GroupDisplayName"。嘗試建立顯示名稱已存在於 IAM Identity Center 的群組時,會發生此錯誤。身分提供者必須使用唯一的群組名稱或更新現有的群組,而不是建立新的群組。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ConflictException",
  "errorMessage": "Duplicate GroupDisplayName",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

失敗PatchUser的操作:不支援多個電子郵件地址

此 CloudTrail 事件會顯示失敗PatchUser的操作,導致 ValidationException出現錯誤訊息 "List attribute emails exceeds allowed limit of 1"。嘗試將多個電子郵件地址指派給使用者時發生此錯誤,因為 IAM Identity Center 每個使用者僅支援一個電子郵件地址。身分提供者必須設定 SCIM 映射,才能為每個使用者傳送單一電子郵件地址。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "List attribute emails exceeds allowed limit of 1",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REPLACE",
          "path": "emails",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

IAM Identity Center 中的常見 SCIM API 驗證錯誤

將 SCIM API 與 IAM Identity Center 搭配使用時,以下驗證錯誤訊息通常會出現在 CloudTrail 事件中。這些驗證錯誤通常發生在使用者和群組佈建操作期間。

如需解決這些錯誤並正確設定 SCIM 佈建的詳細指導,請參閱此AWS re:Post 文章

  • 清單屬性電子郵件超過允許的 1 限制

  • 列出允許的屬性地址限制為 1

  • 偵測到 1 個驗證錯誤:'*name.familyName*' 的值不符合限制:成員必須滿足規則表達式模式:【\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r 】+

  • 偵測到 2 個驗證錯誤:'name.familyName' 的值無法滿足限制條件:成員的長度必須大於或等於 1;'name.familyName' 的值無法滿足限制條件:成員必須滿足規則表達式模式:【\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r 】+

  • 偵測到 2 個驗證錯誤:'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' 的值無法滿足限制條件:成員的長度必須大於或等於 1;'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' 的值無法滿足限制條件:成員必須滿足規則表達式模式:【\\p{L}\\p{M}\\p{S}\\pN}\\p{P}\\t\\n\\r】+",

  • RequestBody 的 JSON 無效

  • 無效的篩選條件格式