使用 Amazon CloudTrail记录 IAM Identity Center SCIM API 调用 - Amazon IAM Identity Center
示例 CloudTrail 事件IAM 身份中心中常见的 SCIM API 验证错误
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用 Amazon CloudTrail记录 IAM Identity Center SCIM API 调用

IAM Identity Center SCIM 与 Amazon CloudTrail一项服务集成,该服务提供用户、角色或角色所采取的操作的 Amazon Web Services 服务记录。 CloudTrail 将 SCIM 的 API 调用捕获为事件。使用收集的信息 CloudTrail,您可以确定有关所请求操作的信息、操作的日期和时间、请求参数等。要了解更多信息 CloudTrail,请参阅《Amazon CloudTrail 用户指南》

注意

CloudTrail 在您创建账户 Amazon Web Services 账户 时已在您的账户上启用。但是,如果您的令牌是在 2024 年 9 月之前创建的,则可能需要轮换访问令牌才能查看 SCIM 中的事件。

有关更多信息,请参阅 轮换访问令牌

SCIM 支持将以下操作记录为事件: CloudTrail

示例 CloudTrail 事件

以下示例演示了使用 IAM Identity Center 进行 SCIM 操作期间生成的典型 CloudTrail 事件日志。这些示例显示了成功操作和常见错误场景的事件的结构和内容,可帮助您了解在排除 SCIM 配置问题时如何解释 CloudTrail 日志。

成功CreateUser操作

此 CloudTrail 事件显示通过 SCIM API 成功执行的CreateUser操作。该事件会捕获请求参数(屏蔽敏感信息)和响应元素,包括新创建的用户的 ID。当身份提供商使用 SCIM 协议成功将新用户配置到 IAM Identity Center 时,就会生成此类事件。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "WebIdentityUser",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "schemas" : [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "name": {
        "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
      },
      "active": true,
      "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": {
    "meta" : {
      "created" : "Oct 10, 2024, 1:23:45 PM",
      "lastModified" : "Oct 10, 2024, 1:23:45 PM",
      "resourceType" : "User"
    },
    "displayName" : "HIDDEN_DUE_TO_SECURITY_REASONS",
    "schemas" : [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "name": {
      "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "active": true,  
    "id" : "c4488478-a0e1-700e-3d75-96c6bb641596",
    "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
  },
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

PatchGroup操作失败:缺少必需的路径属性

此 CloudTrail 事件显示了导致错误消息ValidationException的失败PatchGroup操作"Missing path in PATCH request"。之所以出现错误,是因为该PATCH操作需要路径属性来指定要修改的组属性,但是请求中缺少此属性。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "Missing path in PATCH request",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REMOVE",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

CreateGroup操作失败:组名已存在

此 CloudTrail 事件显示了导致错误消息ConflictException的失败CreateGroup操作"Duplicate GroupDisplayName"。尝试使用已存在于 IAM Identity Center 中的显示名称创建群组时会发生此错误。身份提供者必须使用唯一的群组名称或更新现有群组,而不是创建新群组。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ConflictException",
  "errorMessage": "Duplicate GroupDisplayName",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

PatchUser操作失败:不支持多个电子邮件地址

此 CloudTrail 事件显示了导致错误消息ValidationException的失败PatchUser操作"List attribute emails exceeds allowed limit of 1"。尝试为用户分配多个电子邮件地址时会发生此错误,因为 IAM Identity Center 仅支持每个用户一个电子邮件地址。身份提供商必须将 SCIM 映射配置为仅为每个用户发送一个电子邮件地址。

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "List attribute emails exceeds allowed limit of 1",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REPLACE",
          "path": "emails",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

IAM 身份中心中常见的 SCIM API 验证错误

在 IAM 身份中心中使用 SCIM API 时,通常会在 CloudTrail 事件中出现以下验证错误消息。这些验证错误通常发生在用户和组置备操作期间。

有关解决这些错误和正确配置 SCIM 配置的详细指南,请参阅本Amazon Web Services re:Post 文

  • List attribute email exceeds allowed limit of 1

  • List attribute addresses allowed limit of 1

  • 1 validation errors detected: Value at '*name.familyName*' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+

  • 2 validation errors detected: Value at 'name.familyName' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'name.familyName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+

  • 2 validation errors detected: Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+",

  • 来自的 JSON RequestBody

  • Invalid Filter format