Logging IAM Identity Center SCIM API calls using Amazon CloudTrail - Amazon IAM Identity Center


Logging IAM Identity Center SCIM API calls using Amazon CloudTrail

IAM Identity Center SCIM is integrated with Amazon CloudTrail, a service that provides a record of actions taken by a user, role, or Amazon Web Services service. CloudTrail captures SCIM API calls as events. Using the information collected by CloudTrail, you can determine the request that was made, the date and time of the request, the request parameters, and so on. To learn more about CloudTrail, see the Amazon CloudTrail User Guide.

Note

CloudTrail is enabled on your Amazon Web Services account when you create the account. However, if your access token was created before September 2024, you might need to rotate the access token to see events from SCIM.

For more information, see Rotate access tokens.

SCIM supports logging the following actions as CloudTrail events:

Example CloudTrail events

The following examples show typical CloudTrail event logs generated during SCIM operations with IAM Identity Center. They show the structure and content of events for a successful operation and for common error scenarios, to help you interpret CloudTrail logs when troubleshooting SCIM configuration issues.

Successful CreateUser operation

This CloudTrail event shows a successful CreateUser operation performed through the SCIM API. The event captures the request parameters (with sensitive values redacted) and the response elements, including the ID of the newly created user. Events of this kind are generated when an identity provider successfully provisions a new user to IAM Identity Center over the SCIM protocol.

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "WebIdentityUser",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "name": {
        "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
        "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
      },
      "active": true,
      "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": {
    "meta": {
      "created": "Oct 10, 2024, 1:23:45 PM",
      "lastModified": "Oct 10, 2024, 1:23:45 PM",
      "resourceType": "User"
    },
    "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS",
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "name": {
      "familyName": "HIDDEN_DUE_TO_SECURITY_REASONS",
      "givenName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "active": true,
    "id": "c4488478-a0e1-700e-3d75-96c6bb641596",
    "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"
  },
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

Failed PatchGroup operation: missing required path attribute

This CloudTrail event shows a failed PatchGroup operation that resulted in a ValidationException with the error message "Missing path in PATCH request". This error occurs because a PATCH operation requires a path attribute that specifies which group attribute to modify, but that attribute was missing from the request.

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "Missing path in PATCH request",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REMOVE",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

Failed CreateGroup operation: group name already exists

This CloudTrail event shows a failed CreateGroup operation that resulted in a ConflictException with the error message "Duplicate GroupDisplayName". This error occurs when an attempt is made to create a group whose display name already exists in IAM Identity Center. The identity provider must use a unique group name, or update the existing group instead of creating a new one.

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "CreateGroup",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ConflictException",
  "errorMessage": "Duplicate GroupDisplayName",
  "requestParameters": {
    "httpBody": {
      "displayName": "HIDDEN_DUE_TO_SECURITY_REASONS"
    },
    "tenantId": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}

Failed PatchUser operation: multiple email addresses not supported

This CloudTrail event shows a failed PatchUser operation that resulted in a ValidationException with the error message "List attribute emails exceeds allowed limit of 1". This error occurs when an attempt is made to assign more than one email address to a user, because IAM Identity Center supports only one email address per user. The identity provider must configure its SCIM attribute mappings so that only one email address is sent for each user.

{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "Unknown",
    "accountId": "123456789012",
    "accessKeyId": "xxxx"
  },
  "eventTime": "xxxx",
  "eventSource": "identitystore-scim.amazonaws.com",
  "eventName": "PatchUser",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "userAgent": "Go-http-client/2.0",
  "errorCode": "ValidationException",
  "errorMessage": "List attribute emails exceeds allowed limit of 1",
  "requestParameters": {
    "httpBody": {
      "operations": [
        {
          "op": "REPLACE",
          "path": "emails",
          "value": "HIDDEN_DUE_TO_SECURITY_REASONS"
        }
      ],
      "schemas": [
        "HIDDEN_DUE_TO_SECURITY_REASONS"
      ]
    },
    "tenantId": "xxxx",
    "id": "xxxx"
  },
  "responseElements": null,
  "requestID": "xxxx",
  "eventID": "xxxx",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management",
  "tlsDetails": {
    "clientProvidedHostHeader": "scim.us-east-1.amazonaws.com"
  }
}
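As an added example (not code from the AWS documentation), the following Python reads a CloudTrail log file of the shape shown above, keeps only the identitystore-scim.amazonaws.com events, and summarises successes, failures by error code and message, and PATCH operations that carry no path. The sample records are constructed to mirror the four events on this page, plus one non-SCIM event to show the filter.

```python
import json
from collections import Counter

SCIM_SOURCE = "identitystore-scim.amazonaws.com"

# Constructed sample records shaped like the events on this page (placeholder
# values, not real data); a CloudTrail log file wraps them in {"Records": [...]}.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": SCIM_SOURCE, "eventName": "CreateUser",
     "responseElements": {"id": "c4488478-a0e1-700e-3d75-96c6bb641596"}},
    {"eventSource": SCIM_SOURCE, "eventName": "PatchGroup",
     "errorCode": "ValidationException", "errorMessage": "Missing path in PATCH request",
     "requestParameters": {"httpBody": {"operations": [{"op": "REMOVE", "value": "x"}]}}},
    {"eventSource": SCIM_SOURCE, "eventName": "CreateGroup",
     "errorCode": "ConflictException", "errorMessage": "Duplicate GroupDisplayName"},
    {"eventSource": SCIM_SOURCE, "eventName": "PatchUser",
     "errorCode": "ValidationException",
     "errorMessage": "List attribute emails exceeds allowed limit of 1",
     "requestParameters": {"httpBody": {"operations": [
         {"op": "REPLACE", "path": "emails", "value": "x"}]}}},
    # A non-SCIM event, to show that the eventSource filter drops it.
    {"eventSource": "sso.amazonaws.com", "eventName": "ListInstances"},
]})


def load_records(log_text):
    """Parse one CloudTrail log file and return its Records list."""
    return json.loads(log_text).get("Records", [])


def triage_scim_events(records):
    """Count successful and failed SCIM calls per eventName (failures keyed by
    errorCode and errorMessage) and list PATCH operations that carry no path,
    the cause of the 'Missing path in PATCH request' event shown above."""
    summary = {"ok": Counter(), "failed": Counter(), "patch_without_path": []}
    for rec in records:
        if rec.get("eventSource") != SCIM_SOURCE:
            continue
        name = rec.get("eventName")
        if "errorCode" in rec:
            summary["failed"][(name, rec["errorCode"], rec.get("errorMessage"))] += 1
        else:
            summary["ok"][name] += 1
        body = rec.get("requestParameters", {}).get("httpBody", {})
        for op in body.get("operations", []):
            if "path" not in op:
                summary["patch_without_path"].append((name, op.get("op")))
    return summary
```

Note that the failed events above carry userIdentity.type "Unknown" while the successful one carries "WebIdentityUser", so a spike in the failed counter is also worth correlating with access token rotation (see the note at the top of this page).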

Common SCIM API validation errors in IAM Identity Center

When you use the SCIM API with IAM Identity Center, the following validation error messages commonly appear in CloudTrail events. These validation errors typically occur during user and group provisioning operations.

For detailed guidance on resolving these errors and configuring SCIM correctly, see this Amazon Web Services re:Post article.

  • List attribute email exceeds allowed limit of 1

  • List attribute addresses allowed limit of 1

  • 1 validation errors detected: Value at 'name.familyName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+

  • 2 validation errors detected: Value at 'name.familyName' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'name.familyName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+

  • 2 validation errors detected: Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must have length greater than or equal to 1; Value at 'urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.manager.value' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\t\\n\\r ]+

  • JSON from RequestBody

  • Invalid Filter format
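The rules behind the PatchGroup and PatchUser failures above and the validation messages in this list (a path on every PATCH operation, at most one value in emails and addresses, and a non-empty name.familyName matching [\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+) can be checked on the identity-provider side before a request is sent, so that the failure is caught in the provisioning pipeline rather than discovered in CloudTrail. This added Python example is not part of the AWS documentation; the function names are my own, and because Python's re module has no \p{...} classes, the pattern is implemented with unicodedata categories (L, M, S, N, P) plus the four listed whitespace characters.

```python
import unicodedata

# Rules this page reports IAM Identity Center enforcing: the list attributes
# emails and addresses hold at most one value, name.familyName must be
# non-empty and match [\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+, and each PATCH
# operation needs a path. Python's re has no \p{...}, so the character class
# is checked with unicodedata categories instead.
SINGLE_VALUE_LISTS = ("emails", "addresses")
ALLOWED_WHITESPACE = "\t\n\r "


def matches_name_pattern(value):
    """True if value is non-empty and every character is in a Unicode L, M, S,
    N or P category or is one of the four whitespace characters the pattern allows."""
    return len(value) >= 1 and all(
        ch in ALLOWED_WHITESPACE or unicodedata.category(ch)[0] in "LMSNP"
        for ch in value)


def validate_user_body(body):
    """Return rule violations for a SCIM User create/replace body."""
    problems = []
    for attr in SINGLE_VALUE_LISTS:
        if len(body.get(attr, [])) > 1:
            problems.append(f"List attribute {attr} exceeds allowed limit of 1")
    family = body.get("name", {}).get("familyName")
    if family is not None and not matches_name_pattern(family):
        problems.append("name.familyName is empty or contains a disallowed character")
    return problems


def validate_patch_body(body):
    """Return rule violations for a SCIM PatchOp body. RFC 7644 spells the key
    'Operations'; the CloudTrail events above show it lower-cased, so accept both."""
    problems = []
    for i, op in enumerate(body.get("Operations", body.get("operations", []))):
        if "path" not in op:
            problems.append(f"operation {i} ({op.get('op')}): missing path")
        elif (op["path"] in SINGLE_VALUE_LISTS and isinstance(op.get("value"), list)
              and len(op["value"]) > 1):
            problems.append(f"operation {i}: {op['path']} exceeds allowed limit of 1")
    return problems
```

The category check is stricter than a plain printable test: a NUL byte (category Cc) and a no-break space (category Zs) are both rejected, which matches the pattern's explicit whitespace list.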