ssosync deletes Control Tower groups #88
Comments
So let's work through the two points: It may be possible to add one of the following features: The second point: However, there are some challenges with SCIM, not least of which is inconsistencies in implementation, which means that interoperability is not assured. Both Google and AWS are members of the working group seeking to improve this (apologies, I don't have the details to hand).
@ChrisPates I appreciate the reply. I don't understand what you're trying to convey above. Let's start with this: Do you agree that there is no circumstance in which ssosync should delete AWS Control Tower groups? If yes, then it should be straightforward to implement an ignore list as you propose, and that it includes the above list at least by default. (In fact, I've done this in a private branch, but my Go is poor.)
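One way to express the ignore list proposed above, as an added example in Go that is not ssosync's own code: the deletion step of a one-way sync keeps every Identity Center group still present in Google, then checks an ignore list before anything is removed. `Group` and `IgnoreList` are hypothetical types, the prefix matching is an assumption added here on top of the exact-name list, and the sample group names are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Group is the minimal shape this example needs, not ssosync's own type.
type Group struct{ ID, DisplayName string }
// IgnoreList names groups the sync must never delete: exact names plus
// name prefixes for groups created by the platform rather than the sync.
type IgnoreList struct {
	Names    map[string]bool
	Prefixes []string
}

// Protected reports whether the ignore list covers a group name.
func (il IgnoreList) Protected(name string) bool {
	for _, p := range il.Prefixes {
		if strings.HasPrefix(name, p) {
			return true
		}
	}
	return il.Names[name]
}

// GroupsToDelete is the deletion step of a one-way sync: Identity Center groups
// absent from Google are candidates, but the ignore list is checked first.
func GroupsToDelete(idc, google []Group, il IgnoreList) (toDelete, skipped []Group) {
	inGoogle := map[string]bool{}
	for _, g := range google {
		inGoogle[g.DisplayName] = true
	}
	for _, g := range idc {
		switch {
		case inGoogle[g.DisplayName]: // still present upstream, keep it
		case il.Protected(g.DisplayName):
			skipped = append(skipped, g) // returned so the caller can log it
		default:
			toDelete = append(toDelete, g)
		}
	}
	return toDelete, skipped
}

func main() {
	// Constructed sample data: placeholder names, not real Control Tower group names.
	idc := []Group{{"1", "engineering"}, {"2", "old-team"}, {"3", "PlatformAdmins"}, {"4", "platform-auditors"}}
	il := IgnoreList{Names: map[string]bool{"PlatformAdmins": true}, Prefixes: []string{"platform-"}}
	del, skip := GroupsToDelete(idc, []Group{{"g1", "engineering"}}, il)
	fmt.Println("delete:", del, "skipped:", skip)
}
```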
Is anyone reviewing the above PR?
We will be but current activity is:
Once these are out of the way we can hopefully get on top of the PR queue.
This item has been merged into a more complete feature request, Configurable handling of 'manually created' Users/Groups in IAM Identity Center #179; please review and provide feedback on that item.
Describe the bug
A recent run of ssosync deleted a bunch of Control Tower accounts. I don't know why this didn't happen in prior runs. (Perhaps they were added in a recent Control Tower release?)
To Reproduce
Steps to reproduce the behavior:
Expected behavior
While I'm aware that ssosync will delete groups that don't exist in Google, ssosync should never delete groups or accounts that are created by Control Tower (or otherwise part of AWS administration). I have filed this as a bug because, in my opinion, this is a serious deviation from expectations.
Additional context
The current experience for using Google as an identity provider for AWS is pretty poor. This command line tool should not be needed at all. I expect more from AWS, and I think it is in AWS's best interests to provide production-grade SSO integration with Google.