Existing linux users removed when syncing groups

[laroo]

I've setup keymaker on a AWS EC2 instance with official Ubuntu 14.04.5 LTS AMI and created a IAM group with AWS CLI:

$ aws iam create-group --path "/keymaker/" --group-name keymaker_sudo

When manually syncing the groups with keymaker sync_groups I noticed:

Removing user ubuntu from group sudo

Keymaker did add the IAM user to the sudo group but removed the main user ubuntu! Is it possible to keep existing linux users in the group and remove only IAM users that are not in the attached to the group?

For now i solved it by adding the user ubuntu to IAM (without any keys/rights/policies) and attached it to the group keymaker_sudo. This won't delete this user from the sudo group

[kislyuk]

Thanks for reporting. Yes, we need to add a check whenever removing users from groups that either the user or the group is under keymaker management (e.g. by checking that the user's PID is in the keymaker assignable range).

[kislyuk]

It turns out this was plainly a bug - I already had the check in place when adding users to groups, but not when removing. I will roll a release shortly.