Error when attempting to delete Identity Store group
jferris opened this issue
Joe Ferris commented
I'm running the Lambda from the Serverless Application Repository. It attempts to delete one of the groups but fails with this message:
Notifying Lambda and mark this execution as Failure: AccessDeniedException: User: arn:aws:sts::X:assumed-role/serverlessrepo-X-ssosyn-SSOSyncFunctionRole-X/serverlessrepo-X-ssosync-go-SSOSyncFunction-X is not authorized to perform: identitystore:DeleteGroup on resource: arn:aws:identitystore::X:identitystore/d-X because no identity-based policy allows the identitystore:DeleteGroup action
I checked in IAM and confirmed that the policy does not include this action. It doesn't look like it's included in the template. I believe the DeleteGroup action needs to be added to the template and this issue would be resolved.
To Reproduce
Steps to reproduce the behavior:
- Set up a new organization using AWS Control Tower.
- Deploy the SSO sync Lambda.
- SSO sync will attempt to delete a pre-existing group.
Expected behavior
The group is successfully deleted.
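One way to express the fix described in this report, as an added example that is not part of the original issue or of the ssosync project's own template: a SAM policy statement granting the missing identitystore:DeleteGroup action, scoped to the single identity store named in the error rather than to "*". The surrounding template layout (a Policies block on the function resource, an IdentityStoreId parameter) and the group ARN format are assumptions.

```yaml
# Added example, not the project's template. Grants the SSOSyncFunction role
# the identitystore:DeleteGroup action whose absence causes the
# AccessDeniedException in the report. Template structure and the
# IdentityStoreId parameter are assumed.
Parameters:
  IdentityStoreId:
    Type: String
    Description: Identity store id from the AccessDenied error (d-X in the report)

Resources:
  SSOSyncFunction:
    Type: AWS::Serverless::Function
    Properties:
      Policies:
        - Version: '2012-10-17'
          Statement:
            - Sid: IdentityStoreDeleteGroup
              Effect: Allow
              Action:
                - identitystore:DeleteGroup   # the action missing from the role
              Resource:
                # Scope to the one identity store the sync manages; the error
                # message shows this exact ARN shape.
                - !Sub arn:${AWS::Partition}:identitystore::${AWS::AccountId}:identitystore/${IdentityStoreId}
                # Group resource ARNs carry no region or account (assumed
                # format; confirm against the IAM service authorization
                # reference for identitystore before deploying).
                - !Sub arn:${AWS::Partition}:identitystore:::group/*
```

After redeploying, a clean run should no longer log the AccessDeniedException for identitystore:DeleteGroup, and the IAM policy simulator can confirm the role is allowed the action only on the scoped identity store.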