
I am trying to create a user in AWS Identity Center using create-user (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/identitystore/create-user.html).

```bash
# Variable expansions inside the JSON are double-quoted so that names or
# addresses containing spaces are not word-split by the shell.
aws identitystore create-user \
    --identity-store-id "${IDENTITY_STORE_INSTANCE_ID}" \
    --user-name "${USERNAME}" \
    --name '{ "FamilyName": "'"${LAST_NAME}"'", "GivenName": "'"${FIRST_NAME}"'" }' \
    --display-name "${DISPLAY_NAME}" \
    --emails '[{ "Value": "'"${EMAIL}"'", "Primary": true }]'
```

The user is successfully created, but somehow the password part is missing, i.e. I can't set an option for how to create the password. Also, no invitation email is sent to the user.

So I looked at the process in the portal by checking the API calls, and there are two attributes I can't find anywhere in the CLI or the API reference (https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_CreateUser.html): Active and, probably more important, PasswordMode:

```json
{
    "IdentityStoreId": "xxx",
    "UserName": "xxx",
    "UserAttributes": {
        "emails": {
            "ComplexListValue": [
                {
                    "value": {
                        "StringValue": "xxx@xxx.de"
                    },
                    "type": {
                        "StringValue": "work"
                    },
                    "primary": {
                        "BooleanValue": true
                    }
                }
            ]
        },
        "name": {
            "ComplexValue": {
                "givenName": {
                    "StringValue": "xxx"
                },
                "familyName": {
                    "StringValue": "xxx"
                }
            }
        },
        "displayName": {
            "StringValue": "xxx"
        }
    },
    "Active": true,
    "PasswordMode": "EMAIL"
}
```

How can I then create a user, including password and invitation, using AWS CLI v2?

quervernetzt
  • You cannot create passwords for new users; you can only change that using the CLI and AWS IdentityStore – Piyush Patil Aug 23 '23 at 19:06
  • @PiyushPatil Thanks for your response. So how can I then create a new user with an invitation to the user (where the user can then set their password) programmatically? Obviously it works via the portal ("Send an email to this user with password setup instructions."), where they also interact with the API, and there are the two attributes and an invitation email is sent. – quervernetzt Aug 23 '23 at 19:09
  • I think the Console operation is an undocumented API. If you look in CloudTrail, you'll see an event `UpdatePassword` for service `sso-directory.amazonaws.com`, with request parameters `userId` and `passwordMode`. Googling for combinations of these items doesn't turn up anything for me. The Directory Service API has [ResetUserPassword](https://docs.aws.amazon.com/directoryservice/latest/devguide/API_ResetUserPassword.html), but that's definitely not what's being called here. – kdgregory Aug 23 '23 at 21:36
  • My guess is that they assume most "production" organizations will either use an existing Microsoft Active Directory service, or some third-party identity provider, and both of these options have their own way to trigger password resets. But only a member of the AWS SSO or SimpleAD team could answer that for sure. – kdgregory Aug 23 '23 at 21:38
  • As an additional data point, the document [IAM Identity Center information in CloudTrail](https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html) has the `UpdatePassword` operation listed as a valid CloudTrail event, but does not show a corresponding public API operation. – kdgregory Aug 23 '23 at 21:41
