
aws sso list-accounts --access-token "${access_token}" doesn't show accounts that are assigned via a Group #8837

Closed
evanstucker-hates-2fa opened this issue Aug 2, 2024 · 9 comments
Assignees
Labels
bug This issue is a bug. closing-soon This issue will automatically close in 4 days unless further comments are made. p2 This is a standard priority issue service-api This issue is due to a problem in a service API, not the SDK implementation. sso

Comments

@evanstucker-hates-2fa

Describe the bug

aws sso list-accounts --access-token "${access_token}" doesn't show accounts that are assigned via a Group. It only shows accounts that are assigned via a User. For example, if IAM Identity Center user "evans" is part of the "admins" group, and the "prod" AWS account has the "admins" group assigned to it with permission set "AdministratorAccess", this command won't show the "prod" account.

Expected Behavior

aws sso list-accounts --access-token "${access_token}" should show all accounts that the user is assigned to, whether the assignment is via User or Group.

Current Behavior

aws sso list-accounts --access-token "${access_token}" only shows accounts that have the User assigned to them. If you put the User in a Group, and then assign the Group to an account, that account won't show up in the output of this command.

Reproduction Steps

Add an IAM Identity Center User to a Group. Assign the Group to an AWS account with a permission set. Run aws sso list-accounts --access-token "${access_token}". Note that the AWS account that the user has access to via a group does not show up in the output.

Possible Solution

No response

Additional Information/Context

No response

CLI version used

aws-cli/2.17.19 Python/3.12.4 Linux/6.10.2-arch1-1 source/x86_64.arch

Environment details (OS name and version, etc.)

I use Arch BTW, hehe. aws-cli/2.17.19 Python/3.12.4 Linux/6.10.2-arch1-1 source/x86_64.arch

@evanstucker-hates-2fa evanstucker-hates-2fa added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 2, 2024
@tim-finnigan tim-finnigan self-assigned this Aug 2, 2024
@tim-finnigan tim-finnigan added the investigating This issue is being investigated and/or work is in progress to resolve the issue. label Aug 2, 2024
@tim-finnigan
Contributor

Thanks for reaching out. The CLI list-accounts command makes a call to the ListAccounts API. Therefore requests to change the API response would need to get rerouted to the service team.

But in this case I wonder if one of the identitystore commands would meet your use case: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/identitystore/index.html. There are several commands involving groups that may help with what you're trying to do. Can you confirm?

@tim-finnigan tim-finnigan added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. sso and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. needs-triage This issue or PR still needs to be triaged. labels Aug 2, 2024

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Aug 12, 2024
@evanstucker-hates-2fa
Author

Under aws sso list-accounts help it says:

DESCRIPTION
       Lists all AWS accounts assigned to the user. These AWS accounts are
       assigned by the administrator of the account. For more information, see
       Assign User Access <https://docs.aws.amazon.com/singlesignon/latest/userguide/useraccess.html#assignusers>
       in the IAM Identity Center User Guide. This operation returns a
       paginated response.

but this command doesn't list all AWS accounts assigned to a user. It fails to list accounts assigned to the user via the user's group. This is definitely a bug that still needs to be fixed...

I looked at the identitystore commands and none of them outputs accounts. I need a list of accounts that a user has access to...

Will you please re-open this issue?

@tim-finnigan tim-finnigan reopened this Aug 26, 2024
@tim-finnigan
Contributor

tim-finnigan commented Aug 26, 2024

Is the aws sso-admin list-account-assignments-for-principal command what you're looking for? https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sso-admin/list-account-assignments-for-principal.html

You can specify GROUP for --principal-type to get a list of the IAM Identity Center associated AWS accounts that the principal has access to.

@tim-finnigan tim-finnigan added service-api This issue is due to a problem in a service API, not the SDK implementation. p2 This is a standard priority issue and removed closed-for-staleness labels Aug 26, 2024
@evanstucker-hates-2fa
Author

I don't think that one will work. It seems to need higher privileges to run, and I want regular users to be able to show the list of accounts that they have access to.

$ aws sso-admin list-account-assignments-for-principal --instance-arn arn:aws:sso:::instance/ssoins-REDACTED --principal-id dREDACTED --principal-type USER

An error occurred (AccessDeniedException) when calling the ListAccountAssignmentsForPrincipal operation: User: arn:aws:sts::REDACTED:assumed-role/AWSReservedSSO_AdministratorAccess_REDACTED/evans is not authorized to perform: sso:ListAccountAssignmentsForPrincipal on resource: arn:aws:sso:::instance/ssoins-REDACTED because no resource-based policy allows the sso:ListAccountAssignmentsForPrincipal action

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 26, 2024
@tim-finnigan
Contributor

Thanks for following up. We heard back from the Identity Center team regarding this issue, and they noted that currently Identity Center will cache group memberships for up to 1 hour, so adding users to a group will not immediately grant access to permission sets/applications, unless the user logs out/back in. The Identity Center team plans to remove this cache restriction in the future so that logging out/in again won't be necessary.

@tim-finnigan tim-finnigan added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Aug 26, 2024
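An added example (not code from the issue author or from the AWS CLI project) showing how an administrator can compute the full set of accounts a user can reach, using the two APIs named in this thread: identitystore ListGroupMembershipsForMember to find the user's groups, then sso-admin ListAccountAssignmentsForPrincipal for the USER principal and for each GROUP principal, unioned. It assumes boto3 clients with permission to call those operations (the client objects are passed in so the merge logic can be exercised with stand-ins), and the function names `group_ids_for_user`, `assignments_for_principal` and `effective_access` are this example's own.

```python
"""Effective IAM Identity Center account access for one user, computed on the
administrator side.  Added example; not the issue author's or the AWS CLI
project's code.  Assumes boto3 clients for `identitystore` and `sso-admin`
with permission to call the two APIs named in the thread; clients are passed
in so the merge logic can also run against stand-ins."""
from typing import Dict, Set, Tuple

Assignment = Tuple[str, str]  # (AccountId, PermissionSetArn)


def group_ids_for_user(identitystore, identity_store_id: str, user_id: str) -> Set[str]:
    """identitystore ListGroupMembershipsForMember -> every GroupId for the user."""
    groups: Set[str] = set()
    pages = identitystore.get_paginator("list_group_memberships_for_member").paginate(
        IdentityStoreId=identity_store_id, MemberId={"UserId": user_id})
    for page in pages:
        groups.update(m["GroupId"] for m in page.get("GroupMemberships", []))
    return groups


def assignments_for_principal(sso_admin, instance_arn: str, principal_id: str,
                              principal_type: str) -> Set[Assignment]:
    """sso-admin ListAccountAssignmentsForPrincipal for one USER or GROUP principal."""
    found: Set[Assignment] = set()
    pages = sso_admin.get_paginator("list_account_assignments_for_principal").paginate(
        InstanceArn=instance_arn, PrincipalId=principal_id, PrincipalType=principal_type)
    for page in pages:
        found.update((a["AccountId"], a["PermissionSetArn"])
                     for a in page.get("AccountAssignments", []))
    return found


def effective_access(identitystore, sso_admin, identity_store_id: str,
                     instance_arn: str, user_id: str) -> Dict[str, Set[str]]:
    """AccountId -> permission-set ARNs reachable directly (USER) or via any GROUP.

    This is the authoritative view of what `aws sso list-accounts` should show for
    the user's own session; per the thread, that session can lag by up to an hour
    because group membership is cached until the user re-authenticates."""
    merged = assignments_for_principal(sso_admin, instance_arn, user_id, "USER")
    for group_id in group_ids_for_user(identitystore, identity_store_id, user_id):
        merged |= assignments_for_principal(sso_admin, instance_arn, group_id, "GROUP")
    by_account: Dict[str, Set[str]] = {}
    for account_id, permission_set in merged:
        by_account.setdefault(account_id, set()).add(permission_set)
    return by_account
```

Comparing this admin-side result with what the user's own `aws sso list-accounts` returns is a direct way to tell a genuine assignment gap from the membership-cache lag described in the comment above.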
@evanstucker-hates-2fa
Author

evanstucker-hates-2fa commented Aug 26, 2024

Oh... hey... yeah, look at that. The test I created this morning is working now!

I'm closing this issue.

I'll make a note in my documentation to have people wait and/or re-authenticate to get group-based access to work correctly.


This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

@Bernstern

Thanks for following up. We heard back from the Identity Center team regarding this issue, and they noted that currently Identity Center will cache group memberships for up to 1 hour, so adding users to a group will not immediately grant access to permission sets/applications, unless the user logs out/back in. The Identity Center team plans to remove this cache restriction in the future so that logging out/in again won't be necessary.

Hi @tim-finnigan, I am in the process of setting up a temporary access system managed through group membership in our IDP and am starting to see this behavior. I wanted to see if there were any updates w.r.t. this caching / new workarounds.
