Search code examples
amazon-web-servicesaws-cli

Change username for user on AWS IAM Identity Center (AWS SSO)

I'm trying to rename the username of an existing user in the AWS IAM Identity Center (formally AWS Single Sign-On). I know it's not possible to change the usernames in the AWS Console as the field is not editable but the documentation suggests it's possible using the CLI (or API). I've tried the following via the CLI without much success:

 aws identitystore update-user --cli-input-json file://input.json

input.json

{
  "IdentityStoreId": [id],
  "UserId": [uid],
  "Operations": [
    {
      "AttributePath": "UserName",
      "AttributeValue": "new-username"
    }
  ]
}

The following error message is returned:

An error occurred (ValidationException) when calling the UpdateUser operation: Updates for AttributePath: UserName is not supported

I've described the existing user using:

aws identitystore describe-user --identity-store-id [id] --user-id [uid]

And this is returned:

{
    "UserName": "existing-username",
    "UserId": [uid],
    ...
}

As far as I can see, the attribute path is correct so I'm unsure why this doesn't work. I could not find any information about this being unsupported.

Solution

  • After some trial an error I've managed to find a solution, the documentation is quite poor.

    The following request was successful, the attribute name needed to be userName in camel-case to work.

    input.json

    {
  "IdentityStoreId": [id],
  "UserId": [uid],
  "Operations": [
    {
      "AttributePath": "userName",
      "AttributeValue": "new-username"
    }
  ]
}

    As mentioned in the question, describe-user returns the attribute as UserName:

    {
    "UserName": "existing-username",
    "UserId": [uid],
    ...
}

    In the AWS console, the attribute is Username:

    AWS Console

    In the API documentation (https://docs.aws.amazon.com/singlesignon/latest/IdentityStoreAPIReference/API_User.html), the attribute is UserName:

    API Documentation