oci-cli
oci iam user update cannot set email that is previously empty
If a new user does not have an email already set at creation, it appears impossible to add one later.
- check user properties
```
$ oci iam user get --user-id ocid1.user.oc1..aaaaaaaao.......
{
  "data": {
    "capabilities": {
      "can-use-api-keys": true,
      "can-use-auth-tokens": true,
      "can-use-console-password": true,
      "can-use-customer-secret-keys": true,
      "can-use-db-credentials": true,
      "can-use-o-auth2-client-credentials": true,
      "can-use-smtp-credentials": true
    },
    "compartment-id": "ocid1.tenancy.oc1.....",
    "db-user-name": null,
    "defined-tags": {
      "Oracle-Tags": {
        "CreatedBy": "default/dch@...",
        "CreatedOn": "2024-04-30T10:10:17.233Z"
      }
    },
    "description": "doge",
    "email": null, <--------------------- problem
    "email-verified": false,
    "external-identifier": "026c4b4fa9c44b53a757117bbd8a0997",
    "freeform-tags": {},
    "id": "ocid1.user.oc1...........",
    "identity-provider-id": null,
    "inactive-status": null,
    "is-mfa-activated": false,
    "last-successful-login-time": null,
    "lifecycle-state": "ACTIVE",
    "name": "dch...",
    "previous-successful-login-time": null,
    "time-created": "2024-04-30T10:10:17.299000+00:00"
  },
  "etag": "d8797afa54604bc290634901c309f108"
}
```
- now try to set it
```
$ oci iam user update --force --user-id ocid1.user.oc1..... --email dch@...
ServiceError:
{
  "client_version": "Oracle-PythonSDK/2.126.0, Oracle-PythonCLI/3.40.0",
  "code": "IdcsConversionError",
  "logging_tips": "Please run the OCI CLI command using --debug flag to find more debug information.",
  "message": "PATCH request failed{\"schemas\":[\"urn:ietf:params:scim:api:messages:2.0:Error\",\"urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error\"],\"detail\":\"The target path \\\"emails[type eq \\\"work\\\"]\\\" specified in the PATCH operation does not exist.\",\"status\":\"400\",\"urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error\":{\"messageId\":\"error.common.manager.targetAttrNotExists\"}}",
  "opc-request-id": "282B2FC6A86D49F081F50D98648C9FE9/EFACB4476350E30B36D49F7B368690A3/DCFB753987232C948894CC16FA042525",
  "operation_name": "update_user",
  "request_endpoint": "PUT https://identity.....oci.oraclecloud.com/20160918/users/ocid1.user.oc1.....",
  "status": 400,
  "target_service": "identity",
  "timestamp": "2024-04-30T11:06:15.883402+00:00",
  "troubleshooting_tips": "See [https://docs.oracle.com/iaas/Content/API/References/apierrors.htm] for more information about resolving this error. If you are unable to resolve this issue, run this CLI command with --debug option and contact Oracle support and provide them the full error message."
}
```
One potential solution to this is to prevent the API from adding users without an email address. I have not found a way to activate a user without the email address, so if this is necessary, it should be made mandatory.
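
An added example, not part of the original report or of oci-cli: a Python helper that extracts the SCIM error embedded in the `message` field of the ServiceError above, and lists accounts whose `email` is null in `oci iam user list --all` output so affected users can be found before an update is attempted. The function names and the user listing are constructed for illustration; the message text is the one from the report after the outer JSON is decoded.

```python
import json

# Constructed sample in the shape of `oci iam user list --all` output (values invented).
SAMPLE_USERS = {"data": [
    {"name": "alice", "email": "alice@example.com", "lifecycle-state": "ACTIVE"},
    {"name": "svc-backup", "email": None, "lifecycle-state": "ACTIVE"},
]}

# The ServiceError "message" value from the report, with the outer JSON escaping removed.
SAMPLE_MESSAGE = (
    r'PATCH request failed{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error",'
    r'"urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"],'
    r'"detail":"The target path \"emails[type eq \"work\"]\" specified in the '
    r'PATCH operation does not exist.","status":"400",'
    r'"urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error":'
    r'{"messageId":"error.common.manager.targetAttrNotExists"}}'
)

IDCS_EXT = "urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"


def summarize(message):
    """Return status, detail and messageId of the SCIM error embedded after
    the free-text prefix of a ServiceError message, or None if there is none."""
    start = message.find("{")
    if start < 0:
        return None
    try:
        err = json.loads(message[start:])
    except json.JSONDecodeError:
        return None
    return {
        "status": err.get("status"),
        "detail": err.get("detail"),
        "message_id": err.get(IDCS_EXT, {}).get("messageId"),
    }


def users_without_email(listing):
    """Names of users whose email is null or empty in a user listing."""
    return [u["name"] for u in listing.get("data", []) if not u.get("email")]


if __name__ == "__main__":
    print(summarize(SAMPLE_MESSAGE))
    print(users_without_email(SAMPLE_USERS))
```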