GAM
Exception printing custom schemas if multivalue type is not set
- I have upgraded to the latest GAM release from https://github.com/GAM-team/GAM/releases and I still have this issue.
- I am typing the command as described in the GAM Wiki at https://github.com/jay0lee/gam/wiki
Full steps to reproduce the issue:
- Create a user some.user with a custom schema (and somehow not set type: work?)
- Run gam info user some.user
Expected outcome (what are you trying to do?):
Get user info with custom schema
Actual outcome (what errors or bad behavior do you see instead?):
gam info user some.user
User: [email protected]
First Name: Some
Last Name: User
...
Custom Schemas:
Schema: AutoProvSFAttribs
SFEntitlements:
type: work
value: 00e2o000001d99U
Schema: AWS_SAML
role:
Traceback (most recent call last):
File "gam/__main__.py", line 49, in <module>
File "gam/__main__.py", line 44, in main
File "gam/__init__.py", line 11504, in ProcessGAMCommand
File "gam/__init__.py", line 9045, in doGetUserInfo
KeyError: 'type'
[32043] Failed to execute script '__main__' due to unhandled exception!
I don't know how I managed to create user custom schema multivalue data without a type, but somehow I did (or maybe GAM is dropping the type?) and I was unable to retrieve user info for those users without passing noschemas or schemas X,Y where the problematic AWS_SAML schema was omitted.
Alexander,
Please show the schema: gam info schema AWS_SAML
Ross
On May 2, 2022, at 8:51 AM, Alexander Dupuy @.***> wrote:
I submitted PR #1520 to handle this case. You can set a multivalued field to have no type. Google seems to change the type to work in the background but I haven't completely figured out the conditions under which it happens.
Yes, it seems to have been a race condition; I was seeing it when I added a prior call to gam print user query email:$USER before issuing the update.
I don't have access to the schema myself:
ERROR: 403: Not Authorized to access this resource/api - forbidden
but this is a pretty much standard schema used when you use Google SSO as the identity provider for AWS logins, and the whole thing is described in detail in an AWS blog post.
Here's an example output from gam info user (with identifying details obscured):
Schema: AWS_SAML
role:
type: work
value: arn:aws:iam::999999999999:role/users/some-role,arn:aws:iam::999999999999:saml-provider/google
type: work
value: arn:aws:iam::999999999999:role/users/another-role,arn:aws:iam::999999999999:saml-provider/google
session-duration: 3600
One thing to note is that the Google background refresh was somehow bollixed by the race condition I created, and the type was never updated. I had to clear the attribute entirely with gam update user clearschema AWS_SAML.role and then update it with the correct value again to clear the problem.
It might be worth adding a warning when this happens and work is returned instead, since the null type state could cause problems for other applications using the Google Workspace API that don't also have a workaround for this case.