2025/12/08 - AWS SSO Identity Store - 3 updated api methods
Changes Updating AWS Identity Store APIs to support Attribute Extensions capability, with the first release adding Enterprise Attributes. This launch aligns Identity Store APIs with SCIM for enterprise attributes, reducing cases when customers are forced to use SCIM due to lack of SigV4 API support.
{'Extensions': {'string': {}}}
Creates a user within the specified identity store.
See also: AWS API Documentation
Request Syntax
client.create_user(
IdentityStoreId='string',
UserName='string',
Name={
'Formatted': 'string',
'FamilyName': 'string',
'GivenName': 'string',
'MiddleName': 'string',
'HonorificPrefix': 'string',
'HonorificSuffix': 'string'
},
DisplayName='string',
NickName='string',
ProfileUrl='string',
Emails=[
{
'Value': 'string',
'Type': 'string',
'Primary': True|False
},
],
Addresses=[
{
'StreetAddress': 'string',
'Locality': 'string',
'Region': 'string',
'PostalCode': 'string',
'Country': 'string',
'Formatted': 'string',
'Type': 'string',
'Primary': True|False
},
],
PhoneNumbers=[
{
'Value': 'string',
'Type': 'string',
'Primary': True|False
},
],
UserType='string',
Title='string',
PreferredLanguage='string',
Locale='string',
Timezone='string',
Photos=[
{
'Value': 'string',
'Type': 'string',
'Display': 'string',
'Primary': True|False
},
],
Website='string',
Birthdate='string',
Extensions={
'string': {...}|[...]|123|123.4|'string'|True|None
}
)
string
[REQUIRED]
The globally unique identifier for the identity store.
string
A unique string used to identify the user. The length limit is 128 characters. This value can consist of letters, accented characters, symbols, numbers, and punctuation. This value is specified at the time the user is created and stored as an attribute of the user object in the identity store. Administrator and AWSAdministrators are reserved names and can't be used for users or groups.
dict
An object containing the name of the user. When used in IAM Identity Center, this parameter is required.
Formatted (string) --
A string containing a formatted version of the name for display.
FamilyName (string) --
The family name of the user.
GivenName (string) --
The given name of the user.
MiddleName (string) --
The middle name of the user.
HonorificPrefix (string) --
The honorific prefix of the user. For example, "Dr."
HonorificSuffix (string) --
The honorific suffix of the user. For example, "M.D."
string
A string containing the name of the user. This value is typically formatted for display when the user is referenced. For example, "John Doe." When used in IAM Identity Center, this parameter is required.
string
A string containing an alternate name for the user.
string
A string containing a URL that might be associated with the user.
list
A list of Email objects containing email addresses associated with the user.
(dict) --
The email address associated with the user.
Value (string) --
A string containing an email address. For example, "johndoe@amazon.com."
Type (string) --
A string representing the type of address. For example, "Work."
Primary (boolean) --
A Boolean value representing whether this is the primary email address for the associated resource.
list
A list of Address objects containing addresses associated with the user.
(dict) --
The address associated with the specified user.
StreetAddress (string) --
The street of the address.
Locality (string) --
A string of the address locality.
Region (string) --
The region of the address.
PostalCode (string) --
The postal code of the address.
Country (string) --
The country of the address.
Formatted (string) --
A string containing a formatted version of the address for display.
Type (string) --
A string representing the type of address. For example, "Home."
Primary (boolean) --
A Boolean value representing whether this is the primary address for the associated resource.
list
A list of PhoneNumber objects containing phone numbers associated with the user.
(dict) --
The phone number associated with the user.
Value (string) --
A string containing a phone number. For example, "8675309" or "+1 (800) 123-4567".
Type (string) --
A string representing the type of a phone number. For example, "Mobile."
Primary (boolean) --
A Boolean value representing whether this is the primary phone number for the associated resource.
string
A string indicating the type of user. Possible values are left unspecified. The value can vary based on your specific use case.
string
A string containing the title of the user. Possible values are left unspecified. The value can vary based on your specific use case.
string
A string containing the preferred language of the user. For example, "American English" or "en-us."
string
A string containing the geographical region or location of the user.
string
A string containing the time zone of the user.
list
A list of photos associated with the user. You can add up to 3 photos per user. Each photo can include a value, type, display name, and primary designation.
(dict) --
Contains information about a user's photo. Users can have up to 3 photos, with one designated as primary. Supports common image formats, including jpg, jpeg, png, and gif.
Value (string) -- [REQUIRED]
The photo data or URL. Supported formats include jpg, jpeg, png, and gif. This field is required for all photo entries.
Type (string) --
The type of photo. This field is optional and can be used to categorize different types of photos.
Display (string) --
A human-readable description of the photo for display purposes. This optional field provides context about the photo.
Primary (boolean) --
Specifies whether this is the user's primary photo. Default value is false. Only one photo can be designated as primary per user.
string
The user's personal website or blog URL. This field allows users to provide a link to their personal or professional website.
string
The user's birthdate in YYYY-MM-DD format. This field supports standard date format for storing personal information.
dict
A map with additional attribute extensions for the user. Each map key corresponds to an extension name, while map values represent extension data in Document type (not supported by Java V1, Go V1 and older versions of the CLI). aws:identitystore:enterprise is the only supported extension name.
(string) --
(:ref:`document<document>`) --
The value of the attribute. This is a Document type. This type is not supported by Java V1, Go V1, and older versions of the CLI.
dict
Response Syntax
{
'IdentityStoreId': 'string',
'UserId': 'string'
}
Response Structure
(dict) --
IdentityStoreId (string) --
The globally unique identifier for the identity store.
UserId (string) --
The identifier of the newly created user in the identity store.
{'Extensions': ['string']}
Response {'Extensions': {'string': {}}}
Retrieves the user metadata and attributes from the UserId in an identity store.
See also: AWS API Documentation
Request Syntax
client.describe_user(
IdentityStoreId='string',
UserId='string',
Extensions=[
'string',
]
)
string
[REQUIRED]
The globally unique identifier for the identity store, such as d-1234567890. In this example, d- is a fixed prefix, and 1234567890 is a randomly generated string that contains numbers and lower case letters. This value is generated at the time that a new identity store is created.
string
[REQUIRED]
The identifier for a user in the identity store.
list
A collection of extension names indicating what extensions the service should retrieve alongside other user attributes. aws:identitystore:enterprise is the only supported extension name.
(string) --
dict
Response Syntax
{
'IdentityStoreId': 'string',
'UserId': 'string',
'UserName': 'string',
'ExternalIds': [
{
'Issuer': 'string',
'Id': 'string'
},
],
'Name': {
'Formatted': 'string',
'FamilyName': 'string',
'GivenName': 'string',
'MiddleName': 'string',
'HonorificPrefix': 'string',
'HonorificSuffix': 'string'
},
'DisplayName': 'string',
'NickName': 'string',
'ProfileUrl': 'string',
'Emails': [
{
'Value': 'string',
'Type': 'string',
'Primary': True|False
},
],
'Addresses': [
{
'StreetAddress': 'string',
'Locality': 'string',
'Region': 'string',
'PostalCode': 'string',
'Country': 'string',
'Formatted': 'string',
'Type': 'string',
'Primary': True|False
},
],
'PhoneNumbers': [
{
'Value': 'string',
'Type': 'string',
'Primary': True|False
},
],
'UserType': 'string',
'Title': 'string',
'PreferredLanguage': 'string',
'Locale': 'string',
'Timezone': 'string',
'UserStatus': 'ENABLED'|'DISABLED',
'Photos': [
{
'Value': 'string',
'Type': 'string',
'Display': 'string',
'Primary': True|False
},
],
'Website': 'string',
'Birthdate': 'string',
'CreatedAt': datetime(2015, 1, 1),
'CreatedBy': 'string',
'UpdatedAt': datetime(2015, 1, 1),
'UpdatedBy': 'string',
'Extensions': {
'string': {...}|[...]|123|123.4|'string'|True|None
}
}
Response Structure
(dict) --
IdentityStoreId (string) --
The globally unique identifier for the identity store.
UserId (string) --
The identifier for a user in the identity store.
UserName (string) --
A unique string used to identify the user. The length limit is 128 characters. This value can consist of letters, accented characters, symbols, numbers, and punctuation. This value is specified at the time the user is created and stored as an attribute of the user object in the identity store.
ExternalIds (list) --
A list of ExternalId objects that contains the identifiers issued to this resource by an external identity provider.
(dict) --
The identifier issued to this resource by an external identity provider.
Issuer (string) --
The issuer for an external identifier.
Id (string) --
The identifier issued to this resource by an external identity provider.
Name (dict) --
The name of the user.
Formatted (string) --
A string containing a formatted version of the name for display.
FamilyName (string) --
The family name of the user.
GivenName (string) --
The given name of the user.
MiddleName (string) --
The middle name of the user.
HonorificPrefix (string) --
The honorific prefix of the user. For example, "Dr."
HonorificSuffix (string) --
The honorific suffix of the user. For example, "M.D."
DisplayName (string) --
The display name of the user.
NickName (string) --
An alternative descriptive name for the user.
ProfileUrl (string) --
A URL link for the user's profile.
Emails (list) --
The email address of the user.
(dict) --
The email address associated with the user.
Value (string) --
A string containing an email address. For example, "johndoe@amazon.com."
Type (string) --
A string representing the type of address. For example, "Work."
Primary (boolean) --
A Boolean value representing whether this is the primary email address for the associated resource.
Addresses (list) --
The physical address of the user.
(dict) --
The address associated with the specified user.
StreetAddress (string) --
The street of the address.
Locality (string) --
A string of the address locality.
Region (string) --
The region of the address.
PostalCode (string) --
The postal code of the address.
Country (string) --
The country of the address.
Formatted (string) --
A string containing a formatted version of the address for display.
Type (string) --
A string representing the type of address. For example, "Home."
Primary (boolean) --
A Boolean value representing whether this is the primary address for the associated resource.
PhoneNumbers (list) --
A list of PhoneNumber objects associated with a user.
(dict) --
The phone number associated with the user.
Value (string) --
A string containing a phone number. For example, "8675309" or "+1 (800) 123-4567".
Type (string) --
A string representing the type of a phone number. For example, "Mobile."
Primary (boolean) --
A Boolean value representing whether this is the primary phone number for the associated resource.
UserType (string) --
A string indicating the type of user.
Title (string) --
A string containing the title of the user.
PreferredLanguage (string) --
The preferred language of the user.
Locale (string) --
A string containing the geographical region or location of the user.
Timezone (string) --
The time zone for a user.
UserStatus (string) --
The current status of the user account.
Photos (list) --
A list of photos associated with the user. Returns up to 3 photos with their associated metadata including type, display name, and primary designation.
(dict) --
Contains information about a user's photo. Users can have up to 3 photos, with one designated as primary. Supports common image formats, including jpg, jpeg, png, and gif.
Value (string) --
The photo data or URL. Supported formats include jpg, jpeg, png, and gif. This field is required for all photo entries.
Type (string) --
The type of photo. This field is optional and can be used to categorize different types of photos.
Display (string) --
A human-readable description of the photo for display purposes. This optional field provides context about the photo.
Primary (boolean) --
Specifies whether this is the user's primary photo. Default value is false. Only one photo can be designated as primary per user.
Website (string) --
The user's personal website or blog URL. Returns the stored website information for the user.
Birthdate (string) --
The user's birthdate in YYYY-MM-DD format. This field returns the stored birthdate information for the user.
CreatedAt (datetime) --
The date and time the user was created.
CreatedBy (string) --
The identifier of the user or system that created the user.
UpdatedAt (datetime) --
The date and time the user was last updated.
UpdatedBy (string) --
The identifier of the user or system that last updated the user.
Extensions (dict) --
A map of explicitly requested attribute extensions associated with the user. Not populated if the user has no requested extensions.
(string) --
(:ref:`document<document>`) --
The value of the attribute. This is a Document type. This type is not supported by Java V1, Go V1, and older versions of the CLI.
{'Extensions': ['string']}
Response {'Users': {'Extensions': {'string': {}}}}
Lists all users in the identity store. Returns a paginated list of complete User objects. Filtering for a User by the UserName attribute is deprecated. Instead, use the GetUserId API action.
See also: AWS API Documentation
Request Syntax
client.list_users(
IdentityStoreId='string',
Extensions=[
'string',
],
MaxResults=123,
NextToken='string',
Filters=[
{
'AttributePath': 'string',
'AttributeValue': 'string'
},
]
)
string
[REQUIRED]
The globally unique identifier for the identity store, such as d-1234567890. In this example, d- is a fixed prefix, and 1234567890 is a randomly generated string that contains numbers and lower case letters. This value is generated at the time that a new identity store is created.
list
A collection of extension names indicating what extensions the service should retrieve alongside other user attributes. aws:identitystore:enterprise is the only supported extension name.
(string) --
integer
The maximum number of results to be returned per request. This parameter is used in the ListUsers and ListGroups requests to specify how many results to return in one page. The length limit is 50 characters.
string
The pagination token used for the ListUsers and ListGroups API operations. This value is generated by the identity store service. It is returned in the API response if the total results are more than the size of one page. This token is also returned when it is used in the API request to search for the next page.
list
A list of Filter objects, which is used in the ListUsers and ListGroups requests.
(dict) --
A query filter used by ListUsers and ListGroups. This filter object provides the attribute name and attribute value to search users or groups.
AttributePath (string) -- [REQUIRED]
The attribute path that is used to specify which attribute name to search. Length limit is 255 characters. For example, UserName is a valid attribute path for the ListUsers API, and DisplayName is a valid attribute path for the ListGroups API.
AttributeValue (string) -- [REQUIRED]
Represents the data for an attribute. Each attribute value is described as a name-value pair.
dict
Response Syntax
{
'Users': [
{
'IdentityStoreId': 'string',
'UserId': 'string',
'UserName': 'string',
'ExternalIds': [
{
'Issuer': 'string',
'Id': 'string'
},
],
'Name': {
'Formatted': 'string',
'FamilyName': 'string',
'GivenName': 'string',
'MiddleName': 'string',
'HonorificPrefix': 'string',
'HonorificSuffix': 'string'
},
'DisplayName': 'string',
'NickName': 'string',
'ProfileUrl': 'string',
'Emails': [
{
'Value': 'string',
'Type': 'string',
'Primary': True|False
},
],
'Addresses': [
{
'StreetAddress': 'string',
'Locality': 'string',
'Region': 'string',
'PostalCode': 'string',
'Country': 'string',
'Formatted': 'string',
'Type': 'string',
'Primary': True|False
},
],
'PhoneNumbers': [
{
'Value': 'string',
'Type': 'string',
'Primary': True|False
},
],
'UserType': 'string',
'Title': 'string',
'PreferredLanguage': 'string',
'Locale': 'string',
'Timezone': 'string',
'UserStatus': 'ENABLED'|'DISABLED',
'Photos': [
{
'Value': 'string',
'Type': 'string',
'Display': 'string',
'Primary': True|False
},
],
'Website': 'string',
'Birthdate': 'string',
'CreatedAt': datetime(2015, 1, 1),
'CreatedBy': 'string',
'UpdatedAt': datetime(2015, 1, 1),
'UpdatedBy': 'string',
'Extensions': {
'string': {...}|[...]|123|123.4|'string'|True|None
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Users (list) --
A list of User objects in the identity store.
(dict) --
A user object that contains the metadata and attributes for a specified user.
IdentityStoreId (string) --
The globally unique identifier for the identity store.
UserId (string) --
The identifier for a user in the identity store.
UserName (string) --
A unique string used to identify the user. The length limit is 128 characters. This value can consist of letters, accented characters, symbols, numbers, and punctuation. This value is specified at the time the user is created and stored as an attribute of the user object in the identity store.
ExternalIds (list) --
A list of ExternalId objects that contains the identifiers issued to this resource by an external identity provider.
(dict) --
The identifier issued to this resource by an external identity provider.
Issuer (string) --
The issuer for an external identifier.
Id (string) --
The identifier issued to this resource by an external identity provider.
Name (dict) --
An object containing the name of the user.
Formatted (string) --
A string containing a formatted version of the name for display.
FamilyName (string) --
The family name of the user.
GivenName (string) --
The given name of the user.
MiddleName (string) --
The middle name of the user.
HonorificPrefix (string) --
The honorific prefix of the user. For example, "Dr."
HonorificSuffix (string) --
The honorific suffix of the user. For example, "M.D."
DisplayName (string) --
A string containing the name of the user that is formatted for display when the user is referenced. For example, "John Doe."
Prefix search supports a maximum of 1,000 characters for the string.
NickName (string) --
A string containing an alternate name for the user.
ProfileUrl (string) --
A string containing a URL that might be associated with the user.
Emails (list) --
A list of Email objects containing email addresses associated with the user.
(dict) --
The email address associated with the user.
Value (string) --
A string containing an email address. For example, "johndoe@amazon.com."
Type (string) --
A string representing the type of address. For example, "Work."
Primary (boolean) --
A Boolean value representing whether this is the primary email address for the associated resource.
Addresses (list) --
A list of Address objects containing addresses associated with the user.
(dict) --
The address associated with the specified user.
StreetAddress (string) --
The street of the address.
Locality (string) --
A string of the address locality.
Region (string) --
The region of the address.
PostalCode (string) --
The postal code of the address.
Country (string) --
The country of the address.
Formatted (string) --
A string containing a formatted version of the address for display.
Type (string) --
A string representing the type of address. For example, "Home."
Primary (boolean) --
A Boolean value representing whether this is the primary address for the associated resource.
PhoneNumbers (list) --
A list of PhoneNumber objects containing phone numbers associated with the user.
(dict) --
The phone number associated with the user.
Value (string) --
A string containing a phone number. For example, "8675309" or "+1 (800) 123-4567".
Type (string) --
A string representing the type of a phone number. For example, "Mobile."
Primary (boolean) --
A Boolean value representing whether this is the primary phone number for the associated resource.
UserType (string) --
A string indicating the type of user. Possible values are left unspecified. The value can vary based on your specific use case.
Title (string) --
A string containing the title of the user. Possible values are left unspecified. The value can vary based on your specific use case.
PreferredLanguage (string) --
A string containing the preferred language of the user. For example, "American English" or "en-us."
Locale (string) --
A string containing the geographical region or location of the user.
Timezone (string) --
A string containing the time zone of the user.
UserStatus (string) --
The current status of the user account.
Photos (list) --
A list of photos associated with the user. Users can have up to 3 photos with metadata including type, display name, and primary designation.
(dict) --
Contains information about a user's photo. Users can have up to 3 photos, with one designated as primary. Supports common image formats, including jpg, jpeg, png, and gif.
Value (string) --
The photo data or URL. Supported formats include jpg, jpeg, png, and gif. This field is required for all photo entries.
Type (string) --
The type of photo. This field is optional and can be used to categorize different types of photos.
Display (string) --
A human-readable description of the photo for display purposes. This optional field provides context about the photo.
Primary (boolean) --
Specifies whether this is the user's primary photo. Default value is false. Only one photo can be designated as primary per user.
Website (string) --
The user's personal website or blog URL. This field stores website information for personal or professional use.
Birthdate (string) --
The user's birthdate in YYYY-MM-DD format. This field stores personal birthdate information for the user.
CreatedAt (datetime) --
The date and time the user was created.
CreatedBy (string) --
The identifier of the user or system that created the user.
UpdatedAt (datetime) --
The date and time the user was last updated.
UpdatedBy (string) --
The identifier of the user or system that last updated the user.
Extensions (dict) --
A map of explicitly requested attribute extensions associated with the user. Not populated if the user has no requested extensions.
(string) --
(:ref:`document<document>`) --
The value of the attribute. This is a Document type. This type is not supported by Java V1, Go V1, and older versions of the CLI.
NextToken (string) --
The pagination token used for the ListUsers and ListGroups API operations. This value is generated by the identity store service. It is returned in the API response if the total results are more than the size of one page. This token is also returned when it is used in the API request to search for the next page.