AWS IAM Identity Center group push is failing with the following errors visible in the Okta system log:
Changes to the Group push mapping for the group <group> could not take effect due to error: Error while creating user group <group>: Unauthorized
Changes to the Group push mapping for the group<group> could not take effect due to error: Error while trying to get the group <group> with the externalId <externalID> and id com.saasure.db.dto.platform.entity.AppGroup@3d94a15b[status=ACTIVE,name=<name>,description=<description>,externalId=<externalID>,appInstanceId=<appInstanceID>,userGroupId=<userGroupID>,oktaMastered=true,pushed=false,changeStatus=<null>,data=<null>,objectClass=,externalIdAndInstanceKey=<externalIDAndInstanceKey>,objectClassList=[]]: Unauthorized
- AWS IAM Identity Center
- Provisioning
- Group Push
The API token used for provisioning has expired.
Work with the AWS administrator or AWS Support team to either generate a new SCIM API access token or rotate the expired access token on the AWS side, following AWS documentation: Automatic Provisioning - AWS IAM Identity Center.
- Access the Okta Admin Console.
- Navigate to the AWS app > Provisioning > Integration.
- Click Edit.
- Copy the newly generated AWS SCIM API access token and paste it in place of the old, invalid token.
- Click the Test API Credentials button again and ensure it verifies successfully.
- Once verified, click Save.
- Navigate to the Group Push tab and click Push Now to re-attempt the group push. Confirm that the group has been pushed successfully.
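One way to spot this condition before users report it is to scan exported System Log messages for the two error forms quoted above. This is an added example, not part of the original article or Okta's own tooling; it assumes the messages are available as plain text strings, one per event, and the group names and sample messages are constructed.

```python
import re
from collections import defaultdict

# Both error forms on the page share this shape and end with the reason
# returned by the AWS side. \s* tolerates a missing space before the name.
PUSH_ERROR = re.compile(
    r"Changes to the Group push mapping for the group\s*(?P<group>.+?) "
    r"could not take effect due to error: (?P<detail>.*): (?P<reason>[^:]+)$"
)

def classify(message):
    """Return (group, operation, reason) for a group push failure, else None."""
    m = PUSH_ERROR.match(message.strip())
    if not m:
        return None
    detail = m.group("detail")
    if detail.startswith("Error while creating user group"):
        op = "create"
    elif detail.startswith("Error while trying to get the group"):
        op = "lookup"
    else:
        op = "other"
    return m.group("group"), op, m.group("reason").strip()

def expired_token_suspects(messages):
    """Map each group to the operations that failed with Unauthorized."""
    hits = defaultdict(set)
    for msg in messages:
        parsed = classify(msg)
        if parsed and parsed[2] == "Unauthorized":
            hits[parsed[0]].add(parsed[1])
    return {group: sorted(ops) for group, ops in hits.items()}

# Constructed sample messages (hypothetical group names and IDs).
P = "Changes to the Group push mapping for the group"
T = " could not take effect due to error: "
SAMPLE = [
    f"{P} AWS-Admins{T}Error while creating user group AWS-Admins: Unauthorized",
    f"{P}AWS-ReadOnly{T}Error while trying to get the group AWS-ReadOnly with the "
    "externalId ext-0001 and id AppGroup@0[status=ACTIVE,pushed=false]: Unauthorized",
    # Constructed reason, included only for contrast with Unauthorized.
    f"{P} AWS-Dev{T}Error while creating user group AWS-Dev: Conflict",
    "Unrelated event message",
]

if __name__ == "__main__":
    for group, ops in expired_token_suspects(SAMPLE).items():
        print(f"{group}: {', '.join(ops)} failed with Unauthorized")
```

Unauthorized failures across several pushed groups at once point at the shared SCIM API token rather than at any single group mapping.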
