idpscimcli is the helper command-line program used to validate and inspect the same systems that idpscim synchronizes.
Use it when you want to answer questions such as:
- Can I reach the AWS IAM Identity Center SCIM endpoint?
- Which groups or users currently exist in AWS SCIM?
- Which Google Workspace groups match my filters?
- Which members are inside those groups?
| Item | Location |
|---|---|
| Source entry point | cmd/idpscimcli/main.go |
| Local binary | build/idpscimcli |
The current command surface is:
```
idpscimcli
|- aws
|  |- service config
|  |- groups list
|  `- users list
`- gws
   |- groups list
   |- groups members list
   `- users list
```

These flags apply to the whole CLI:

| Flag | Purpose |
|---|---|
| --config-file, -c | Path to the configuration file |
| --debug, -d | Enable debug logging |
| --log-format, -f | Log output format |
| --log-level, -l | Log verbosity |
| --output-format | Output format: json or yaml |
| --timeout | Request timeout for API calls |
| --version, -v | Show version information |

Use the aws command group to inspect the AWS IAM Identity Center SCIM API.

| Flag | Purpose |
|---|---|
| --aws-scim-endpoint, -e | AWS IAM Identity Center SCIM endpoint |
| --aws-scim-access-token, -t | AWS IAM Identity Center SCIM access token |

| Command | Purpose |
|---|---|
| idpscimcli aws service config | Show SCIM service provider configuration |
| idpscimcli aws groups list | List groups from the AWS SCIM API |
| idpscimcli aws users list | List users from the AWS SCIM API |

Show SCIM service configuration:

```bash
./build/idpscimcli aws service config \
  --aws-scim-endpoint https://example.awsapps.com/scim/v2/ \
  --aws-scim-access-token "$SCIM_ACCESS_TOKEN"
```

List groups with a SCIM filter:

```bash
./build/idpscimcli aws groups list \
  --aws-scim-endpoint https://example.awsapps.com/scim/v2/ \
  --aws-scim-access-token "$SCIM_ACCESS_TOKEN" \
  --filter 'displayName eq "Engineering"'
```

List users:

```bash
./build/idpscimcli aws users list \
  --aws-scim-endpoint https://example.awsapps.com/scim/v2/ \
  --aws-scim-access-token "$SCIM_ACCESS_TOKEN"
```

Use the gws command group to inspect Google Workspace objects with the same credentials model used by the main sync program.

| Flag | Purpose |
|---|---|
| --gws-service-account-file, -s | Path to the Google Workspace service account JSON |
| --gws-user-email, -u | Delegated Google Workspace user email |

| Command | Purpose |
|---|---|
| idpscimcli gws groups list | List groups that match the provided group filters |
| idpscimcli gws groups members list | List the members of the groups that match the filters |
| idpscimcli gws users list | List users that match the provided user filters |

| Command | Flag |
|---|---|
| gws groups list | --gws-groups-filter, -q |
| gws groups members list | --gws-groups-filter, -q |
| gws users list | --gws-users-filter, -r |

List groups:

```bash
./build/idpscimcli gws groups list \
  --gws-service-account-file credentials.json \
  --gws-user-email admin@example.com \
  --gws-groups-filter 'name=AWS*'
```

List members of matching groups:

```bash
./build/idpscimcli gws groups members list \
  --gws-service-account-file credentials.json \
  --gws-user-email admin@example.com \
  --gws-groups-filter 'email=aws-admins@example.com'
```

List users:

```bash
./build/idpscimcli gws users list \
  --gws-service-account-file credentials.json \
  --gws-user-email admin@example.com \
  --gws-users-filter 'email=alice@example.com'
```

Return YAML instead of JSON:

```bash
./build/idpscimcli gws groups list \
  --gws-service-account-file credentials.json \
  --gws-user-email admin@example.com \
  --gws-groups-filter 'name=AWS*' \
  --output-format yaml
```

Build the binary locally:

```bash
make build
./build/idpscimcli --help
```

Cross-compile for distribution:

```bash
make build-dist
```

Build the image locally:

```bash
make build-dist
GIT_VERSION=test make container-build
```

Run the CLI from the image:

```bash
podman run --rm -it \
  -v "$PWD/.idpscim.yaml:/app/.idpscim.yaml:ro" \
  ghcr.io/slashdevops/idp-scim-sync:latest \
  idpscimcli --config-file .idpscim.yaml
```
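
When the `--filter` value for `idpscimcli aws groups list` is built from a variable instead of the literal `displayName eq "Engineering"` shown earlier, a double quote inside the group name would close the string early and change the filter. The following is an added example, not code from the idp-scim-sync project: the function name `scim_eq_filter` and the variable `GROUP_NAME` are hypothetical, and it assumes string values are escaped as JSON strings, as the SCIM filter grammar in RFC 7644 specifies; whether the AWS endpoint accepts escaped quotes is not stated on this page.

```shell
#!/bin/sh
# Added example (not part of idp-scim-sync): build a safe value for
#   idpscimcli aws groups list --filter "$(scim_eq_filter displayName "$GROUP_NAME")"
# Assumption: string values follow JSON string escaping (RFC 7644 filter grammar).

# scim_eq_filter ATTR VALUE  ->  prints: ATTR eq "VALUE" with VALUE escaped.
# Returns 1 and prints nothing on stdout when ATTR is not a plain attribute
# name or VALUE contains a control character.
scim_eq_filter() {
    attr=$1
    value=$2

    # Attribute name: starts with a letter, then letters, digits, '.', '_', '-'.
    # This keeps operators and spaces out of the attribute position.
    case $attr in
        ''|[!A-Za-z]*|*[!A-Za-z0-9._-]*)
            echo "scim_eq_filter: invalid attribute name" >&2
            return 1 ;;
    esac

    # Reject control characters (newline, tab, ...) rather than encoding them.
    case $value in
        *[[:cntrl:]]*)
            echo "scim_eq_filter: control character in value" >&2
            return 1 ;;
    esac

    # Escape backslash first, then double quote, so the value cannot
    # terminate the quoted string and append its own filter terms.
    escaped=$(printf '%s' "$value" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf '%s eq "%s"\n' "$attr" "$escaped"
}
```
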