
Following is my Python code to add/update an inline policy for an AWS SSO permission set:

import boto3
import json

# Build the policy as a dict and serialise it with json.dumps instead of
# hand-escaping quotes inside a string literal (the original string was
# missing its outer braces and would not parse as JSON).
Inline_Policy = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
})

client = boto3.client('sso-admin')

response = client.put_inline_policy_to_permission_set(
    InstanceArn='arn:aws:sso:::instance/ssoins-sssss',
    PermissionSetArn='arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss',
    InlinePolicy=Inline_Policy)

I am getting the error:

"errorMessage": "An error occurred (AccessDeniedException) when calling the PutInlinePolicyToPermissionSet operation: User: arn:aws:sts::ddddddd:assumed-role/Modify_Permission_Set-role-ssss/Modify_Permission_Set is not authorized to perform: sso:PutInlinePolicyToPermissionSet on resource: arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss"

I tried adding the Admin policy for the Lambda role executing the function and I still get permission denied.

Is there a different way to handle SSO permission sets than regular IAM permissions?

Admin Policy attached to Lambda

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
  • Can you please add the policies that the current Lambda role has (text + screenshot(if possible))? Commented Dec 6, 2021 at 20:51
  • I have an admin policy attached to my Lambda: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] } Commented Dec 6, 2021 at 20:53
  • That policy will allow you to do anything unless something else is blocking it - can you please add a screenshot of all the policies currently attached to the Lambda role? Another policy may be blocking the above action. Commented Dec 6, 2021 at 20:55
  • That is the only policy I have ( the one I shared earlier) I checked again. It does not have any other IAM policy attached to it. Commented Dec 6, 2021 at 21:01
  • Do you have access to the permission set? To the instance? Can you try to do this manually via the console? Does it work? Commented Dec 6, 2021 at 21:05

2 Answers


It is likely due to your region if you have ensured that the policy and permissions are correct.

Make sure you are defining the sso client in the region where your SSO or Identity Center is activated.

e.g. for Python sso = boto3.client('sso-admin', region_name='deployed_sso_region')

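As an added example (not code from the question or this answer), here is the call rewritten the way the answer suggests: the policy document is built from a dict with json.dumps instead of hand-escaped quotes, the sso-admin client is pinned to the region where Identity Center is enabled, and an AccessDeniedException is parsed into principal, action and resource so each of the three can be checked separately (wrong region, missing identity policy, or an SCP). The ARNs are the placeholders from the question and the region name is a stand-in to replace; build_inline_policy and explain_access_denied are helper names chosen here, not part of boto3.

```python
import json
import re
from typing import Optional

# Placeholders taken from the question; replace with your own identifiers.
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-sssss"
PERMISSION_SET_ARN = "arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss"
SSO_REGION = "deployed_sso_region"  # region where IAM Identity Center is enabled


def build_inline_policy(actions, resource="*"):
    """Return the inline policy as a JSON string built from a dict,
    so no quote escaping is needed."""
    document = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(actions), "Resource": resource}
        ],
    }
    return json.dumps(document)


# Shape of the AccessDeniedException text shown in the question.
_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+)"
)


def explain_access_denied(message: str) -> Optional[dict]:
    """Pull principal, action and resource out of an access-denied message
    so the three can be verified independently; None if it has another shape."""
    match = _DENIED_RE.search(message)
    return match.groupdict() if match else None


def put_inline_policy(policy_json: str, region: str = SSO_REGION):
    """Attach the inline policy with a client pinned to the Identity Center region."""
    import boto3  # imported here so the pure helpers above run without boto3
    from botocore.exceptions import ClientError

    client = boto3.client("sso-admin", region_name=region)
    try:
        return client.put_inline_policy_to_permission_set(
            InstanceArn=INSTANCE_ARN,
            PermissionSetArn=PERMISSION_SET_ARN,
            InlinePolicy=policy_json,
        )
    except ClientError as err:
        code = err.response["Error"]["Code"]
        details = explain_access_denied(err.response["Error"]["Message"])
        if code == "AccessDeniedException" and details:
            raise RuntimeError(
                f"{details['principal']} lacks {details['action']} on "
                f"{details['resource']} (client region {region}); check the "
                "client region, the role's identity policy, and any SCP on the account"
            ) from err
        raise


if __name__ == "__main__":
    policy = build_inline_policy(["s3:Get*", "s3:List*"])
    print(put_inline_policy(policy))
```

Pinning region_name explicitly matters for Lambda because the function otherwise inherits the region it is deployed in, which need not be the Identity Center region.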



Have you checked if there is a Service Control Policy (SCP) denying access to SSO which applies to your account or Organizational Unit (OU) please? https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

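Added example, not part of this answer: a script that walks from the account up through its OUs to the organization root, fetches every SCP attached at each level through the Organizations API, and reports the Deny statements whose Action and Resource patterns match sso:PutInlinePolicyToPermissionSet on the permission set ARN from the question. It has to run with Organizations read access (the management account or a delegated administrator); the embedded SCP is constructed for illustration, and denying_statements and scan_account_scps are names chosen here. Conditions on a Deny statement are flagged rather than evaluated.

```python
import fnmatch
import json

TARGET_ACTION = "sso:PutInlinePolicyToPermissionSet"
TARGET_RESOURCE = "arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss"

# Constructed sample SCP: the first statement would block the question's call.
SAMPLE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyIdentityCenterChanges", "Effect": "Deny",
         "Action": ["sso:Put*", "sso:Attach*"], "Resource": "*"},
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?'); actions compare case-insensitively."""
    if fold_case:
        patterns = [p.lower() for p in patterns]
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def denying_statements(policy, action, resource):
    """Return the Deny statements in an SCP (JSON string or dict) that match
    `action` on `resource`. Handles Action/NotAction and Resource given as a
    string or a list; a Condition block is reported, not evaluated."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    hits = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            action_hit = _matches(_as_list(stmt["Action"]), action, fold_case=True)
        elif "NotAction" in stmt:
            action_hit = not _matches(_as_list(stmt["NotAction"]), action, fold_case=True)
        else:
            continue
        if not action_hit:
            continue
        if not _matches(_as_list(stmt.get("Resource", "*")), resource):
            continue
        hits.append({"Sid": stmt.get("Sid"), "HasCondition": "Condition" in stmt})
    return hits


def scan_account_scps(account_id, action=TARGET_ACTION, resource=TARGET_RESOURCE):
    """Collect matching Deny statements from SCPs attached to the account,
    each parent OU, and the root (all of them apply to the account)."""
    import boto3  # lazy import: the pure helpers above run without boto3
    org = boto3.client("organizations")  # needs management/delegated-admin credentials
    paginator = org.get_paginator("list_policies_for_target")
    findings = []
    target = account_id
    while target:
        for page in paginator.paginate(TargetId=target, Filter="SERVICE_CONTROL_POLICY"):
            for summary in page["Policies"]:
                content = org.describe_policy(PolicyId=summary["Id"])["Policy"]["Content"]
                for hit in denying_statements(content, action, resource):
                    findings.append({"Target": target, "Policy": summary["Name"], **hit})
        if target.startswith("r-"):  # reached the organization root
            break
        target = org.list_parents(ChildId=target)["Parents"][0]["Id"]
    return findings


if __name__ == "__main__":
    # Offline check against the constructed SCP; pass a real account id to
    # scan_account_scps() when running with Organizations access.
    print(denying_statements(SAMPLE_SCP, TARGET_ACTION, TARGET_RESOURCE))
```

A Deny found here overrides the Lambda role's Action "*" policy, which is why the admin policy alone does not explain the result; an empty list from every level means the SCP layer can be ruled out.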
