Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to have management account as target of SSO Assignment Group #66

Open
eduardomourar opened this issue Jan 20, 2021 · 0 comments
Open

Unable to have management account as target of SSO Assignment Group #66

eduardomourar opened this issue Jan 20, 2021 · 0 comments
Labels
bug Something isn't working

Comments

@eduardomourar
Copy link
Member

If you have the management account as your target, the following error happens in Community::SSO::AssignmentGroup resource type v0.3.1:

Error: Received a 403 status error: Access denied by IAM. Please check your policy, or wait for role propagation to complete. IAM Error: User: arn:aws:sts::123456789012:assumed-role/community-sso-assignmentgroup-resour-ExecutionRole/1111 is not authorized to perform: iam:ListRolePolicies on resource: role AWSReservedSSO_Viewer_1111 (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: 1111; Proxy: null): 1111, 123456789012 arn:aws:sso:::permissionSet/ssoins-1111/ps-1111

I gave the resource type execution role with full permission to account and that still did not work.

As a workaround, I used the native type AWS::SSO::Assignment just for the management account.
@eduardomourar eduardomourar added the bug Something isn't working label Jan 20, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@eduardomourar