
Following is my Python code to add/update an inline policy for an AWS SSO permission set:

# In actual code adding escape characters
# (building the policy as a dict and serialising it with json.dumps avoids hand escaping)
import json
import boto3

Inline_Policy = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
})

client = boto3.client('sso-admin')  # no region given here, so boto3 uses the Lambda's default region

response = client.put_inline_policy_to_permission_set(
    InstanceArn='arn:aws:sso:::instance/ssoins-sssss',
    PermissionSetArn='arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss',
    InlinePolicy=Inline_Policy)

I am getting the error:

"errorMessage": "An error occurred (AccessDeniedException) when calling the PutInlinePolicyToPermissionSet operation: User: arn:aws:sts::ddddddd:assumed-role/Modify_Permission_Set-role-ssss/Modify_Permission_Set is not authorized to perform: sso:PutInlinePolicyToPermissionSet on resource: arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss"

I tried adding the Admin policy for the Lambda role executing the function and I still get permission denied.

Is there a different way to handle SSO permission sets than regular IAM permissions?

Admin policy attached to the Lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
PiaklA
  • Can you please add the policies that the current Lambda role has (text + screenshot(if possible))? – Ermiya Eskandary Dec 06 '21 at 20:51
  • I have an admin policy attached to my Lambda : { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] } – PiaklA Dec 06 '21 at 20:53
  • That policy will allow you to do anything *unless* something else is blocking it - can you please add a screenshot of **all** the policies currently attached to the Lambda role? Another policy may be blocking the above action. – Ermiya Eskandary Dec 06 '21 at 20:55
  • That is the only policy I have ( the one I shared earlier) I checked again. It does not have any other IAM policy attached to it. – PiaklA Dec 06 '21 at 21:01
  • Do you have access to the permission set? To the instance? Can you try to do this manually via the console? Does it work? – Ermiya Eskandary Dec 06 '21 at 21:05
  • Yes, manual operations are working. – PiaklA Dec 06 '21 at 21:55

2 Answers


Have you checked if there is a Service Control Policy (SCP) denying access to SSO which applies to your account or Organizational Unit (OU) please? https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html


It is likely due to your region if you have ensured that the policy and permissions are correct.

Make sure you are defining the sso client in the region where your SSO or Identity Center is activated.

e.g. for Python: sso = boto3.client('sso-admin', region_name='deployed_sso_region')

unacorn
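Pulling the two answers together, here is added example code (mine, not the asker's or either answerer's) that builds the inline policy with json.dumps instead of hand escaping, probes candidate regions for the Identity Center home region, and maps an AccessDeniedException to the two checks the answers name (client region and SCPs). The ARNs are constructed placeholders, and it assumes ListInstances returns no instances outside the home region.

```python
import json

# Constructed placeholder ARNs (the question's own ARNs are redacted, so these are made up).
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE"
PERMISSION_SET_ARN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"

def build_inline_policy(actions, resource="*"):
    """Build the policy as a dict and serialise it, so no hand-written escaping is needed."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": resource}],
    }
    return json.dumps(policy)

def find_identity_center_region(client_factory, candidate_regions):
    """Return the region whose sso-admin ListInstances reports our instance, else None.

    Assumption: outside the Identity Center home region ListInstances returns no
    instances, so probing each candidate region locates the home region."""
    for region in candidate_regions:
        instances = client_factory(region).list_instances().get("Instances", [])
        if any(i.get("InstanceArn") == INSTANCE_ARN for i in instances):
            return region
    return None

def put_inline_policy(client, policy_json):
    """Attach the policy; map AccessDeniedException to the two checks the answers name."""
    try:
        client.put_inline_policy_to_permission_set(
            InstanceArn=INSTANCE_ARN, PermissionSetArn=PERMISSION_SET_ARN, InlinePolicy=policy_json)
        return {"ok": True}
    except Exception as err:  # botocore.exceptions.ClientError exposes the error code in .response
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code != "AccessDeniedException":
            raise
        return {"ok": False, "code": code, "checks": [
            "sso-admin client region must be the Identity Center home region",
            "no SCP on the account or OU may deny sso:PutInlinePolicyToPermissionSet"]}

def boto3_client_factory(region):
    """Real client factory; boto3 is imported lazily so the helpers above run without it installed."""
    import boto3
    return boto3.client("sso-admin", region_name=region)

if __name__ == "__main__":
    home = find_identity_center_region(boto3_client_factory, ["us-east-1", "eu-west-1", "ap-southeast-2"])
    if home:
        policy = build_inline_policy(["s3:Get*", "s3:List*"])
        print(home, put_inline_policy(boto3_client_factory(home), policy))
```

Because the client is passed in, the same functions can be exercised against a stub client in a unit test before the Lambda role ever calls the real API.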