AWS re:Post Knowledge Center Feedback Survey

Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.

How do I resolve the "Cannot perform the operation on the protected role AWSReservedSSO" IAM error?

2 minute read

I want to use the AWS Identity and Access Management (IAM) console to modify a role name that begins with "AWSReservedSSO", but I receive an error.

Resolution

When you use the IAM console to modify a role name that begins with AWSReservedSSO, you might receive the following error:
"Cannot perform the operation on the protected role 'AWSReservedSSO_RoleName_Here' - this role is only modifiable by AWS"

To modify roles that begin with AWSReservedSSO, you must use the AWS IAM Identity Center console, instead of the IAM console. For more information, see I get a ‘Cannot perform the operation on the protected role' error when modifying an IAM role.

To use the IAM Identity Center console to modify the role name, either edit an inline policy or attach a customer managed policy.
Note: Make sure that your policy has the required permissions in your AWS Organizations member account.

Option 1: Edit an inline policy

Complete the following steps:

Open the IAM Identity Center console.
Note: Make sure that you're logged in with your Organizations management account.
In the navigation pane, under Multi-account permissions, choose Permission sets.
Choose the permission set that you want to modify.
In Inline policy, choose Edit.
In the JSON document editor, enter an inline policy to give permissions for your use case.
Choose Save changes.

Option 2: Attach a customer managed policy

Complete the following steps:

Open the IAM Identity Center console.
Note: Make sure that you're logged in with your Organizations management account.
In the navigation pane, under Multi-account permissions, choose Permission sets.
Choose the permission set that you want to attach the managed policy to.
In Customer managed policies, choose Attach policies.
Note: You must have an IAM policy that matches the name and path in each AWS account where you want to deploy your permission set.
In policy names, enter the name of the managed policy in your member account.
Choose Attach policies.

Related information

How do I use IAM Identity Center permission sets?

Single sign-on access to AWS accounts

Topics: Security, Identity, & Compliance
Tags: AWS IAM Identity Center
Language: English

AWS OFFICIALUpdated 2 months ago

No comments

Relevant content

tagging a AWSReservedSSO role wit SSMSessionRunAs
Dario Vernelli
asked 3 years ago
Errors attaching policies to the role
Accepted Answer
TAAli
asked 4 years ago
An error occurred (AccessDeniedException) when calling the CreateCluster operation: Cross-account pass role is not allowed.
Rohit Jha
asked a year ago
Lambda function cannot set the IAM Role on a new EC2 instance
JonCard
asked 3 years ago
(InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda
rePost-User-8626756
asked 3 years ago
How do I resolve the IAM user error "not authorized to perform iam:PassRole"?
AWS OFFICIALUpdated 2 months ago
How do I troubleshoot the CloudFormation error "The role defined for the function cannot be assumed by Lambda"?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot the "User/IAM role X is not authorized to perform Y on resource Z" error in AWS Glue?
AWS OFFICIALUpdated 3 years ago
How do I resolve the "Role [role_arn] is invalid or cannot be assumed" error when I update or delete a CloudFormation stack?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot when User: arn is no authorized to perform Create * or Delete * or Update * on resource(s) because no identity- policy allows the actions
EXPERT
Priyanka Y
published a year ago