How do I resolve the IAM error "Cannot perform the operation on the protected role AWSReservedSSO"?


I tried to use the AWS Identity and Access Management (IAM) console to modify a role name that begins with "AWSReservedSSO" and received an error.

Short description

When you use the IAM console to modify a role whose name begins with "AWSReservedSSO" (for example, to change its permissions or delete it), you might receive the following error:

"Cannot perform the operation on the protected role 'AWSReservedSSO_RoleName_Here' - this role is only modifiable by AWS"

Resolution

You can't use the IAM console (or the IAM API) to modify roles whose names begin with "AWSReservedSSO". IAM Identity Center creates these roles in each member account from a permission set and owns them; IAM rejects direct changes so that the role always matches the permission set it was provisioned from. To change what the role can do, modify the permission set in the AWS IAM Identity Center console and let Identity Center reprovision the role. Keep in mind that a permission set change applies in every account the permission set is assigned to and to every user and group that holds that assignment, so review the blast radius before you save.

For more information, see "I get a 'Cannot perform the operation on the protected role' error when modifying an IAM role".

Follow these steps to use the IAM Identity Center console to either edit the permission set's inline policy or attach a customer managed policy to the permission set.

Note: For a customer managed policy, IAM Identity Center references the policy by name and path instead of copying it, so a policy with exactly that name and path must already exist in every AWS Organizations member account to which the permission set is assigned, and it must grant the permissions your use case needs. If the policy is missing in any target account, provisioning for that account fails.

Option 1: Edit an inline policy

  1. Open the IAM Identity Center console with your Organizations management account (or with the delegated administrator account for IAM Identity Center).
  2. In the navigation pane, expand Multi-account permissions, and then choose Permission sets.
  3. In Permission sets, choose the permission set that you want to modify.
  4. In Inline policy, choose Edit.
  5. In the JSON document editor, enter an inline policy to allow permissions for your use case, and then choose Save changes.

Option 2: Attach a customer managed policy

  1. Open the IAM Identity Center console with your Organizations management account (or with the delegated administrator account for IAM Identity Center).
  2. In the navigation pane, expand Multi-account permissions, and then choose Permission sets.
  3. In Permission sets, choose the permission set that you want to attach the managed policy to.
  4. In Customer managed policies, choose Attach policies.
  5. In Policy names, enter the name of the customer managed policy exactly as it exists in your member accounts, and then choose Attach policies.
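The same two changes made with the AWS CLI instead of the console, as an added example that is not part of the AWS article. It assumes AWS CLI v2 and credentials for the Organizations management account (or the IAM Identity Center delegated administrator); the role name, the inline policy file and the customer managed policy name passed on the command line are placeholders. The script recovers the permission set name from the protected role's name (roles are named AWSReservedSSO_<PermissionSetName>_<suffix>), looks up the permission set, applies Option 1 and optionally Option 2, and then reprovisions every account the permission set is already assigned to.

```shell
#!/bin/sh
# Added example, not code from the AWS article. Assumes AWS CLI v2 and
# credentials for the management account or the Identity Center delegated
# administrator. Role, policy file and policy name arguments are placeholders.
set -eu

# Roles provisioned by IAM Identity Center carry a fixed prefix; IAM refuses
# to modify them, so the change has to go through sso-admin instead.
is_identity_center_role() {
  case "$1" in
    AWSReservedSSO_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Recover the permission set name from AWSReservedSSO_<Name>_<suffix>:
# drop the prefix, then the shortest trailing "_<suffix>" so that underscores
# inside the permission set name itself are preserved.
permission_set_name_from_role() {
  _rest="${1#AWSReservedSSO_}"
  printf '%s\n' "${_rest%_*}"
}

# Resolve a permission set name to its ARN in the given Identity Center instance.
find_permission_set_arn() {
  instance_arn="$1"; ps_name="$2"
  for ps_arn in $(aws sso-admin list-permission-sets \
      --instance-arn "$instance_arn" --query 'PermissionSets[]' --output text); do
    name=$(aws sso-admin describe-permission-set --instance-arn "$instance_arn" \
      --permission-set-arn "$ps_arn" --query 'PermissionSet.Name' --output text)
    if [ "$name" = "$ps_name" ]; then
      printf '%s\n' "$ps_arn"
      return 0
    fi
  done
  echo "permission set '$ps_name' not found" >&2
  return 1
}

main() {
  [ $# -ge 2 ] || { echo "usage: $0 apply ROLE_NAME INLINE_POLICY_JSON [CUSTOMER_MANAGED_POLICY_NAME]" >&2; exit 2; }
  role_name="$1"     # placeholder, e.g. AWSReservedSSO_ReadOnlyAccess_0123456789abcdef
  policy_file="$2"   # placeholder path to the inline policy JSON document
  cmp_name="${3:-}"  # placeholder; must exist by this name in every target account

  is_identity_center_role "$role_name" || { echo "not an IAM Identity Center role: $role_name" >&2; exit 1; }
  ps_name=$(permission_set_name_from_role "$role_name")

  instance_arn=$(aws sso-admin list-instances --query 'Instances[0].InstanceArn' --output text)
  ps_arn=$(find_permission_set_arn "$instance_arn" "$ps_name")

  # Option 1: replace the permission set's inline policy.
  aws sso-admin put-inline-policy-to-permission-set --instance-arn "$instance_arn" \
    --permission-set-arn "$ps_arn" --inline-policy "file://$policy_file"

  # Option 2: reference a customer managed policy by name and path. Identity
  # Center does not copy the policy; provisioning fails for any account that
  # lacks a policy with this exact name and path.
  if [ -n "$cmp_name" ]; then
    aws sso-admin attach-customer-managed-policy-reference-to-permission-set \
      --instance-arn "$instance_arn" --permission-set-arn "$ps_arn" \
      --customer-managed-policy-reference "Name=$cmp_name,Path=/"
  fi

  # Push the updated permission set to every account it is already provisioned
  # to, which rewrites the AWSReservedSSO_* role in each of them.
  aws sso-admin provision-permission-set --instance-arn "$instance_arn" \
    --permission-set-arn "$ps_arn" --target-type ALL_PROVISIONED_ACCOUNTS
}

# Only act when invoked as: ./script.sh apply ROLE_NAME POLICY.json [CMP_NAME]
if [ "${1:-}" = "apply" ]; then shift; main "$@"; fi
```

The `provision-permission-set` call is asynchronous; check the result with `aws sso-admin describe-permission-set-provisioning-status` using the request ID it returns. To confirm the change landed, sign in to a member account and run `aws iam list-role-policies --role-name AWSReservedSSO_...` followed by `aws iam get-role-policy` on the listed policy name; the role is still read-only to you in IAM, but its policies now reflect the permission set.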

Related information

How do I use IAM Identity Center permission sets?

Single sign-on access to AWS accounts

AWS OFFICIAL
Updated 6 months ago