I'm using the same SSO Role in the same account to create a an SSO Permission set. It works in Console but not from CLI. I'm using AdministrationAccess managed policy. Checked with IAM Policy simulator and it should work.
This is the CLI
`aws sso-admin create-permission-set --name test --instance-arn 'arn:aws:sso:::instance/ssoins-1234567c07aa927c'
An error occurred (AccessDeniedException) when calling the CreatePermissionSet operation: User: arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_d856d636dbae8a64/admin_XXX is not authorized to perform: sso:CreatePermissionSet`
In addition it needs to run in the same region as the region where the SSO was created