Why can't the root user change MFA rules on a rule?
I'm in a cognito user pool configuration, and I tried to change the MFA requirement on the pool to allow TOTP. It gave me this error:
[AccessDeniedException] Failed to update MFA configuration for us-east-1_FLnPt9UKE requestId: 0660fb15-2cc4-4f63-9c8f-657b71b320d9 time: Sat May 21 2022 16:16:18 GMT-0400 (Eastern Daylight Time) code: AccessDeniedException message: User: arn:aws:iam::384426254369:root is not authorized to perform: iam:PassRole on resource: > arn:aws:iam::745623467555:role/cognito_sms_role because no resource-based policy allows the iam:PassRole > action
I'm confused because I am logged into the console as the root user, which should have permission to EVERYTHING. I do not, however, really have a role named "cognito_sms_role." Is that the problem? If so, how do I fix it?
- 최신
- 최다 투표
- 가장 많은 댓글
The AWS account numbers are different in the two resources: 384426254369 for the root account user, and 745623467555 on the role. This means that your root user doesn't have permissions to change the role, since it's outside the account. Does that make sense for your setup?
Given iam:PassRole is a permission-only IAM action, it might also be that the root user account doesn't have it (it's not something I've ever tried to do).
You will likely have to assume a role in the Cognito role's account, so that you can make changes to it.
I'll check that out. I shohuldn't have two accounts so I'm not even sure why that should be!
관련 콘텐츠
AWS 공식업데이트됨 2년 전- AWS 공식업데이트됨 일 년 전
