Hello,
I've tried to replicate the issue you're experiencing, but it appears there may be some mistakes in permissions or misconfigurations. Below, I've outlined the steps I followed:
Step 1: Set Up Permissions in the Management Account

Create an IAM Policy for Listing Tags: Navigate to IAM in the management account. Create a new policy (ListTagsPolicy) with permissions to list tags for the Identity Center instance:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sso:ListTagsForResource",
      "Resource": "*"
    }
  ]
}
```

Save the policy.

Create an IAM Role for Cross-Account Access: Still in IAM, create a new role (CrossAccountAccessRole). Establish trust with the member account by adding the member account as a trusted entity:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::member-account-id:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Attach the ListTagsPolicy created earlier to this role. Note the ARN of the created role (e.g., arn:aws:iam::management-account-id:role/CrossAccountAccessRole).

Step 2: Assume Role in Member Account

Configure AWS CLI or SDK: In the member account, configure your AWS CLI or SDK to use credentials that have permissions to assume roles. Ensure you have the role ARN from the management account.

Assume Role Using AWS CLI: Use the following command to assume the role. Replace placeholders with actual values:

```bash
aws sts assume-role \
  --role-arn "arn:aws:iam::management-account-id:role/CrossAccountAccessRole" \
  --role-session-name "AccessInstanceTags"
```

This command returns security credentials (Access Key ID, Secret Access Key, and Session Token).

Configure Session Using Returned Credentials: Configure your CLI session to use the returned credentials:

```bash
export AWS_ACCESS_KEY_ID="ReturnedAccessKeyId"
export AWS_SECRET_ACCESS_KEY="ReturnedSecretAccessKey"
export AWS_SESSION_TOKEN="ReturnedSessionToken"
```

Step 3: Access Tags from Member Account

List Tags for Identity Center Instance: Using the assumed role's session, run the following command to list the tags:

```bash
# The sso-admin ListTagsForResource API requires --instance-arn as well as
# --resource-arn; for tags on the instance itself both are the instance ARN.
aws sso-admin list-tags-for-resource \
  --instance-arn "arn:aws:sso:::instance/ssoins-456" \
  --resource-arn "arn:aws:sso:::instance/ssoins-456" \
  --region us-west-2
```

If permissions and configurations are correct, this will list the tags of the Identity Center instance.
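The same three steps as a single boto3 script, added here as an example and not part of the answer above. It assumes placeholder ARNs (a management-account role `CrossAccountAccessRole` in account 111111111111 and a fictitious instance `ssoins-0123456789abcdef`), constructs sample API responses so the helpers can be exercised offline, walks `NextToken` pagination, and turns an access-denied error into a message pointing at the two policies from Step 1. When you adapt it, scope the `Resource` of ListTagsPolicy to the instance ARN rather than `*`; the action supports resource-level permissions on the instance.

```python
"""Cross-account read of IAM Identity Center instance tags (added example).

Not the re:Post answer's own code. ARNs, account IDs and sample responses
below are placeholders/constructed values; replace them with your own.
"""
import sys

# Assumed placeholders: the management-account role from Step 1 and the
# Identity Center instance whose tags we want.
ROLE_ARN = "arn:aws:iam::111111111111:role/CrossAccountAccessRole"
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-0123456789abcdef"
REGION = "us-west-2"  # region the Identity Center instance lives in

# Constructed sample responses, shaped like sts:AssumeRole and
# sso-admin:ListTagsForResource output, so the helpers run without AWS.
SAMPLE_ASSUME_ROLE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "exampleSecretKey",
        "SessionToken": "FwoGZXIvYXdzEXAMPLE",
    }
}
SAMPLE_TAG_PAGES = [
    {"Tags": [{"Key": "Environment", "Value": "prod"}], "NextToken": "p2"},
    {"Tags": [{"Key": "Owner", "Value": "platform-team"}]},
]


def credentials_to_env(assume_role_response: dict) -> dict:
    """Map an sts:AssumeRole response onto the AWS_* variables the CLI reads
    (the same three values exported in Step 2)."""
    creds = assume_role_response["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def tags_to_dict(pages) -> dict:
    """Flatten one or more ListTagsForResource pages into {Key: Value}."""
    tags = {}
    for page in pages:
        for tag in page.get("Tags", []):
            tags[tag["Key"]] = tag["Value"]
    return tags


def list_instance_tags(role_arn: str, instance_arn: str, region: str,
                       session_name: str = "AccessInstanceTags") -> dict:
    """Assume the management-account role, then list the instance's tags."""
    import boto3  # lazy import: the pure helpers above need no AWS SDK
    from botocore.exceptions import ClientError

    sts = boto3.client("sts")
    env = credentials_to_env(
        sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name))
    sso_admin = boto3.client(
        "sso-admin", region_name=region,
        aws_access_key_id=env["AWS_ACCESS_KEY_ID"],
        aws_secret_access_key=env["AWS_SECRET_ACCESS_KEY"],
        aws_session_token=env["AWS_SESSION_TOKEN"])

    # InstanceArn is required alongside ResourceArn; for tags on the
    # instance itself both are the instance ARN. Follow NextToken pages.
    pages, kwargs = [], {"InstanceArn": instance_arn, "ResourceArn": instance_arn}
    try:
        while True:
            page = sso_admin.list_tags_for_resource(**kwargs)
            pages.append(page)
            if not page.get("NextToken"):
                break
            kwargs["NextToken"] = page["NextToken"]
    except ClientError as exc:
        code = exc.response["Error"]["Code"]
        if code.startswith("AccessDenied"):
            raise SystemExit(
                f"{code}: check that the role's policy allows "
                f"sso:ListTagsForResource on {instance_arn} and that its trust "
                f"policy allows this account to sts:AssumeRole") from exc
        raise
    return tags_to_dict(pages)


def demo_offline() -> dict:
    """Exercise the helpers on the constructed samples (no network)."""
    env = credentials_to_env(SAMPLE_ASSUME_ROLE)
    assert env["AWS_SESSION_TOKEN"] == "FwoGZXIvYXdzEXAMPLE"
    return tags_to_dict(SAMPLE_TAG_PAGES)


if __name__ == "__main__":
    # Pass --live to run the real cross-account flow; default is offline.
    tags = (list_instance_tags(ROLE_ARN, INSTANCE_ARN, REGION)
            if "--live" in sys.argv[1:] else demo_offline())
    for key, value in sorted(tags.items()):
        print(f"{key}={value}")
```

Run it with `--live` from a member-account principal that is allowed to assume the role; without the flag it only walks the constructed sample responses.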