AWS SSO is unable to complete your request at this time - IAM


I'm trying to assign an IAM user to 2 new AWS accounts for dev and production. For some reason this works if I open my IAM Identity Center on us-east-1, but when I try it on il-central-1 (Tel Aviv), I get these errors no matter how many times I try:

Assign user "emittedforsecurity" to AWS account "emittedforsecurity" with permission set "AdministratorAccess"

AWS SSO is unable to complete your request at this time. Obtaining permissions to manage your AWS account 'emittedforsecurity' is taking longer than usual. Please try again in a few minutes. If this problem continues, contact AWS Support.

Assign user "emittedforsecurity " to AWS account "emittedforsecurity" with permission set "AdministratorAccess"

AWS SSO is unable to complete your request at this time. Obtaining permissions to manage your AWS account 'emittedforsecurity' is taking longer than usual. Please try again in a few minutes. If this problem continues, contact AWS Support.

I've also tried this on another AWS account and the same errors pop up for il-central-1.

Nir
asked 6 months ago, 157 views
1 Answer

Hello,

I understand that when you try to assign an IAM user to 2 new AWS accounts for dev and production, you are able to assign the IAM user in the us-east-1 region but not in the il-central-1 region in both accounts, and you're getting the following error message:

++++

Assign user "emittedforsecurity" to AWS account "emittedforsecurity" with permission set "AdministratorAccess" AWS SSO is unable to complete your request at this time. Obtaining permissions to manage your AWS account 'emittedforsecurity' is taking longer than usual. Please try again in a few minutes. If this problem continues, contact AWS Support.

++++

There are a few things to review in order to ensure that you appropriately troubleshoot this:

  1. I do see that you mentioned that the dev and prod accounts are new. Please note that, particularly for new accounts, there are regions that are not enabled by default. It appears that the us-east-1 region is enabled by default on those accounts but the ‘il-central-1’ region is not. Please follow the steps below to manage regions on your accounts:

    • Login to your AWS Management console for the 2 new AWS accounts
    • Click on the drop-down on your existing region, if you’re currently defaulted to us-east-1 region, it will be listed as N. Virginia.
    • Once you click on the drop-down, you will see a list of regions enabled as well as the ones that are not enabled by default on the account.
    • If the ‘il-central-1’ region is amongst the list of regions not enabled by default, you can enable it by scrolling all the way to the bottom of the regions that are not enabled by default and clicking on manage regions.
    • Once you click on manage regions, it will take you to your account settings page. On the account settings page, scroll down to AWS Regions. You’ll see a lot of regions disabled on your account; click the checkbox next to the ‘il-central-1’ Israel (Tel Aviv) region and click on enable.
    • After you click on enable region, you will get a pop-up providing additional instructions on enabling a region. Please note that enabling a region is free, but users in your account might create or use resources that result in billing charges. You can use this AWS Region after AWS finishes preparing it. For most accounts, preparation is completed in a few minutes. If needed, you can disable the region.

Please review [ref1] for additional details on enabling or disabling regions on standalone accounts.

If the prod and dev accounts are member accounts of AWS Organizations, you can follow the steps below to enable or disable regions in those accounts:

* Login to the AWS Organizations console with your organization’s management credentials.
* On the AWS accounts page, select the prod and dev account that you want to update.
* Select the account settings tab, under regions select the regions you would like to enable.
* Select Actions and then choose the enable option from the actions.
* Review the displayed text and select enable region.

Please review [ref2] for additional details on how to enable regions. Please note that an organization can only have up to 20 region requests at a given time. Otherwise, you will receive a TooManyRequestsException. Once the region is enabled, you will be able to make appropriate AWS SSO (not IAM Identity Center) changes.

  2. If you’re assuming an IAM role to perform the operation, it is possible that the IAM role may not have the necessary permissions in that region. Check that the trust policy allows the principal to assume the roles in the il-central-1 region. For more information, please review [ref3] on how to delegate access across AWS accounts using IAM roles.

  3. If the problem persists after 24 hours, create a support case with AWS explaining the issue. The support team may be able to help troubleshoot further. Please review [ref4] on how to reach out to AWS Support.

References:

ref1 - [https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-standalone]

ref2 - [https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-regions.html#manage-acct-regions-enable-organization]

ref3 - [https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html]

ref4 - [https://aws.amazon.com/contact-us/]

*** If the answer is helpful, please click "Accept Answer" and upvote it. ***

Kind regards,

Olu

AWS
Olu Ojo
answered 4 months ago
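
The region check from step 1 of the answer above can also be done from the AWS CLI. This is an added example, not part of the original answer: it reads the opt-in status of il-central-1 through the Account Management API for each account and only calls `enable-region` when asked to. The account IDs in the usage comment are constructed placeholders, and the `APPLY` switch and the `self` keyword are conventions of this script, not AWS features.

```shell
#!/bin/sh
# Added example: verify that an opt-in Region is enabled in each target
# account before retrying the permission-set assignment.
REGION="${REGION:-il-central-1}"

# Map a RegionOptStatus value to what the operator should do next.
# Pure function, no AWS calls.
next_action() {
  case "$1" in
    ENABLED|ENABLED_BY_DEFAULT) echo "ready" ;;   # Region usable now
    ENABLING|DISABLING)         echo "wait" ;;    # state change in progress
    DISABLED)                   echo "enable" ;;  # opt-in still required
    *)                          echo "unknown" ;;
  esac
}

# "self" means the account the credentials belong to (no --account-id).
# Any other value is treated as a member account ID and needs credentials
# from the organization's management account.
acct_args() {
  [ "$1" = "self" ] || echo "--account-id $1"
}

region_status() {
  # shellcheck disable=SC2046  # intentional word splitting of acct_args
  aws account get-region-opt-status $(acct_args "$1") \
    --region-name "$REGION" --query RegionOptStatus --output text
}

check_accounts() {
  for acct in "$@"; do
    status=$(region_status "$acct") || { echo "$acct lookup-failed"; continue; }
    action=$(next_action "$status")
    echo "$acct $REGION $status $action"
    # Only change account state when explicitly requested with APPLY=1.
    if [ "$action" = "enable" ] && [ "${APPLY:-0}" = "1" ]; then
      # shellcheck disable=SC2046
      aws account enable-region $(acct_args "$acct") --region-name "$REGION"
    fi
  done
}

# Usage (placeholder IDs): APPLY=1 sh check-region.sh 111111111111 222222222222
# Does nothing when no account arguments are given.
if [ "$#" -gt 0 ]; then
  check_accounts "$@"
fi
```

An account reported as `wait` is still being prepared; rerun the check until it reports `ready` before retrying the assignment.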
