Hello.
Is the IAM policy you are trying to use a customer managed policy?
In that case, you will not be able to configure the permission set unless the AWS account you are trying to link the permission set to has the same IAM policy.
In other words, the possible cause of the error is that the AWS account to which you are trying to associate the permission set does not have the same IAM policy.
https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocmp.html
Before you assign your permission set with IAM policies, you must prepare your member account. The name of an IAM policy in your member account must be a case-sensitive match to the name of the policy in your management account. IAM Identity Center fails to assign the permission set if the policy doesn't exist in your member account.
The permissions that the policy grants don't have to be an exact match between accounts.
Hi Riku,
Thank you for your answer, but the policy does exist in the member account. It is a customer managed policy. We get a 404 error with the ARN for the policy in the member account, but if we duplicate the exact policy JSON and attach the new one, it works. However, this is not a viable solution for us because we manage our policies through Terraform. Any thoughts?
Thanks,
Hey there Tom,
I just ran into this issue with an account. Duplicating the policy does fix the issue because, with ours, they were inline policies to start out with. So if you go to search for the policy, it doesn't exist under Policies, even though you can look up the group and see the policy attached (though it is indicated that it is inline). Once I recreated it as an actual policy, I was able to use it in IAM Identity Center.
We ran into this same problem today. Duplicating the policy fixed it, but I did find our particular root cause -- the policies we were attempting to use were not in the / (root) policy path. They were something like /env/main/s3-policy. And the duplicates were in / (root), which is why they worked. All we had to do was enter the full path name of the policies (e.g. /env/main/s3-policy) when creating our Permission Sets and it worked fine.
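As an added pre-flight check (not code from this thread or from AWS), the following Python reproduces the three failure modes reported above, so you can diagnose a member account before assigning the permission set: the policy is inline rather than customer managed, the name differs in case, or the policy lives under a non-root path. The policy inventory is a constructed sample shaped like the items IAM's ListPolicies returns; in practice you would build it from that call in each member account.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRef:
    """A customer managed policy reference as IAM Identity Center resolves it."""
    name: str        # must match the member-account policy name case-sensitively
    path: str = "/"  # IAM path with leading and trailing slash; "/" is the root


def split_full_path(full: str) -> PolicyRef:
    """Split a console-style full path such as '/env/main/s3-policy'
    into the separate name and path the API expects."""
    if not full.startswith("/"):
        full = "/" + full
    head, _, name = full.rpartition("/")
    return PolicyRef(name=name, path=head + "/")


def check_reference(ref: PolicyRef, managed: list[dict],
                    inline_names: frozenset = frozenset()) -> str:
    """Return 'ok' or the reason the permission set assignment would fail."""
    if any(p["PolicyName"] == ref.name and p["Path"] == ref.path for p in managed):
        return "ok"
    same_name = [p for p in managed if p["PolicyName"] == ref.name]
    if same_name:
        paths = ", ".join(sorted(p["Path"] for p in same_name))
        return f"path mismatch: '{ref.name}' exists only under {paths}, reference uses {ref.path}"
    ci = [p for p in managed
          if p["PolicyName"].lower() == ref.name.lower() and p["Path"] == ref.path]
    if ci:
        return f"case mismatch: found '{ci[0]['PolicyName']}', reference uses '{ref.name}'"
    if ref.name in inline_names:
        return f"'{ref.name}' is an inline policy, not a customer managed policy"
    return f"no customer managed policy named '{ref.name}' in the member account"


# Constructed sample inventory (account id is a placeholder), shaped like the
# items returned by iam.list_policies(Scope="Local") in a member account.
MEMBER_ACCOUNT_POLICIES = [
    {"PolicyName": "s3-policy", "Path": "/env/main/",
     "Arn": "arn:aws:iam::111122223333:policy/env/main/s3-policy"},
    {"PolicyName": "ReadOnlyAudit", "Path": "/",
     "Arn": "arn:aws:iam::111122223333:policy/ReadOnlyAudit"},
]
# Inline policies never appear in ListPolicies; collected separately (constructed).
MEMBER_ACCOUNT_INLINE = frozenset({"LegacyInline"})

if __name__ == "__main__":
    for ref in (PolicyRef("s3-policy"), split_full_path("/env/main/s3-policy"),
                PolicyRef("readonlyaudit"), PolicyRef("LegacyInline")):
        print(ref, "->", check_reference(ref, MEMBER_ACCOUNT_POLICIES, MEMBER_ACCOUNT_INLINE))
```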