IAM user with AdministratorAccess permission set is unable to access VPCs or IAM

0

I enabled IAM Identity Center in the root account of my organisation and created a user with the AdministratorAccess permission set.

After using the Access portal to log in as that user I get the same "complete registration" modal view when trying to view the VPC or IAM resource.

Other resources like S3, DynamoDB etc. seem to be accessible.

I'm just testing a terraform deployment to provision a new VPC, and I can neither view the VPC resource in the console nor provision the resource via terraform.

The policy is the standard:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

What is causing this issue?

  • Can you explain what you're seeing on the VPC service page when you say "complete registration modal view"?

  • So I see the "complete sign up" modal with this text:

    "Thanks for signing up for Amazon Web Services. If we have directed you to this page, then you have not finished registering. Make sure you have done the following:

    Provided all required information during sign-up. This includes adding a payment method, completing identity verification, and selecting a support plan. Responded to any additional information we have requested by email. Check your spam and junk email folders to make sure you have not missed any such requests. Verified your credit card information. We might temporarily hold up to $1 USD (or an equivalent amount in local currency) as a pending transaction for 3-5 days to verify your identity. This is an authorization, and you might need to contact your card issuer to approve it. It might take up to 24 hours to fully activate your AWS services. If you can’t access your services after that time, contact support."

    However the root account has completed the registration and sign up and assigned a payment method.

    If I click the "Complete your AWS Registration" button at the bottom, I'm taken to the "successfully signed up page" and simply redirected to the management console.

2 Answers
0

Hello CPB,

Are you familiar with AWS Organizations and the Service Control Policies (SCPs) implemented within your account structure? It's possible that the restrictions you're experiencing could be related to the SCPs configured at the AWS Organization level.

For further clarification, I recommend reviewing the following resources:

answered 11 days ago
  • So when I look in the root account the only SCP which is in the list is the FullAWSAccess policy, which is identical to the AdministratorAccess policy. However this policy isn't attached to any entities as I'm provisioning the user via IAM Identity Center.

    In fact I'm not even able to access that policy when assigning a permission set to my user.
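To make the SCP suggestion above concrete, here is an added example (not code from the question or the answers) that evaluates whether a set of SCPs combined with the AdministratorAccess identity policy allows a given action, such as ec2:DescribeVpcs; the FullAWSAccess document is the one from the question, while DENY_EC2_SCP and the level layout are constructed for illustration.

```python
import fnmatch

# The FullAWSAccess / AdministratorAccess document quoted in the question.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
ADMINISTRATOR_ACCESS = FULL_AWS_ACCESS_SCP  # the permission set uses the same document

# Constructed, hypothetical restrictive SCP used only to show the deny-overrides effect.
DENY_EC2_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["ec2:*", "iam:*"], "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports the * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_decision(policy, action):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy.
    Conditions and resource ARNs are ignored; only the Action/NotAction element is modelled."""
    decision = None
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("NotAction", stmt.get("Action", [])))
        matched = any(_action_matches(p, action) for p in patterns)
        if "NotAction" in stmt:
            matched = not matched
        if not matched:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def scp_allows(action, scp_levels):
    """scp_levels lists the SCPs attached at each level (root, OU, account) of a member
    account. Each level needs at least one allowing SCP and no denying one.
    Note: SCPs never restrict principals in the organization's management account."""
    for level in scp_levels:
        decisions = [policy_decision(scp, action) for scp in level]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True


def is_allowed(action, identity_policy, scp_levels):
    """Effective decision: the SCPs must permit the action and the identity policy must allow it."""
    return scp_allows(action, scp_levels) and policy_decision(identity_policy, action) == "Allow"
```

With only FullAWSAccess attached, as the comment above describes, the evaluator allows ec2:DescribeVpcs, so an SCP is not what produces the denial in that configuration.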

0

On the other hand, since this issue relates to an IAM Identity Center (IDC) SSO user, it could be due to improper provisioning or incomplete registration, including steps like MFA setup. For more insights, you can review this Repost discussion: Issue with SSO User Registration.

This post provides helpful information on troubleshooting SSO user registration issues.

answered 11 days ago
  • The user is able to log in successfully via the access panel and via the CLI tool using aws configure sso so the issue isn't in the provisioning of the user. I might be misunderstanding but I wouldn't be able to log in or access the console if the account was not provisioned right?
