Errors attaching policies to the role
Hi, I am trying to attach a policy to a role. Specifically, I'm trying to attach SNS to a role and this is the error message I get.
"Policy AmazonSNSFullAccess not added. Cannot perform the operation on the protected role 'AWSReservedSSO_Developer-permission-set' - this role is only modifiable by AWS"
I also tried creating a new role and attaching that to the user's account but it didn't seem to give them access to SNS even though that was part of the policy.
I would prefer to be able to accomplish this as I have previously with other services by attaching the policy directly to the role.
Any help appreciated.
AWSReservedSSO_* roles are protected inside individual AWS accounts, and can only be modified by updating the Permission Set in AWS Single Sign On (which will then propagate it out to the accounts). You can find some guidance around Permission Sets in the SSO documentation. You will need to log in to your Management Account to access AWS SSO (assuming you have not already taken advantage of the recent launch to support delegation for SSO).
If that isn't possible for you, then you may be able to achieve it by (as you started) creating a new Role which has the required permissions, and then allowing the AWSReservedSSO_Developer-permission-set Role to assume it (if it is allowed to!). The user would then log in to the AWS account using the AWSReservedSSO_Developer-permission-set role as normal, and then Switch Role to the one you created in order to perform SNS operations as needed. Note that when they switch role, the permissions of the role they assume replace (temporarily) the permissions from the original role, so you will need to include any other permissions they need in the second role. See the docs for how to assume a role in the Console, or with the CLI.
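The Switch Role workaround described in the answer above, as an added example that is not from the original thread or from AWS: it builds the trust policy for the new role so that the AWSReservedSSO_Developer-permission-set role can assume it, and checks offline which caller ARNs that trust policy admits. The account id is a placeholder; the ArnLike pattern on aws:PrincipalArn allows for the path and random suffix IAM Identity Center gives these roles, which the shortened role name in the post omits.

```python
import fnmatch
import json

# Constructed values, not from the original post: a placeholder account id and
# the permission-set name the question mentions.
ACCOUNT_ID = "111122223333"
PERMISSION_SET = "Developer-permission-set"

# IAM Identity Center provisions the role under the path
# aws-reserved/sso.amazonaws.com/ with a random suffix after the permission-set
# name, so the trust policy matches a pattern instead of naming one exact ARN
# (an exact ARN stops matching if the role is re-provisioned with a new suffix).
SSO_ROLE_PATTERN = (
    f"arn:aws:iam::{ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/"
    f"*AWSReservedSSO_{PERMISSION_SET}_*"
)


def trust_policy() -> dict:
    """Trust policy for the second role: the account is the principal, and the
    ArnLike condition narrows it to sessions of the SSO permission-set role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"ArnLike": {"aws:PrincipalArn": SSO_ROLE_PATTERN}},
            }
        ],
    }


def principal_may_assume(policy: dict, principal_arn: str) -> bool:
    """Offline check of the trust policy against a caller's role ARN (what
    aws:PrincipalArn carries for a role session). Only Allow statements with an
    ArnLike condition on aws:PrincipalArn count; anything else is refused."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        patterns = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:PrincipalArn")
        if patterns is None:
            continue
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(principal_arn, p) for p in patterns):
            return True
    return False
```

The second role still needs its own permissions policy (AmazonSNSFullAccess plus anything else the user relies on, per the caveat in the answer); this block covers only the trust side.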
Thank you, I managed to add the SNS policy from the SSO permissions from the management account and it seems to have accepted the policy now. Thanks for your response!