By using AWS re:Post, you agree to the Terms of Use
/Errors attaching policies to the role/

Errors attaching policies to the role

0

Hi, I am trying to attach a policy to a role. Specifically, I'm trying to attach SNS to a role and this is the error message I get.

"Policy AmazonSNSFullAccess not added. Cannot perform the operation on the protected role 'AWSReservedSSO_Developer-permission-set' - this role is only modifiable by AWS"

I also tried creating a new role and attaching that to the user's account but it didn't seem to give them access to SNS even though that was part of the policy.

I would prefer to be able to accomplish this as I have previously with other services by attaching the policy directly to the role.

Any help appreciated.

1 Answers
0
Accepted Answer

The AWSReservedSSO_* roles are protected inside individual AWS accounts, and can only be modified by updating the Permission Set in AWS Single Sign On (which will then propagate it out to the accounts). You can find some guidance around Permission Sets in the SSO documentation. You will need to log in to your Management Account to access AWS SSO (assuming you have not already taken advantage of the recent launch to support delegation for SSO).

If that isn't possible for you, then you may be able to achieve it by (as you started) creating a new Role which has the required permissions, and then allowing the AWSReservedSSO_Developer-permission-set Role to assume it (if it is allowed to!). The user would then log in to the AWS account using the AWSReservedSSO_Developer-permission-set role as normal, and then Switch Role to the one you created in order to perform SNS operations as needed. Note that when they switch role, the permissions of the role they assume replace (temporarily) the permissions from the original role, so you will need to include any other permissions they need in the 2nd role. See the docs for how to assume a role in the Console, or with the CLI.

EXPERT
answered a month ago
  • Thank you, I managed to add the SNS policy from the SSO permissions from the management account and it seems to have accepted the policy now. Thanks for your response!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions