- Newest
- Most votes
- Most comments
The AWSReservedSSO_* roles are protected inside individual AWS accounts, and can only be modified by updating the Permission Set in AWS Single Sign On (which will then propagate it out to the accounts). You can find some guidance around Permission Sets in the SSO documentation. You will need to log in to your Management Account to access AWS SSO (assuming you have not already taken advantage of the recent launch to support delegation for SSO).
If that isn't possible for you, then you may be able to achieve it by (as you started) creating a new Role which has the required permissions, and then allowing the AWSReservedSSO_Developer-permission-set Role to assume it (if it is allowed to!). The user would then log in to the AWS account using the AWSReservedSSO_Developer-permission-set role as normal, and then Switch Role to the one you created in order to perform SNS operations as needed. Note that when they switch role, the permissions of the role they assume replace (temporarily) the permissions from the original role, so you will need to include any other permissions they need in the 2nd role. See the docs for how to assume a role in the Console, or with the CLI.
Relevant content
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
Thank you, I managed to add the SNS policy from the SSO permissions from the management account and it seems to have accepted the policy now. Thanks for your response!
How can i modify the trust policy on such roles? I cannot see any trust policy in permission set.