Why can't the root user change MFA rules on a rule?
I'm in a cognito user pool configuration, and I tried to change the MFA requirement on the pool to allow TOTP. It gave me this error:
[AccessDeniedException] Failed to update MFA configuration for us-east-1_FLnPt9UKE requestId: 0660fb15-2cc4-4f63-9c8f-657b71b320d9 time: Sat May 21 2022 16:16:18 GMT-0400 (Eastern Daylight Time) code: AccessDeniedException message: User: arn:aws:iam::384426254369:root is not authorized to perform: iam:PassRole on resource: > arn:aws:iam::745623467555:role/cognito_sms_role because no resource-based policy allows the iam:PassRole > action
I'm confused because I am logged into the console as the root user, which should have permission to EVERYTHING. I do not, however, really have a role named "cognito_sms_role." Is that the problem? If so, how do I fix it?
- Newest
- Most votes
- Most comments
The AWS account numbers are different in the two resources: 384426254369 for the root account user, and 745623467555 on the role. This means that your root user doesn't have permissions to change the role, since it's outside the account. Does that make sense for your setup?
Given iam:PassRole is a permission-only IAM action, it might also be that the root user account doesn't have it (it's not something I've ever tried to do).
You will likely have to assume a role in the Cognito role's account, so that you can make changes to it.
I'll check that out. I shohuldn't have two accounts so I'm not even sure why that should be!
Relevant content
- asked 2 years ago
- asked 7 months ago
- asked 4 years ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
