By using AWS re:Post, you agree to the Terms of Use
/AWS SSO Required permission to run aws sts get-caller-identity/

AWS SSO Required permission to run aws sts get-caller-identity


For an AWS SSO user, when they run

`aws sts get-caller-identity`

the following error occurs

`An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access`

I can't find any reference as to what permission the user needs to execute this command.

The user has the following policy:


and this inline policy:

            "Sid": "sts",
            "Effect": "Allow",
            "Action": "sts:GetServiceBearerToken",
            "Resource": "*",
            "Condition": {
                "NumericEquals": {
                    "sts:DurationSeconds": 43200
                "StringEquals": {
                    "sts:AWSServiceName": ""
1 Answers

Are you using AWS SSO Permission Sets to assign IAM policies to your users? As you suggest you are applying an inline policy I would assume not (since inline policies only apply to IAM users)?

If you are using SSO Permission Sets, then the read only permission set AWSReadOnlyAccess which uses the AWS Managed Policy arn:aws:iam::aws:policy/job-function/ViewOnlyAccess does not specifically include STS:* as a permission. Therefore I would assume that it is being implicitly denied.

If you could clarify it would help greatly.

answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions