error when assigning permission sets to user group

Question

i got this error when trying to give permission sets to usegroup to be able access to my other account in the same organization.

*Assign group "group1" to AWS account "account1" with permission set "ec2-full-read-n-editlaunch"*

*AWS SSO is unable to complete your request at this time. Obtaining permissions to manage your AWS account 'accountidnumber' is taking longer than usual. Please try again in a few minutes. If this problem continues, contact AWS Support.*

the other account already has "OrganizationAccountAccessRole" includes trust policies to my management account.

Stefano Cortese · Answer

Hello,

I have encountered the same error as well and I solved it in this way:
- My IAM Identity Center is located in the Milan region 
- The AWS Account in the AWS Organization didn't have the Milan region enabled
- I enabled the Milan region for the AWS Organization account
- I tried to assign the permissions again and then it worked.

Best,
Stefano

Andrii · Answer

Hello.

A few things:
Ensure the IAM role or user you are using to assign the permission sets has adequate permissions to perform the operation. Make sure it has sso:InstanceAccessControlAttributeConfiguration, sso:PermissionSet, and sso:ManagedPolicy permissions.

Confirm that the trust relationships are set up correctly, and "OrganizationAccountAccessRole" is able to assume the necessary roles across accounts. Cross-account access necessitates that the trusting account (the account being accessed) has a trust policy that allows the accessing (trusted) account to assume a role.

Regards, Andrii

error when assigning permission sets to user group

Add your answer

Relevant content