Policy Reference condition on AttachCustomerManagedPolicyReferenceToPermissionSet action

0

Hi,

In the action AttachCustomerManagedPolicyReferenceToPermissionSet I lack a condition key which would allow me to control which CustomerManagedPolicyReference can be attached. For example, I would like to restrict it so that only a Policy Reference which starts with "some-prefix" can be attached, or so that the referenced Policy has "some-tag" assigned.

My question: is there a workaround which would allow me to control which Policy Reference can be attached to a Permission Set?

Thank you

1 Answer
0
Accepted Answer

Hello,

I have checked our internal resources. From our documentation it is evident that currently, when you add customer managed policies and permissions to a permission set, IAM Identity Center doesn't create a policy in any AWS accounts. You must instead create those policies in advance in each account where you want to assign your permission set, and match them to the name and path specifications of your permission set. When you assign a permission set to an AWS account in your Organization, IAM Identity Center creates an AWS Identity and Access Management (IAM) role and attaches your IAM policies to that role. https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocmp.html

As per the actions, resources, and condition keys reference for the service, this action doesn't support any condition keys [1].

Note:

The name of an IAM policy in your member account must be a case-sensitive match to name of the policy in your management account. IAM Identity Center fails to assign the permission set if the policy doesn't exist in your member account. The permissions that the policy grants don't have to be an exact match between accounts.

Having said that, when you try to attach the policy name to a different account that is not your management account, that is when this fails. At the moment, IAM policies are not being populated directly to the member accounts.

If you want to attach a custom policy to a permission set and then assign it to a specific member account, the account to which you are trying to push the permission set needs to have the IAM policy created with the name you are using in the permission set.

Reference: [1] Actions, resources, and condition keys for AWS IAM Identity Center (successor to AWS Single Sign-On) - https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html

AWS
answered a year ago
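Since the answer above confirms there is no condition key on AttachCustomerManagedPolicyReferenceToPermissionSet, the restriction the asker wants cannot be enforced in an IAM policy. What a practitioner can do is check the two things the answer calls out before assignment: that every customer managed policy reference on the permission set stays within an approved name prefix (a detective control, not a preventive one), and that each target member account already holds a policy whose name and path are a case-sensitive match, since assignment fails otherwise. The script below is an added example, not part of the re:Post thread or any AWS tooling. The reference list and the per-account policy lists are constructed sample data shaped like the output of `aws sso-admin list-customer-managed-policy-references-in-permission-set` and `aws iam list-policies --scope Local`; the prefix `some-prefix` and the account IDs are assumptions taken from the question.

```python
"""
Added example (not from the re:Post answer): audit customer managed policy
references on an IAM Identity Center permission set.

Two checks, both driven by the points in the accepted answer:
  1. Flag references whose Name is outside an allowed prefix. This is a
     detective compensating control, because the action has no condition key
     that could enforce the prefix in IAM.
  2. For each target member account, require a policy whose (Name, Path) is a
     case-sensitive match; IAM Identity Center does not create the policy and
     fails the assignment when no match exists.

All data here is constructed sample input. In real use, replace the two
constants with live boto3 calls (sso-admin and iam clients).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ALLOWED_PREFIX = "some-prefix"  # assumption: the prefix named in the question

# Constructed: references attached to one permission set, in the shape of
# list-customer-managed-policy-references-in-permission-set output.
PERMISSION_SET_REFERENCES = [
    {"Name": "some-prefix-s3-readonly", "Path": "/"},
    {"Name": "some-prefix-dynamodb-rw", "Path": "/team/"},
    {"Name": "AdminEverything", "Path": "/"},
]

# Constructed: customer managed policies present in each member account
# (iam list-policies --scope Local), keyed by a made-up account ID.
# Account 222222222222 deliberately has a case mismatch and a path mismatch.
ACCOUNT_POLICIES = {
    "111111111111": [
        {"PolicyName": "some-prefix-s3-readonly", "Path": "/"},
        {"PolicyName": "some-prefix-dynamodb-rw", "Path": "/team/"},
        {"PolicyName": "AdminEverything", "Path": "/"},
    ],
    "222222222222": [
        {"PolicyName": "Some-Prefix-S3-ReadOnly", "Path": "/"},   # wrong case
        {"PolicyName": "some-prefix-dynamodb-rw", "Path": "/"},   # wrong path
    ],
}


@dataclass(frozen=True)
class Finding:
    account_id: Optional[str]  # None for permission-set-level findings
    name: str
    path: str
    problem: str


def check_prefix(refs: List[dict], allowed_prefix: str = ALLOWED_PREFIX) -> List[Finding]:
    """Detective control: references whose Name does not start with the allowed prefix."""
    return [
        Finding(None, r["Name"], r["Path"], f"name does not start with {allowed_prefix!r}")
        for r in refs
        if not r["Name"].startswith(allowed_prefix)
    ]


def check_accounts(refs: List[dict], account_policies: Dict[str, List[dict]]) -> List[Finding]:
    """Per account, require an exact (case-sensitive) Name and Path match.

    Tuple membership is case-sensitive, which mirrors how IAM Identity Center
    resolves the reference in the member account.
    """
    findings: List[Finding] = []
    for account_id, policies in account_policies.items():
        present = {(p["PolicyName"], p["Path"]) for p in policies}
        for r in refs:
            if (r["Name"], r["Path"]) not in present:
                findings.append(Finding(
                    account_id, r["Name"], r["Path"],
                    "no policy with a case-sensitive match on name and path",
                ))
    return findings


def audit(refs: List[dict], account_policies: Dict[str, List[dict]],
          allowed_prefix: str = ALLOWED_PREFIX) -> List[Finding]:
    """Run both checks; an empty list means the assignment is safe to proceed."""
    return check_prefix(refs, allowed_prefix) + check_accounts(refs, account_policies)


if __name__ == "__main__":
    for f in audit(PERMISSION_SET_REFERENCES, ACCOUNT_POLICIES):
        scope = f.account_id or "permission-set"
        print(f"[{scope}] {f.path}{f.name}: {f.problem}")
```

Run it as is to see the four findings the sample data produces: one prefix violation on the permission set itself, and three missing matches in the second account (the case mismatch and the path mismatch both count as missing, exactly as the assignment would treat them). Because the reference is resolved by name inside each member account, the second check has to be run against the member accounts' own IAM policy lists, not against the management account.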
