Why can't (multiple) user managed policies be added to an SSO Permission Set?

0

We are being asked to move to AWS SSO as a compliance issue, however I am running into some limitations with the creation of Permission Sets.

Why is there no option to add multiple (or any) user managed policies?

AWS managed policies do not provide the secure, granular permissions required for a robust setup, yet the only other option is to add a single, json, inline policy (i.e. I can't even refer to the ARN of one user managed policy for this).

Our infrastructure is defined in Terraform and, as an example, we currently have an IAM role that has 2 user managed policies attached (the policies are necessarily defined in separate repos and cannot be combined whilst retaining their granularity).

With IAM Roles I can attach both of these policies, but not with Permission Sets, even though a Permission Set will create an IAM Role when it’s attached to an account.

Is there a security based reason for this, or is the SSO simply limited?

  • To clarify, I have tried in Terraform to do things like add a user managed policy instead of an AWS one, in case it was a limitation of the console that I could get around, however nothing has worked. I have managed to now merge the two user managed policies using the source/override options in Terraform when bringing in the policy as a data source. I would still like to know, however, if there is a reason for the limitations in SSO.

asked 2 years ago, 996 views
1 Answer
1

Hey - In July, AWS added support for Customer Managed Policies to IAM Identity Center (formerly AWS SSO).

HashiCorp have now added support for this: Resource: aws_ssoadmin_customer_managed_policy_attachment.

Jake (AWS)
answered 2 years ago
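The following Terraform configuration is an added example illustrating the answer above; it is not code from the question, the answer, or HashiCorp's documentation. It attaches two customer managed policies to a single permission set with the `aws_ssoadmin_customer_managed_policy_attachment` resource, which is the situation the question describes (two separately maintained policies that should not be merged into one inline document). Policy names (`ci-deploy-read`, `ci-deploy-write`, `developer-boundary`), the permission set name, the bucket name and the `aws.target` provider alias are placeholders I chose for the example.

```hcl
# Added example: two customer managed policies on one IAM Identity Center
# permission set. All resource/policy names below are placeholders.

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]

  # Customer managed policies are referenced by name + path, not by ARN: the
  # permission set is provisioned into many accounts, and a policy with this
  # exact name and path must exist in each of them.
  customer_policies = {
    read  = { name = "ci-deploy-read",  path = "/" }
    write = { name = "ci-deploy-write", path = "/" }
  }
}

resource "aws_ssoadmin_permission_set" "developer" {
  name             = "DeveloperAccess" # placeholder
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H"
}

# One attachment per policy. for_each keeps the policies as separate objects,
# so they can stay granular and be owned by separate repos.
resource "aws_ssoadmin_customer_managed_policy_attachment" "developer" {
  for_each = local.customer_policies

  instance_arn       = aws_ssoadmin_permission_set.developer.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn

  customer_managed_policy_reference {
    name = each.value.name
    path = each.value.path
  }
}

# The referenced policy has to already exist in every target account. This
# shows one of them in one account, using an assumed provider alias "target".
resource "aws_iam_policy" "ci_deploy_read" {
  provider = aws.target
  name     = "ci-deploy-read"
  path     = "/"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-artifacts",   # placeholder bucket
        "arn:aws:s3:::example-artifacts/*",
      ]
    }]
  })
}

# Optional ceiling: a permissions boundary on the permission set caps whatever
# the attached customer managed policies grant. Also referenced by name/path.
resource "aws_ssoadmin_permissions_boundary_attachment" "developer" {
  instance_arn       = aws_ssoadmin_permission_set.developer.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.developer.arn

  permissions_boundary {
    customer_managed_policy_reference {
      name = "developer-boundary" # placeholder
      path = "/"
    }
  }
}
```

Two points a practitioner will hit in practice: the attachment is by name and path rather than ARN precisely because the same permission set fans out to many accounts, so the `aws_iam_policy` must be created in each target account (typically from the repo that owns it, with a provider per account) before the permission set is assigned there, otherwise provisioning of that account fails; and a permissions boundary on the permission set is the cleanest way to keep independently maintained customer managed policies from drifting past an agreed ceiling.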
