Many aws sso-admin commands failing with 403

856 views Asked by At

Even though I have full AWS access and able to create stuff within AWS SSO Console, following CLI command fails:

aws sso-admin create-account-assignment 
--instance-arn="arn:aws:sso:::instance/ssoins-xxx" 
--target-id="xyz" 
--target-type="AWS_ACCOUNT" 
--permission-set-arn="arn:aws:sso:::permissionSet/ssoins-xxx/ps-qwe" 
--principal-type="GROUP" 
--principal-id="99672ae6a4-5d62c75e-a849-43a5-bd11-87b2f0c6fdf4"

For FailureReason when describing the request I'm getting:

Received a 403 status error: User: arn:aws:iam::xyz:user/ivan.aracki.com is not authorized to perform: sso:CreateAccountAssignment on resource: arn:aws:sso:::account/xyz with an explicit deny

2

There are 2 answers

0
Ivan Aracki On BEST ANSWER

It seems in our case this was happening because my User was part of ForceMFA group which was denying this request. For some reason it is not denying ec2, s3 or other API calls. Probably sso-admin API is configured differently.

Solution was to follow this authenticate-mfa-cli AWS guide and exporting variables returned in this call:

aws sts get-session-token 
--serial-number arn-of-the-mfa-device 
--token-code code-from-token
0
6be709c0 On

In my case I had the same error but I had to specify the region:

aws sso-admin create-account-assignment \
  --instance-arn "$SSO_INSTANCE_ARN" \
  --target-id "$AWS_INFRA_ACCOUNT_ID" \
  --target-type "AWS_ACCOUNT" \
  --principal-type "GROUP" \
  --principal-id "$SSO_GROUP_ID" \
  --permission-set-arn "$SSO_PERMISSION_SET_ADMIN_ARN" \
  --region eu-west-3 \
  --no-cli-pager