Many aws sso-admin commands failing with 403

Question

Even though I have full AWS access and able to create stuff within AWS SSO Console, following CLI command fails:

aws sso-admin create-account-assignment 
--instance-arn="arn:aws:sso:::instance/ssoins-xxx" 
--target-id="xyz" 
--target-type="AWS_ACCOUNT" 
--permission-set-arn="arn:aws:sso:::permissionSet/ssoins-xxx/ps-qwe" 
--principal-type="GROUP" 
--principal-id="99672ae6a4-5d62c75e-a849-43a5-bd11-87b2f0c6fdf4"

For FailureReason when describing the request I'm getting:

Received a 403 status error: User: arn:aws:iam::xyz:user/ivan.aracki.com is not authorized to perform: sso:CreateAccountAssignment on resource: arn:aws:sso:::account/xyz with an explicit deny

Answer 1

It seems in our case this was happening because my User was part of ForceMFA group which was denying this request. For some reason it is not denying ec2, s3 or other API calls. Probably sso-admin API is configured differently.

Solution was to follow this authenticate-mfa-cli AWS guide and exporting variables returned in this call:

aws sts get-session-token 
--serial-number arn-of-the-mfa-device 
--token-code code-from-token

Answer 2

In my case I had the same error but I had to specify the region:

aws sso-admin create-account-assignment \
  --instance-arn "$SSO_INSTANCE_ARN" \
  --target-id "$AWS_INFRA_ACCOUNT_ID" \
  --target-type "AWS_ACCOUNT" \
  --principal-type "GROUP" \
  --principal-id "$SSO_GROUP_ID" \
  --permission-set-arn "$SSO_PERMISSION_SET_ADMIN_ARN" \
  --region eu-west-3 \
  --no-cli-pager