Even though I have full AWS access and am able to create stuff within the AWS SSO Console, the following CLI command fails:
aws sso-admin create-account-assignment \
--instance-arn="arn:aws:sso:::instance/ssoins-xxx" \
--target-id="xyz" \
--target-type="AWS_ACCOUNT" \
--permission-set-arn="arn:aws:sso:::permissionSet/ssoins-xxx/ps-qwe" \
--principal-type="GROUP" \
--principal-id="99672ae6a4-5d62c75e-a849-43a5-bd11-87b2f0c6fdf4"
When describing the request, the FailureReason I'm getting is:
Received a 403 status error: User: arn:aws:iam::xyz:user/ivan.aracki.com is not authorized to perform: sso:CreateAccountAssignment on resource: arn:aws:sso:::account/xyz with an explicit deny
It seems in our case this was happening because my User was part of the ForceMFA group, which was denying this request. For some reason it is not denying ec2, s3 or other API calls. Probably the sso-admin API is configured differently. The solution was to follow this authenticate-mfa-cli AWS guide and export the variables returned in this call: