perkbox/cloud-access-bot

Can't use AWS SSO Role

Closed this issue · 4 comments

Hello!
First of all, thank you very much for this amazing project.

I am trying to use it, but I'm not sure how to use AWS SSO to assume the role.

If I use some role outside of SSO, it works, but the users will need to assume the role using the aws-cli, so it won't work from the console.

Am I missing something?

If I use some role from AWS SSO, I get this error:

{"function":"handleReqApproval","level":"error","line":"362","msg":"Error building policy. Err: operation error IAM: PutRolePolicy, https response error StatusCode: 400, RequestID: c9b21dae-eb26-4e56-a4c7-381a48891903, UnmodifiableEntity: Cannot perform the operation on the protected role 'AWSReservedSSO_AccessToS3Buckets_bee43ec6fa2ef651' - this role is only modifiable by AWS","time":"2023-05-16T16:28:05Z"}

The role that I'm assuming using the bot is allowed to modify roles.

Maybe I'm just using it in the wrong way.

I would appreciate any help! Thank you very much!

It looks like you’re using AWS IAM identity center (formerly AWS SSO). You can’t edit roles created by identity center as they are managed by AWS. They can only be modified via the permission sets you create through identity center.

This project was originally built to work with IAM’s SAML federation feature (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html#CreatingSAML-configuring) rather than SSO/identity center. I’m sure it could be adapted to work with identity center, but users would have to assume another role to use their temporary privileges, as the bot won’t be able to attach inline policies to the AWS managed ones.
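The distinction in the reply above can be turned into a pre-flight check: before a bot calls PutRolePolicy, recognise roles that Identity Center provisioned (path `/aws-reserved/sso.amazonaws.com/`, name prefix `AWSReservedSSO_`) and refuse them with a clear message, instead of surfacing the UnmodifiableEntity error from the issue. This is an added example, not code from cloud-access-bot; the `FakeIAM` client and the sample roles are constructed so it runs offline, and a real deployment would pass a boto3 IAM client in their place.

```python
# Added example (not part of cloud-access-bot): refuse to attach inline
# policies to AWS IAM Identity Center (formerly AWS SSO) managed roles.

# Identity Center provisions its roles under this path and name prefix.
SSO_ROLE_PATH_PREFIX = "/aws-reserved/sso.amazonaws.com/"
SSO_ROLE_NAME_PREFIX = "AWSReservedSSO_"


class ManagedRoleError(Exception):
    """The target role is managed by AWS and cannot take inline policies."""


def is_identity_center_role(role: dict) -> bool:
    """True if a GetRole 'Role' dict describes an Identity Center managed role."""
    return (role.get("Path", "").startswith(SSO_ROLE_PATH_PREFIX)
            or role.get("RoleName", "").startswith(SSO_ROLE_NAME_PREFIX))


def put_inline_policy(iam, role_name: str, policy_name: str, policy_json: str) -> str:
    """Attach an inline policy only to a role the account itself controls.

    `iam` is any object exposing boto3-style get_role() and put_role_policy();
    the bot would pass a real boto3 IAM client, the test below passes FakeIAM.
    Returns the role ARN on success, raises ManagedRoleError otherwise.
    """
    role = iam.get_role(RoleName=role_name)["Role"]
    if is_identity_center_role(role):
        raise ManagedRoleError(
            f"{role['Arn']} is managed by IAM Identity Center; grant access "
            "through a permission set instead of an inline policy")
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=policy_json)
    return role["Arn"]


class FakeIAM:
    """Constructed stand-in for a boto3 IAM client so the example runs offline."""
    def __init__(self, roles: dict):
        self.roles = roles          # role name -> GetRole 'Role' dict
        self.inline_policies = {}   # (role name, policy name) -> document

    def get_role(self, RoleName):
        return {"Role": self.roles[RoleName]}

    def put_role_policy(self, RoleName, PolicyName, PolicyDocument):
        self.inline_policies[(RoleName, PolicyName)] = PolicyDocument
        return {}


# Constructed sample roles: one account-owned, one provisioned by Identity Center.
SSO_ROLE = "AWSReservedSSO_AccessToS3Buckets_bee43ec6fa2ef651"
SAMPLE_ROLES = {
    "bot-target": {"Path": "/", "RoleName": "bot-target",
                   "Arn": "arn:aws:iam::123456789012:role/bot-target"},
    SSO_ROLE: {"Path": SSO_ROLE_PATH_PREFIX, "RoleName": SSO_ROLE,
               "Arn": f"arn:aws:iam::123456789012:role{SSO_ROLE_PATH_PREFIX}{SSO_ROLE}"},
}
```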

Yes, @gilesrapkin, that's the problem! I will need to modify my workflow a little bit, then, but surely this project will help! I appreciated the help, and sorry for getting confused between IAM's SAML and SSO, but that's it! Thank you very much! Closing this issue.

@erickfaustino did you ever figure out how to use this with AWS IAM Identity Center?

Currently the code does support this. Using AWS SSO wouldn't require massive changes to the code's logic to support this.