以下是我的Python代码,用于添加/更新AWS SSO权限集的内联策略:
# In actual code adding escape characters
Inline_Policy="
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Effect": "Allow",
"Resource": "*"
}
] "
response = client.put_inline_policy_to_permission_set(
InstanceArn='arn:aws:sso:::instance/ssoins-sssss',
PermissionSetArn='arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss',
InlinePolicy=Inline_Policy)
我得到错误:
"errorMessage":"调用PutInlinePolicyToPermissionSet操作时发生错误(AccessDeniedException(:用户:arn:aws:sts::ddddd:假定的角色/Modify_Permission_Set-role-ssss/Modify_Permmission_Set未被授权对资源执行:sso:PutInlinePolicyToPermissionSet:arn:aws::permissionSet/soin-ssssss/ps-sssssss">
我尝试为执行该函数的Lambda角色添加Admin策略,但权限仍然被拒绝。
是否有与常规IAM权限不同的方法来处理SSO权限集?
Lambda 附带的管理政策
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
您是否已检查是否存在适用于您的帐户或组织单位(OU(的拒绝访问SSO的服务控制策略(SCP(?https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
如果您已确保策略和权限是正确的,则可能是由于您所在的地区。
确保您将sso客户端定义为激活sso或Identity Center的区域
例如,对于Pythonsso = boto3.client('sso-admin', region_name='deployed_sso_region')