ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

Viewing Core Account resources as a Member Account Developer #8097

Open ASTRobinson opened 2 weeks ago

ASTRobinson commented 2 weeks ago

Expected Behavior

Users should be able to follow these steps to view resources on core accounts: https://user-guide.modernisation-platform.service.justice.gov.uk/user-guide/member-read-only-core-accounts.html

Actual Behavior

Users are receiving an "Invalid information in or more fields" error message.

Looking in CloudTrail I can see the below error when reproducing the problem.

"errorCode": "AccessDenied",
"errorMessage": "User: arn:aws:sts::<AccountNo>:assumed-role/AWSReservedSSO_ModernisationPlatformEngineer_23ce22cc18f42559/astrobinson@digital.justice.gov.uk is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<AccountNo>:role/member-delegation-read-only",

Steps to Reproduce the Problem

https://user-guide.modernisation-platform.service.justice.gov.uk/user-guide/member-read-only-core-accounts.html

Version

No response

Modules

No response

Account

No response

Khatraf commented 14 hours ago

I’m getting the same error as above when using the ModernisationPlatformEngineer role: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::accctnr:assumed-role/AWSReservedSSO_ModernisationPlatformEngineer_48ed82a2691108de/khatraf@digital.justice.gov.uk is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::acctNr:role/member-delegation-read-only

But using the developer role:

"arn": "arn:aws:sts::acctNr:assumed-role/AWSReservedSSO_modernisation-platform-developer_4a5d6c8df1c51683/khatraf@digital.justice.gov.uk" I’m able to switch role successfully, tested this in both sprinkler and equip.

So, using the developer role it should be possible to switch roles due to these permissions which the ModernisationPlatformEngineer role doesn’t have.
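The two comments above both quote the same CloudTrail `AccessDenied` shape for `sts:AssumeRole`, and the difference between the two permission sets is what needs to be pinned down. Below is an added triage helper (not code from the modernisation-platform repository) that parses that error message into caller account, permission-set name and target role, and then checks the caller against a trust policy for `member-delegation-read-only`. The trust policy, the account numbers, the permission-set hashes and the `eu-west-2` role path are all constructed assumptions for the example; the real trust policy should be read with `aws iam get-role` before drawing conclusions. The evaluator covers only the `ArnLike` / `aws:PrincipalArn` pattern commonly used to trust an Identity Center permission set whose role-name hash changes on redeploy, and does not model explicit `Deny` or other condition keys.

```python
import re
from typing import List, Optional

# Constructed sample values: placeholder accounts, hashes and users, not real ones.
CALLER_ACCOUNT = "111111111111"   # member account where the SSO session lives
CORE_ACCOUNT = "222222222222"     # core account owning member-delegation-read-only
SSO_REGION = "eu-west-2"          # assumption: region segment of the aws-reserved role path

# CloudTrail-style events modelled on the errorMessage quoted in the issue.
SAMPLE_EVENTS: List[dict] = [
    {
        "eventName": "AssumeRole",
        "errorCode": "AccessDenied",
        "errorMessage": (
            f"User: arn:aws:sts::{CALLER_ACCOUNT}:assumed-role/"
            "AWSReservedSSO_ModernisationPlatformEngineer_0123456789abcdef/alice@example.gov.uk "
            "is not authorized to perform: sts:AssumeRole on resource: "
            f"arn:aws:iam::{CORE_ACCOUNT}:role/member-delegation-read-only"
        ),
    },
    {"eventName": "AssumeRole", "errorCode": None, "errorMessage": None},   # successful call
    {"eventName": "GetCallerIdentity", "errorCode": None, "errorMessage": None},
]

# Hypothetical trust policy on the target role: it trusts only the developer permission set.
CONSTRUCTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CALLER_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"ArnLike": {"aws:PrincipalArn": [
            f"arn:aws:iam::{CALLER_ACCOUNT}:role/aws-reserved/sso.amazonaws.com/*/"
            "AWSReservedSSO_modernisation-platform-developer_*"
        ]}},
    }],
}

# "User: <sts assumed-role arn> is not authorized to perform: <action> on resource: <role arn>"
DENIAL_RE = re.compile(
    r"User: arn:aws:sts::(?P<caller_account>\d{12}):assumed-role/"
    r"(?P<session_role>[^/\s]+)/(?P<session_name>\S+) is not authorized to perform: "
    r"(?P<action>\S+) on resource: arn:aws:iam::(?P<target_account>\d{12}):role/(?P<target_role>\S+)"
)
# Identity Center role names: AWSReservedSSO_<permission set>_<16 hex chars>
SSO_ROLE_RE = re.compile(r"^AWSReservedSSO_(?P<permission_set>.+)_[0-9a-f]{16}$")


def parse_denial(message: Optional[str]) -> Optional[dict]:
    """Extract the structured fields from an AssumeRole AccessDenied message."""
    m = DENIAL_RE.search(message or "")
    if not m:
        return None
    fields = m.groupdict()
    sso = SSO_ROLE_RE.match(fields["session_role"])
    fields["permission_set"] = sso.group("permission_set") if sso else None
    return fields


def denied_assume_roles(events: List[dict]) -> List[dict]:
    """Keep only AssumeRole calls that CloudTrail recorded as AccessDenied."""
    out = []
    for ev in events:
        if ev.get("eventName") == "AssumeRole" and ev.get("errorCode") == "AccessDenied":
            parsed = parse_denial(ev.get("errorMessage"))
            if parsed:
                out.append(parsed)
    return out


def sso_role_iam_arn(denial: dict, region: str = SSO_REGION) -> str:
    """Map the sts assumed-role ARN to the IAM role ARN that aws:PrincipalArn is compared against."""
    return (f"arn:aws:iam::{denial['caller_account']}:role/aws-reserved/"
            f"sso.amazonaws.com/{region}/{denial['session_role']}")


def iam_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate IAM ArnLike wildcards (* and ?) into an anchored regex."""
    pieces = []
    for part in re.split(r"([*?])", pattern):
        pieces.append(".*" if part == "*" else "." if part == "?" else re.escape(part))
    return re.compile("^" + "".join(pieces) + "$")


def trust_policy_allows(policy: dict, principal_arn: str, caller_account: str) -> bool:
    """True if some Allow statement for sts:AssumeRole matches the calling role."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if not any(p in ("*", f"arn:aws:iam::{caller_account}:root", principal_arn) for p in principals):
            continue
        patterns = stmt.get("Condition", {}).get("ArnLike", {}).get("aws:PrincipalArn", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if not patterns or any(iam_pattern_to_regex(p).match(principal_arn) for p in patterns):
            return True
    return False


def diagnose(denial: dict, policy: dict) -> str:
    """Cross-account AssumeRole needs both sides to allow: decide which side to inspect next."""
    if trust_policy_allows(policy, sso_role_iam_arn(denial), denial["caller_account"]):
        return "trust-policy-ok: inspect the permission set's identity-based policy for sts:AssumeRole"
    return "trust-policy-mismatch: the calling permission set is not a trusted principal"


if __name__ == "__main__":
    for d in denied_assume_roles(SAMPLE_EVENTS):
        print(d["permission_set"], "->", d["target_role"], ":", diagnose(d, CONSTRUCTED_TRUST_POLICY))
```

Run against real data by replacing `SAMPLE_EVENTS` with records from a CloudTrail lookup and `CONSTRUCTED_TRUST_POLICY` with the `AssumeRolePolicyDocument` returned for the target role; grouping the parsed denials by `permission_set` shows quickly whether a single permission set is affected, as the comments above suggest.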