Closed logicata-jon closed 7 months ago
If you need to attach a customer managed policy to a permission set, this permission is required, but is absent from the role created by deploying this type:
```json
"handlers": {
    "create": {
        "permissions": [
            "sso:CreateAccountAssignment",
            "sso:DescribeAccountAssignmentCreationStatus",
            "sso:ListAccountAssignments",
            "iam:GetSAMLProvider",
            "iam:CreateRole"
        ]
    },
    "read": {
        "permissions": []
    },
    "update": {
        "permissions": [
            "sso:CreateAccountAssignment",
            "sso:DescribeAccountAssignmentCreationStatus",
            "sso:DeleteAccountAssignment",
            "sso:DescribeAccountAssignmentDeletionStatus",
            "sso:ListAccountAssignments",
            "iam:GetSAMLProvider",
            "iam:CreateRole"
        ]
    },
    "delete": {
        "permissions": [
            "sso:DeleteAccountAssignment",
            "sso:DescribeAccountAssignmentDeletionStatus",
            "sso:ListAccountAssignments",
            "iam:GetSAMLProvider"
        ]
    }
}
```
Should be updated to:
```json
"handlers": {
    "create": {
        "permissions": [
            "sso:CreateAccountAssignment",
            "sso:DescribeAccountAssignmentCreationStatus",
            "sso:ListAccountAssignments",
            "iam:GetSAMLProvider",
            "iam:CreateRole",
            "iam:ListRolePolicies"
        ]
    },
    "read": {
        "permissions": []
    },
    "update": {
        "permissions": [
            "sso:CreateAccountAssignment",
            "sso:DescribeAccountAssignmentCreationStatus",
            "sso:DeleteAccountAssignment",
            "sso:DescribeAccountAssignmentDeletionStatus",
            "sso:ListAccountAssignments",
            "iam:GetSAMLProvider",
            "iam:CreateRole",
            "iam:ListRolePolicies"
        ]
    },
    "delete": {
        "permissions": [
            "sso:DeleteAccountAssignment",
            "sso:DescribeAccountAssignmentDeletionStatus",
            "sso:ListAccountAssignments",
            "iam:GetSAMLProvider"
        ]
    }
}
```
Just adding that if I get a chance I might try to take this edit on myself, as it looks pretty simple.
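A reviewer can confirm that the proposed schema widens the handler role by exactly one action, and only where intended, by diffing the two `handlers` blocks from the issue. This is an added example, not code from the project; `handlers`, `diff_handlers` and `review_flags` are hypothetical helper names, and the action lists are copied from the issue text.

```python
# Action lists copied from the issue's "handlers" blocks (order is not significant).
ASSIGN_CREATE = ["sso:CreateAccountAssignment", "sso:DescribeAccountAssignmentCreationStatus"]
ASSIGN_DELETE = ["sso:DeleteAccountAssignment", "sso:DescribeAccountAssignmentDeletionStatus"]
COMMON = ["sso:ListAccountAssignments", "iam:GetSAMLProvider"]

def handlers(extra):
    """Build the issue's handlers block; `extra` is appended to create and update."""
    return {
        "create": {"permissions": ASSIGN_CREATE + COMMON + ["iam:CreateRole"] + extra},
        "read": {"permissions": []},
        "update": {"permissions": ASSIGN_CREATE + ASSIGN_DELETE + COMMON
                   + ["iam:CreateRole"] + extra},
        "delete": {"permissions": ASSIGN_DELETE + COMMON},
    }

BEFORE = handlers([])                        # schema as currently deployed
AFTER = handlers(["iam:ListRolePolicies"])   # schema as proposed in the issue

def diff_handlers(before, after):
    """Return {handler: {"added": [...], "removed": [...]}} for changed handlers only."""
    changes = {}
    for name in sorted(set(before) | set(after)):
        old = set(before.get(name, {}).get("permissions", []))
        new = set(after.get(name, {}).get("permissions", []))
        if old != new:
            changes[name] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return changes

def review_flags(before, changes):
    """Flag added actions that widen scope: wildcards, or a service new to that handler."""
    flags = []
    for name, change in changes.items():
        known = {a.split(":")[0] for a in before.get(name, {}).get("permissions", [])}
        for action in change["added"]:
            if "*" in action:
                flags.append((name, action, "wildcard"))
            elif action.split(":")[0] not in known:
                flags.append((name, action, "new service"))
    return flags

if __name__ == "__main__":
    changes = diff_handlers(BEFORE, AFTER)
    for name, change in changes.items():
        print(name, "added:", change["added"], "removed:", change["removed"])
    print("flags:", review_flags(BEFORE, changes))
```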