org-formation / aws-resource-providers

A community driven repository where you can find AWS Resource Type Providers for different purposes (including org-formation ones).

Community::SSO::AssignmentGroup needs iam:ListRolePolicies permission #143

Closed logicata-jon closed 7 months ago

logicata-jon commented 7 months ago

If you need to attach a customer managed policy to a permission set, the handler also needs `iam:ListRolePolicies`. It is a read-only IAM action (a `List*` call), so granting it does not widen what the execution role can change, but it is absent from the execution role that is created when this type is deployed — the role's policy is derived from the `handlers` permissions block in the type schema, which currently reads:

 "handlers": {
        "create": {
            "permissions": [
                "sso:CreateAccountAssignment",
                "sso:DescribeAccountAssignmentCreationStatus",
                "sso:ListAccountAssignments",
                "iam:GetSAMLProvider",
                "iam:CreateRole"
            ]
        },
        "read": {
            "permissions": [
            ]
        },
        "update": {
            "permissions": [
                "sso:CreateAccountAssignment",
                "sso:DescribeAccountAssignmentCreationStatus",
                "sso:DeleteAccountAssignment",
                "sso:DescribeAccountAssignmentDeletionStatus",
                "sso:ListAccountAssignments",
                "iam:GetSAMLProvider",
                "iam:CreateRole"
            ]
        },
        "delete": {
            "permissions": [
                "sso:DeleteAccountAssignment",
                "sso:DescribeAccountAssignmentDeletionStatus",
                "sso:ListAccountAssignments",
                "iam:GetSAMLProvider"
            ]
        }
}

Should be updated to:

 "handlers": {
        "create": {
            "permissions": [
                "sso:CreateAccountAssignment",
                "sso:DescribeAccountAssignmentCreationStatus",
                "sso:ListAccountAssignments",
                "iam:GetSAMLProvider",
                "iam:CreateRole",
                "iam:ListRolePolicies"
            ]
        },
        "read": {
            "permissions": [
            ]
        },
        "update": {
            "permissions": [
                "sso:CreateAccountAssignment",
                "sso:DescribeAccountAssignmentCreationStatus",
                "sso:DeleteAccountAssignment",
                "sso:DescribeAccountAssignmentDeletionStatus",
                "sso:ListAccountAssignments",
                "iam:GetSAMLProvider",
                "iam:CreateRole",
                "iam:ListRolePolicies"
            ]
        },
        "delete": {
            "permissions": [
                "sso:DeleteAccountAssignment",
                "sso:DescribeAccountAssignmentDeletionStatus",
                "sso:ListAccountAssignments",
                "iam:GetSAMLProvider"
            ]
        }
}
logicata-jon commented 7 months ago

Adding that, if I get the chance, I may take this edit on myself, since it looks fairly simple: only the `create` and `update` handler permission lists change (the `delete` handler does not attach policies and so is left as is).