Here is my Python code for adding/updating an inline policy on an AWS SSO permission set:

    import boto3

    client = boto3.client('sso-admin')

    # In the actual code the quotes are escaped; shown here as a triple-quoted string
    # (the document must be a complete JSON object, including the outer braces)
    Inline_Policy = """{
       "Version": "2012-10-17",
       "Statement": [
            {
              "Action": [
                  "s3:Get*",
                  "s3:List*"
              ],
              "Effect": "Allow",
              "Resource": "*"
            }
       ]
    }"""

    response = client.put_inline_policy_to_permission_set(
        InstanceArn='arn:aws:sso:::instance/ssoins-sssss',
        PermissionSetArn='arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss',
        InlinePolicy=Inline_Policy)

I get the following error message:

    "errorMessage": "An error occurred (AccessDeniedException) when calling the PutInlinePolicyToPermissionSet operation: User: arn:aws:sts::ddddddd:assumed-role/Modify_Permission_Set-role-ssss/Modify_Permission_Set is not authorized to perform: sso:PutInlinePolicyToPermissionSet on resource: arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss"

I tried adding an administrator policy to the Lambda role that executes the function, but I still get permission denied.

Is there a different way of handling SSO permission sets than regular IAM permissions?

Managed policy attached to the Lambda:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            }
        ]
    }

1 Answer


Have you checked whether a Service Control Policy (SCP) that denies access to SSO applies to your account or organizational unit (OU)? https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

answered 2021-12-07T10:58:13.873
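Two helpers that follow from the question and the answer above, as an added example rather than code from either poster: `build_inline_policy` builds the permission-set policy as a dict and serialises it (so the document is always complete, well-formed JSON with no hand-escaped quotes), and `scp_denies_action` / `denying_scps` make the answer's suggested SCP check concrete by scanning the SCPs attached to an account for a Deny statement covering `sso:PutInlinePolicyToPermissionSet`. `denying_scps` assumes a boto3 `organizations` client is passed in; function names and the sample SCP documents in the test are constructed for this example.

```python
import fnmatch
import json


def build_inline_policy(actions, resource="*"):
    """Build the inline policy as a dict and serialise it, so the JSON is always
    well-formed (outer braces included) and no quote escaping is needed."""
    document = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": resource}],
    }
    return json.dumps(document)


def _matches(action, patterns):
    """IAM action names are case-insensitive and support '*' and '?' wildcards."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies_action(policy_json, action):
    """True if any Deny statement in the SCP document covers `action`.
    Handles Action/NotAction as a string or list. Condition blocks are ignored,
    so True means 'candidate explicit deny, inspect this statement'."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt and _matches(action, stmt["Action"]):
            return True
        if "NotAction" in stmt and not _matches(action, stmt["NotAction"]):
            return True
    return False


def denying_scps(org_client, account_id, action):
    """Names of SCPs attached directly to `account_id` whose Deny statements cover
    `action`. SCPs inherited from parent OUs/root are also evaluated by AWS, so
    repeat the call for each parent returned by list_parents to cover them."""
    hits = []
    pages = org_client.get_paginator("list_policies_for_target").paginate(
        TargetId=account_id, Filter="SERVICE_CONTROL_POLICY")
    for page in pages:
        for summary in page["Policies"]:
            doc = org_client.describe_policy(PolicyId=summary["Id"])["Policy"]["Content"]
            if scp_denies_action(doc, action):
                hits.append(summary["Name"])
    return hits
```

Run `denying_scps(boto3.client("organizations"), "<account-id>", "sso:PutInlinePolicyToPermissionSet")` from a principal in the management (or delegated administrator) account; a non-empty list names the SCPs that explain the AccessDeniedException despite the Allow-all identity policy.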