AWS SSO cannot attach a permission set in an AWS account using Delegated Administrator account and how to solve it


Last Updated on September 30, 2022

If you have assigned an AWS Single Sign-On (SSO) Delegated Administrator Account, you might have noticed that there are permission sets that you cannot assign to your accounts.

The reason for this is that if you are in the Delegated Administrator Account, you cannot assign any Permission Set that you already have assigned to the Management Account.

By the way, AWS SSO is now called AWS IAM Identity Center. I’m still calling it AWS SSO since it’s shorter and I’m used to it.

You can log in to the Management Account and AWS SSO will allow you to attach the Permission Set to the member AWS account, but this is not recommended.

The reason for this is that the Management Account should have the highest security when it comes to your AWS Organization since it manages your whole AWS infrastructure.

To solve this, log in to the Delegated Administrator Account and then just create a new Permission Set. Make sure that the new Permission Set is not attached to the Management Account and you will be able to attach it to member accounts.
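As an added example (not code from the original post), the following shell script applies the rule above from the Delegated Administrator Account: it subtracts the permission sets provisioned to the Management Account from all permission sets in the instance, and whatever is left can be attached to member accounts. The aws CLI calls, the `--live` switch and the sample ARNs are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: which permission sets can a delegated administrator still attach?
# Rule from the post: a permission set already provisioned in the management account
# cannot be assigned from the delegated administrator account, so the usable set is
# "all permission sets" minus "permission sets provisioned to the management account".

# Pure helper: $1 and $2 are newline-separated lists of permission-set ARNs.
# Prints the ARNs in $1 that are NOT in $2 (sorted, de-duplicated). Empty output
# means every existing permission set is tied to the management account, i.e. a
# new permission set has to be created from the delegated administrator account.
assignable_from_delegated_admin() {
  all_sets=$1
  mgmt_sets=$2
  if [ -z "$mgmt_sets" ]; then
    printf '%s\n' "$all_sets" | sort -u
    return 0
  fi
  # grep -F with a newline-separated pattern list matches any of the management
  # ARNs; -x forces whole-line matches so a shared prefix never hides another ARN.
  printf '%s\n' "$all_sets" | sort -u | grep -vxF -e "$mgmt_sets" || :
}

# Live mode (assumed, needs credentials in the delegated administrator account).
# The instance ARN and management account id are discovered; nothing is hard-coded.
list_live() {
  instance_arn=$(aws sso-admin list-instances \
    --query 'Instances[0].InstanceArn' --output text)
  mgmt_id=$(aws organizations describe-organization \
    --query 'Organization.MasterAccountId' --output text)
  all=$(aws sso-admin list-permission-sets --instance-arn "$instance_arn" \
    --query 'PermissionSets[]' --output text | tr '\t' '\n')
  mgmt=$(aws sso-admin list-permission-sets-provisioned-to-account \
    --instance-arn "$instance_arn" --account-id "$mgmt_id" \
    --query 'PermissionSets[]' --output text | tr '\t' '\n')
  assignable_from_delegated_admin "$all" "$mgmt"
}

# The fix from the post as a command: create a fresh permission set from the
# delegated administrator account and never assign it to the management account.
#   aws sso-admin create-permission-set --instance-arn "$instance_arn" --name MemberAdmin

# Constructed sample data (placeholder ARNs) so the helper can be run offline.
SAMPLE_ALL='arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-mgmt-admin
arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-member-readonly
arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-member-admin'
SAMPLE_MGMT='arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-mgmt-admin'

if [ "${1:-}" = "--live" ]; then list_live; else assignable_from_delegated_admin "$SAMPLE_ALL" "$SAMPLE_MGMT"; fi
```

Run it without arguments to see the offline sample, or with `--live` from the Delegated Administrator Account to list the permission sets you can actually attach to member accounts.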

We hope this helps.
