I'm trying to trust a customer's AWS Identity Center IAM role from my AWS account, but I'm running into an error. The error message I'm getting is: 'Invalid principal in policy: "AWS":"arn:aws:iam::xxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_xxxxxxxxx"'. I have configured my role policy as follows:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_xxxxxxxx"
      },
      "Action": [
        "sts:TagSession",
        "sts:AssumeRole"
      ]
    }
  ]
}
```
It seems to work fine when I test it internally, but it fails when I attempt to use it with this customer. What could be causing the issue? They've confirmed that the role ARN is correct.
2 Answers
Have you tried removing the 'aws-reserved/sso.amazonaws.com' part from the ARN? This can sometimes resolve issues with invalid principals in trust policies.
It sounds like there might be a misunderstanding about using an Identity Center deployed role in a trust policy. I'm not certain why this shouldn't work, but make sure the customer’s role actually has permissions to assume yours. Also, check the region where the customer's Identity Center is deployed—sometimes you need to specify the region in the source role ARN. That could be part of the problem!
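An added example (not from the question or either answer) that shows why a literal AWSReservedSSO_ role ARN is a fragile principal and rewrites it to the ArnLike form AWS documents for permission-set roles; the account id, permission set name and role suffix are constructed placeholders.

```python
import re

# Constructed sample (placeholder account id) mirroring the questioner's policy shape.
CUSTOMER_ACCOUNT = "111122223333"
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{CUSTOMER_ACCOUNT}:role/aws-reserved/"
                             "sso.amazonaws.com/AWSReservedSSO_Support_0123456789abcdef"},
        "Action": ["sts:TagSession", "sts:AssumeRole"],
    }],
}

# Identity Center role ARNs carry a "<region>/" path element outside us-east-1, and the
# role name ends in a suffix that changes whenever the permission set is re-provisioned.
# IAM also rejects a trust policy whose literal role principal does not exist at save time.
SSO_ROLE = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):role/aws-reserved/sso\.amazonaws\.com/"
    r"(?:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)/)?AWSReservedSSO_(?P<permset>.+)_[0-9a-f]+$"
)

def parse_sso_role_arn(arn):
    """Return {"account", "region", "permset"} for an Identity Center role ARN, else None."""
    m = SSO_ROLE.match(arn)
    return m.groupdict() if m else None

def arn_like(arn, pattern):
    """Emulate IAM's ArnLike operator: '*' matches any run of characters, '?' a single one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, arn) is not None

def sso_principal_pattern(account, permset):
    # The "*" before the role name absorbs an optional "<region>/"; the trailing "*" the suffix.
    return f"arn:aws:iam::{account}:role/aws-reserved/sso.amazonaws.com/*AWSReservedSSO_{permset}_*"

def robust_trust_statement(account, permset, actions):
    """Trust the customer account root, then narrow to the permission set with ArnLike.
    The pattern is accepted before the role exists and survives re-provisioning; the
    customer's role still needs its own identity policy allowing sts:AssumeRole on yours."""
    return {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
            "Action": actions,
            "Condition": {"ArnLike": {"aws:PrincipalArn": sso_principal_pattern(account, permset)}}}

def lint_trust_policy(policy):
    """Flag literal AWSReservedSSO_ principals and return (findings, rewritten policy)."""
    findings, fixed = [], []
    for stmt in policy["Statement"]:
        aws = stmt.get("Principal", {}).get("AWS", [])
        hits = [p for p in ([aws] if isinstance(aws, str) else aws) if parse_sso_role_arn(p)]
        for arn in hits:
            info = parse_sso_role_arn(arn)
            findings.append(arn)
            fixed.append(robust_trust_statement(info["account"], info["permset"], stmt["Action"]))
        if not hits:
            fixed.append(stmt)
    return findings, {"Version": policy["Version"], "Statement": fixed}
```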
