Here's how IAM evaluates policies containing “Deny” and “Allow” statements:
Default Deny: By default, access to AWS resources is denied. If there are no policies attached to a user, group, or role, or if no policies explicitly grant access, AWS denies the action.
“Allow” Statements: IAM evaluates all the “Allow” statements in the policies attached to the user, group, or role. If any “Allow” statement allows the action, the action is permitted, subject to any further restrictions from subsequent “Deny” statements.
“Deny” Statements: IAM then evaluates all the “Deny” statements in the policies. If any “Deny” statement explicitly denies the action, the action is denied, regardless of any previous “Allow” statements.
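As an added example (not code from the page or from AWS), the following toy evaluator applies the precedence just described to constructed sample policies: a matching explicit Deny wins over any Allow, a matching Allow permits, and with no match the request falls through to the default deny. Policy contents, bucket names and ARNs are made up; only `Action` and `Resource` are honoured (no conditions, principals or `NotAction`), and wildcard matching reuses `fnmatch`, which is a slight superset of IAM's `*` and `?`.

```python
# Added example (not from the page or AWS): a toy evaluator for the
# Deny/Allow rule described above, run over constructed sample policies.
import fnmatch


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(patterns, value, case_sensitive):
    """IAM supports '*' and '?' wildcards. fnmatchcase also accepts '[...]'
    character classes, which IAM does not, so this is a slight superset."""
    if not case_sensitive:
        value = value.lower()
    for pattern in _as_list(patterns):
        if fnmatch.fnmatchcase(value, pattern if case_sensitive else pattern.lower()):
            return True
    return False


def _statement_matches(statement, action, resource):
    """A statement applies only if both its Action (case-insensitive) and its
    Resource (ARNs are case-sensitive) clauses match the request."""
    if not _wildcard_match(statement.get("Action", []), action, case_sensitive=False):
        return False
    return _wildcard_match(statement.get("Resource", []), resource, case_sensitive=True)


def evaluate(policies, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request.

    Precedence from the text above: a matching Deny wins over any Allow;
    otherwise a matching Allow permits; otherwise the default is deny.
    """
    outcome = "implicit-deny"
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _statement_matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "explicit-deny"  # nothing can override an explicit deny
            outcome = "allow"  # remember the Allow, keep looking for a Deny
    return outcome


# Constructed sample policies (the bucket name and ARNs are made up).
TEAM_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*",
             "Resource": ["arn:aws:s3:::team-bucket", "arn:aws:s3:::team-bucket/*"]},
            {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        ],
    },
    {
        # Guardrail policy: nobody may delete objects, even though s3:* is allowed above.
        "Version": "2012-10-17",
        "Statement": {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    },
]


def demo():
    """Evaluate a handful of constructed requests; returns the outcomes."""
    requests = [
        ("s3:GetObject", "arn:aws:s3:::team-bucket/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::team-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        ("ec2:DescribeInstances", "*"),
        ("ec2:StartInstances", "arn:aws:ec2:eu-central-1:123456789012:instance/i-0abc"),
    ]
    return {f"{a} {r}": evaluate(TEAM_POLICIES, a, r) for a, r in requests}


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{outcome:14} {request}")
```

The second policy is the interesting one: `s3:DeleteObject` is covered by the broad `s3:*` Allow, yet the request is refused because the Deny matches, and a request that no statement mentions at all (`ec2:StartInstances`) is refused without any Deny being written.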
To SSO into accounts with limited permissions, use the “IAM Identity Center”: https://console.aws.amazon.com/singlesignon/home
As described here: https://aws.amazon.com/iam/identity-center/
This is what the management of the organization looks like.
I have struck through the entry URL which is used to SSO into the organization.
The URL looks like https://myssoportal.awsapps.com/start, where the “myssoportal” part can be picked freely.
When the setup is done, trigger the login from the console.
This will allow you to get credentials for the console via SSO, or for programmatic access.
SSO from the command line works like this:
$ aws sso login --profile default
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.eu-central-1.amazonaws.com/

Then enter the code:

ABCD-CPZB
After logging in with your global user (which you manage in your IAM Identity Center: https://aws.amazon.com/iam/identity-center/),
you will be redirected to the SSO page, from where you can approve the request:
Don't forget to log out:
$ aws sso logout
To SSO into the AWS console, you can also navigate directly to
and pick one of the available roles to SSO into the AWS management console.
As in https://medium.com/@pushkarjoshi0410/how-to-set-up-aws-cli-with-aws-single-sign-on-sso-acf4dd88e056
To make Terraform work, you need a profile without “sso_session = mysso”,
as stated in https://www.reddit.com/r/aws/comments/zk456d/new_aws_cli_and_sso_sessions_profiles_and_legacy/
Leave “SSO session name” empty!!
$ aws configure sso --profile default
SSO session name (Recommended):
WARNING: Configuring using legacy format (e.g. without an SSO session).
Consider re-running "configure sso" command and providing a session name.
SSO start URL [None]: https://myssoportal.awsapps.com/start
SSO region [None]: eu-central-1
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

XXXX-XXXX
<select role>
Using the role name "HappyLegacyUser"
CLI default client Region [None]: <default region>
CLI default output format [None]: <default output>
To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile default
Associated ~/.aws/config:

[default]
region = eu-central-1
sso_start_url = https://********.awsapps.com/start
sso_region = eu-central-1
sso_account_id = 36********63
output = json
sso_role_name = Admin-NoIAM-NoBilling
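As an added example (not from the page or the AWS CLI), the following script parses an `~/.aws/config` and reports which profiles are in the legacy SSO format (start URL, region, account and role directly in the profile, no `sso_session`), which is the format the text above says Terraform needs, and which profiles use an `sso_session` block, including ones that reference a session section that does not exist. The config text is constructed for the example; the account id, role and session names are placeholders.

```python
# Added example (not from the page or the AWS CLI): classify the SSO
# profiles in an ~/.aws/config by format, so a profile meant for a client
# that does not understand sso_session can be checked before use.
import configparser

# Constructed sample config; account id, role and session names are placeholders.
SAMPLE_CONFIG = """\
[default]
region = eu-central-1
sso_start_url = https://myssoportal.awsapps.com/start
sso_region = eu-central-1
sso_account_id = 123456789012
sso_role_name = Admin-NoIAM-NoBilling
output = json

[profile modern]
sso_session = mysso
sso_account_id = 123456789012
sso_role_name = Admin-NoIAM-NoBilling
region = eu-central-1

[profile dangling]
sso_session = does-not-exist
sso_account_id = 123456789012
sso_role_name = Admin-NoIAM-NoBilling

[profile plain]
region = us-east-1

[sso-session mysso]
sso_start_url = https://myssoportal.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access
"""

# Keys a legacy-format SSO profile carries itself instead of via a session.
LEGACY_KEYS = {"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"}


def _load(config_text):
    # ~/.aws/config is INI-style, which configparser reads directly.
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return parser


def _profile_name(section):
    # In ~/.aws/config every profile except "default" is written "[profile name]".
    return section[len("profile "):] if section.startswith("profile ") else section


def classify_profiles(config_text):
    """Map each profile to 'legacy-sso', 'sso-session', 'broken-sso' or 'not-sso'."""
    parser = _load(config_text)
    sessions = {s[len("sso-session "):] for s in parser.sections()
                if s.startswith("sso-session ")}
    result = {}
    for section in parser.sections():
        if section.startswith("sso-session "):
            continue  # session definitions are not profiles
        keys = set(parser[section].keys())
        name = _profile_name(section)
        if "sso_session" in keys:
            # New format: must point at an existing session and still name account/role.
            missing = {"sso_account_id", "sso_role_name"} - keys
            referenced = parser[section]["sso_session"]
            ok = referenced in sessions and not missing
            result[name] = "sso-session" if ok else "broken-sso"
        elif keys & LEGACY_KEYS:
            # Legacy format: all four keys must be present in the profile itself.
            result[name] = "legacy-sso" if LEGACY_KEYS <= keys else "broken-sso"
        else:
            result[name] = "not-sso"
    return result


def legacy_sso_profiles(config_text):
    """Names of profiles usable by a client that does not understand sso_session."""
    return sorted(name for name, kind in classify_profiles(config_text).items()
                  if kind == "legacy-sso")


if __name__ == "__main__":
    for name, kind in classify_profiles(SAMPLE_CONFIG).items():
        print(f"{kind:12} {name}")
```

To run it against a real file, replace `SAMPLE_CONFIG` with the contents of `~/.aws/config`; the check is read-only and never touches credentials or the SSO token cache.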