

IAM

How are Deny and Allow statements evaluated within one policy?

Here is how IAM evaluates policies that contain both “Deny” and “Allow” statements. The order in which the statements appear in the document does not matter:

Default Deny: Every request starts out denied. If no policy attached to the user, group, or role (and no applicable resource-based policy) grants the action, the request is implicitly denied.

Explicit “Deny” Statements: IAM checks all applicable policies for a “Deny” statement that matches the action and resource. If one matches, the request is denied and evaluation stops. An explicit Deny cannot be overridden by any “Allow”, no matter where the Allow sits.

“Allow” Statements: Only if no explicit Deny matched does IAM look for an “Allow” statement that matches the action and resource. If one exists, the request is allowed; otherwise the implicit deny stands.

Caveat: an identity-based Allow alone is not sufficient when other policy types are in play. Service control policies (SCPs) from the organization, a permissions boundary on the principal, and any session policy must each also allow the action; if any of them does not, the request is denied.
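The three rules above, worked through in code. This is an added example and not AWS's own evaluation engine: it models identity-based policies only (no SCPs, permissions boundaries, resource or session policies, and no Condition blocks), and the policies in SAMPLE_POLICIES are constructed for the demonstration.

```python
"""Model of how IAM combines Allow and Deny statements.

Added example, not AWS code. It reproduces the documented order for
identity-based policies only (no SCPs, permissions boundaries, resource
policies, session policies or Condition blocks):
  1. default (implicit) deny
  2. an explicit Deny in any applicable statement wins, regardless of position
  3. otherwise any matching Allow grants the request
"""
import fnmatch


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _match_action(patterns, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _match_resource(patterns, resource):
    # Resource ARNs are matched case-sensitively, same wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource/NotResource cover the request."""
    if "NotAction" in stmt:
        action_ok = not _match_action(stmt["NotAction"], action)
    else:
        action_ok = _match_action(stmt.get("Action", []), action)
    if "NotResource" in stmt:
        resource_ok = not _match_resource(stmt["NotResource"], resource)
    else:
        resource_ok = _match_resource(stmt.get("Resource", []), resource)
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return (decision, reason) for one request against all attached policies.

    decision is "allow" or "deny"; reason names the deciding statement (Sid)
    or says that the deny was implicit.
    """
    allowed_by = None
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                # An explicit Deny ends evaluation: no Allow can override it.
                return "deny", "explicit Deny in statement " + stmt.get("Sid", "<no Sid>")
            if stmt.get("Effect") == "Allow" and allowed_by is None:
                allowed_by = stmt.get("Sid", "<no Sid>")
    if allowed_by is not None:
        return "allow", "Allow in statement " + allowed_by
    return "deny", "implicit deny (no statement allows this request)"


# Constructed sample: a broad Allow and a narrower Deny in the same policy,
# plus a second policy that denies reads on every bucket except one.
SAMPLE_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowAllS3", "Effect": "Allow",
             "Action": "s3:*", "Resource": "*"},
            {"Sid": "NeverDeleteBuckets", "Effect": "Deny",
             "Action": "s3:DeleteBucket", "Resource": "*"},
        ],
    },
    {
        "Version": "2012-10-17",
        "Statement": {
            "Sid": "OnlyProjectBucket", "Effect": "Deny",
            "Action": "s3:GetObject",
            "NotResource": "arn:aws:s3:::project-bucket/*",
        },
    },
]


if __name__ == "__main__":
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::project-bucket/readme.txt"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
        ("s3:DeleteBucket", "arn:aws:s3:::project-bucket"),
        ("ec2:StartInstances", "arn:aws:ec2:eu-central-1:123456789012:instance/i-0abc"),
    ]:
        print(f"{act:20} {res:60} -> {evaluate(SAMPLE_POLICIES, act, res)}")
```

Reversing the order of the policies or statements gives the same answers, which is the point: the Deny on s3:DeleteBucket wins even though the Allow on s3:* comes first, and the NotResource Deny blocks reads outside project-bucket although AllowAllS3 would permit them.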

How to manage single sign-on (SSO) across accounts?

To SSO into accounts with limited permissions, use the “IAM Identity Center”: https://console.aws.amazon.com/singlesignon/home

It is described here: https://aws.amazon.com/iam/identity-center/

This is what the management of the organization looks like.

I have struck through the entry URL which is used to SSO into the organization.

The URL looks like

https://myssoportal.awsapps.com/start

where you can pick the “myssoportal” subdomain freely, as long as nobody else is using it already.

Once the setup is done, trigger the login from the console: the portal lets you obtain credentials for the console via SSO, or temporary credentials for programmatic access.

SSO from the command line like this:

$ aws sso login --profile default

Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.eu-central-1.amazonaws.com/

Then enter the code:

ABCD-CPZB

Don't forget to log out, which removes the cached SSO token from the machine and invalidates the session:

$ aws sso logout
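What `aws sso logout` actually cleans up, as an added example that is not part of the AWS CLI: the CLI keeps the Identity Center access token as JSON files under ~/.aws/sso/cache/, and until logout (or expiry) anyone who can read such a file can mint temporary credentials for every account and role the portal grants. The script lists cached tokens with their remaining lifetime and file permissions. The file layout it assumes (keys startUrl, region, accessToken, expiresAt as UTC ISO-8601 with a trailing Z) is what the CLI was observed to write, not a documented API; the cache directory, file names and tokens below are constructed.

```python
"""Where `aws sso login` keeps the session and why `aws sso logout` matters.

Added example, not part of the AWS CLI. The cache layout (startUrl, region,
accessToken, expiresAt) is assumed from observed CLI v2 behaviour, and the
sample files written by build_sample_cache() are constructed.
"""
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
FIXED_NOW = datetime(2023, 10, 20, 12, 0, 0, tzinfo=timezone.utc)  # constructed "now"


def parse_expiry(value):
    """Parse an expiresAt string such as '2023-10-20T19:00:00Z' into an aware UTC datetime."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def inspect_cache(cache_dir, now=None):
    """Return one record per cached access token: origin, time left, file permissions."""
    now = now or datetime.now(timezone.utc)
    records = []
    for path in sorted(Path(cache_dir).glob("*.json")):
        data = json.loads(path.read_text())
        # The client-registration file (clientId/clientSecret) shares the directory; skip it.
        if "accessToken" not in data or "expiresAt" not in data:
            continue
        left = int((parse_expiry(data["expiresAt"]) - now).total_seconds())
        records.append({
            "file": path.name,
            "startUrl": data.get("startUrl"),
            "region": data.get("region"),
            "seconds_left": left,
            "expired": left <= 0,
            # A token file readable by group or others hands the session to other local users.
            "world_readable": bool(path.stat().st_mode & 0o044),
        })
    return records


def build_sample_cache(root, now):
    """Write a constructed cache directory under root (fake tokens, fixed timestamps)."""
    cache = Path(root) / ".aws" / "sso" / "cache"
    cache.mkdir(parents=True)
    token = {"startUrl": "https://myssoportal.awsapps.com/start", "region": "eu-central-1",
             "accessToken": "constructed-not-a-real-token"}
    files = {
        "fresh.json": dict(token, expiresAt=(now + timedelta(hours=7)).strftime(TIME_FMT)),
        "stale.json": dict(token, expiresAt=(now - timedelta(hours=1)).strftime(TIME_FMT)),
        "botocore-client-id-eu-central-1.json": {
            "clientId": "constructed", "clientSecret": "constructed",
            "expiresAt": (now + timedelta(days=90)).strftime(TIME_FMT)},
    }
    for name, body in files.items():
        (cache / name).write_text(json.dumps(body))
    os.chmod(cache / "fresh.json", 0o600)  # owner-only, as the CLI writes them
    os.chmod(cache / "stale.json", 0o644)  # deliberately too permissive, to show the check
    return cache


def demo():
    """Build the constructed cache in a temporary directory and inspect it at FIXED_NOW."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_cache(build_sample_cache(tmp, FIXED_NOW), now=FIXED_NOW)


if __name__ == "__main__":
    for rec in demo():
        state = "EXPIRED" if rec["expired"] else f"{rec['seconds_left'] // 60} min left"
        perm = " (world-readable!)" if rec["world_readable"] else ""
        print(f"{rec['file']}: {rec['startUrl']} [{rec['region']}] {state}{perm}")
```

Pointing inspect_cache() at the real ~/.aws/sso/cache shows whether a forgotten session is still live on a shared machine; an expired entry is harmless, a live one with loose permissions is the case logout exists for.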

Setting it up

As described in https://medium.com/@pushkarjoshi0410/how-to-set-up-aws-cli-with-aws-single-sign-on-sso-acf4dd88e056

To make Terraform work with the profile, the profile must not contain “sso_session = mysso”: at the time of writing the Terraform AWS provider only understood the legacy profile format, not the newer sso-session format, as stated in https://www.reddit.com/r/aws/comments/zk456d/new_aws_cli_and_sso_sessions_profiles_and_legacy/

Therefore leave “SSO session name” empty when the command below asks for it, even though the CLI recommends filling it in.

$ aws configure sso --profile default

SSO session name (Recommended):
WARNING: Configuring using legacy format (e.g. without an SSO session).
Consider re-running "configure sso" command and providing a session name.

SSO start URL [None]: https://myssoportal.awsapps.com/start
SSO region [None]: eu-central-1
Attempting to automatically open the SSO authorization page in your default browser.
If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

https://device.sso.us-east-1.amazonaws.com/

Then enter the code:

XXXX-XXXX

<select role>
Using the role name "HappyLegacyUser"
CLI default client Region [None]: <default region>
CLI default output format [None]: <default output>

To use this profile, specify the profile name using --profile, as shown:

aws s3 ls --profile default

The associated ~/.aws/config then looks like this. Note that it is in the legacy format, with the start URL and region inside the profile and no sso_session line, which is what the Terraform note above requires:

[default]
region = eu-central-1
sso_start_url = https://********.awsapps.com/start
sso_region = eu-central-1
sso_account_id = 36********63
sso_role_name = Admin-NoIAM-NoBilling
output = json

If a profile does contain sso_session = mysso, the CLI takes the start URL and region from a separate [sso-session mysso] section instead, and a tool that does not understand that format will fail to resolve credentials for the profile.
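A small lint for exactly this gotcha, as an added example that is neither AWS nor Terraform code: it reads an ~/.aws/config, tells each SSO profile's format apart, and flags a profile that mixes the two formats, points at a missing [sso-session] section, or lacks a required key. The config text in SAMPLE_CONFIG is constructed; the profile names, account ID and session name in it are invented for the demonstration.

```python
"""Lint ~/.aws/config for the two SSO profile formats.

Added example, not AWS or Terraform code. Two shapes exist:
  legacy:      [profile X] holds sso_start_url, sso_region, sso_account_id, sso_role_name
  sso-session: [profile X] holds sso_session = NAME, sso_account_id, sso_role_name, and a
               separate [sso-session NAME] holds sso_start_url, sso_region
Profiles that mix both, reference a missing session, or miss a key are reported.
"""
import configparser

LEGACY_KEYS = {"sso_start_url", "sso_region", "sso_account_id", "sso_role_name"}
SESSION_PROFILE_KEYS = {"sso_account_id", "sso_role_name"}
SESSION_SECTION_KEYS = {"sso_start_url", "sso_region"}


def lint_config(text):
    """Return {profile: {"format": "legacy" | "sso-session", "problems": [...]}} for SSO profiles."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    sessions = {s.split(" ", 1)[1]: set(cp[s]) for s in cp.sections() if s.startswith("sso-session ")}
    report = {}
    for section in cp.sections():
        if section.startswith("sso-session "):
            continue
        # The CLI names the default profile [default] and every other one [profile NAME].
        name = section[len("profile "):] if section.startswith("profile ") else section
        keys = set(cp[section])
        if not any(k.startswith("sso_") for k in keys):
            continue  # not an SSO profile (static keys, assume-role, ...)
        problems = []
        if "sso_session" in keys:
            fmt = "sso-session"
            sess = cp[section]["sso_session"]
            if sess not in sessions:
                problems.append(f"references [sso-session {sess}], which does not exist")
            else:
                for k in sorted(SESSION_SECTION_KEYS - sessions[sess]):
                    problems.append(f"[sso-session {sess}] is missing {k}")
            if keys & SESSION_SECTION_KEYS:
                problems.append("mixes legacy sso_start_url/sso_region with sso_session; keep one format")
            for k in sorted(SESSION_PROFILE_KEYS - keys):
                problems.append(f"missing {k}")
        else:
            fmt = "legacy"
            for k in sorted(LEGACY_KEYS - keys):
                problems.append(f"missing {k}")
        report[name] = {"format": fmt, "problems": problems}
    return report


def legacy_ready_profiles(report):
    """Clean legacy-format profiles, i.e. the ones a tool that does not know sso_session can use."""
    return sorted(n for n, r in report.items() if r["format"] == "legacy" and not r["problems"])


# Constructed config: one clean profile of each format, one mixed, one dangling,
# one incomplete legacy profile and one profile that does not use SSO at all.
SAMPLE_CONFIG = """
[default]
region = eu-central-1
sso_start_url = https://myssoportal.awsapps.com/start
sso_region = eu-central-1
sso_account_id = 123456789012
sso_role_name = Admin-NoIAM-NoBilling
output = json

[profile modern]
sso_session = mysso
sso_account_id = 123456789012
sso_role_name = Admin-NoIAM-NoBilling
region = eu-central-1

[sso-session mysso]
sso_start_url = https://myssoportal.awsapps.com/start
sso_region = eu-central-1
sso_registration_scopes = sso:account:access

[profile mixed]
sso_session = mysso
sso_start_url = https://myssoportal.awsapps.com/start
sso_region = eu-central-1
sso_account_id = 123456789012
sso_role_name = Admin-NoIAM-NoBilling

[profile dangling]
sso_session = nosuchsession
sso_account_id = 123456789012
sso_role_name = Admin-NoIAM-NoBilling

[profile incomplete]
sso_start_url = https://myssoportal.awsapps.com/start
sso_region = eu-central-1
sso_account_id = 123456789012

[profile plain]
region = eu-central-1
"""

if __name__ == "__main__":
    result = lint_config(SAMPLE_CONFIG)
    for name, entry in result.items():
        print(f"{name:12} {entry['format']:12} {'; '.join(entry['problems']) or 'ok'}")
    print("usable without sso_session support:", legacy_ready_profiles(result))
```

Run it against the real file with `lint_config(open(os.path.expanduser("~/.aws/config")).read())`; a profile that `aws sso login` accepts but Terraform rejects usually shows up here as sso-session format or as a mixed profile.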
cloud/aws/iam.1697802089.txt.gz · Last modified by skipidar