The AWS CLI error

    An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access

means that the SSO login itself succeeded, but the IAM Identity Center access portal refused to issue credentials for the account and role named in your profile. It is likely to happen when:
- the sso_start_url in your AWS CLI profile config is incorrect, so you signed in to the wrong access portal;
- the sso_role_name in your AWS CLI profile config no longer matches a permission set that is assigned to your user in that AWS account, because the permission set was changed or renamed in your profile config or on the AWS account side.
To fix the error in your AWS CLI, first verify that the profile configuration is still correct. Open your ~/.aws/config file and make sure the following SSO attributes are present in the profile (the values below are placeholders):

    [profile example-account-sso]
    sso_start_url=https://d-342987543pr.awsapps.com/start
    sso_region=eu-west-1
    sso_account_id=123456789012
    sso_role_name=AdministratorAccess
    region=eu-west-1
Log in to the AWS Console with an IAM user or role that has permission to view IAM Identity Center in the account (fall back to the root user only if no such identity exists; root should not be used for routine work).
Next, open IAM Identity Center (formerly known as AWS Single Sign-On (SSO)) in the AWS Console, go to Settings, and verify that the AWS access portal URL matches the sso_start_url in your AWS profile config. While you are there, confirm that the region IAM Identity Center is enabled in matches sso_region; the portal only lives in one region.
The last thing to verify is that the permission set assigned to the SSO user matches the sso_role_name in your AWS profile config. Note that sso_role_name is the name of the permission set, not the name of the AWSReservedSSO_* IAM role the permission set creates in the account.
You can check this under Multi-account permissions > AWS accounts in IAM Identity Center in the AWS Console: select the account whose ID is in sso_account_id and look at the permission sets assigned to the user (or the group) you use to sign in to the SSO portal.
Once you have validated and adjusted the profile in your ~/.aws/config file, log in and authenticate again from the terminal with:

    aws sso login --profile <profile_name>
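The manual checks above (profile attributes, access portal URL, permission set name) can be done from the terminal in one go. The script below is an added example, not code from the original post: it reads the SSO attributes out of the profile, re-runs `aws sso login`, then asks the portal which permission sets the signed-in user actually holds in sso_account_id and compares that list with sso_role_name. It assumes the legacy sso_start_url/sso_region profile layout shown above (not an [sso-session] block), that AWS CLI v2 is on PATH, and that the CLI stores its SSO token as single-line JSON files under ~/.aws/sso/cache/ containing "startUrl" and "accessToken" fields; the helper names (profile_value, role_granted, check_profile) are mine.

```shell
#!/bin/sh
# Added example (not from the original post): verify an AWS CLI SSO profile
# against what IAM Identity Center actually grants, before retrying the
# command that raised "ForbiddenException ... GetRoleCredentials: No access".
#
# Assumptions (not taken from the post): legacy sso_start_url/sso_region
# profile keys, AWS CLI v2 on PATH, and a token cache of single-line JSON
# files under ~/.aws/sso/cache/ with "startUrl" and "accessToken" fields.
set -e

# profile_value CONFIG PROFILE KEY: print KEY from [profile PROFILE]
# (or [default]); "key=value" and "key = value" are both accepted.
profile_value() {
  cfg=$1; profile=$2; key=$3
  if [ "$profile" = default ]; then section=default; else section="profile $profile"; fi
  awk -v section="$section" -v key="$key" '
    /^[[:space:]]*\[/ {
      s = $0
      sub(/^[[:space:]]*\[[[:space:]]*/, "", s)
      sub(/[[:space:]]*\].*$/, "", s)
      insec = (s == section)
      next
    }
    insec && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$cfg"
}

# role_granted NAME: read permission-set names from stdin, one per line;
# succeed only if NAME is among them (exact, case-sensitive match).
role_granted() {
  want=$1
  while IFS= read -r got; do
    [ "$got" = "$want" ] && return 0
  done
  return 1
}

# check_profile PROFILE: re-login, list the permission sets granted in
# sso_account_id, and compare them with sso_role_name.
check_profile() {
  profile=$1
  cfg=${AWS_CONFIG_FILE:-$HOME/.aws/config}
  start_url=$(profile_value "$cfg" "$profile" sso_start_url)
  sso_region=$(profile_value "$cfg" "$profile" sso_region)
  account=$(profile_value "$cfg" "$profile" sso_account_id)
  role=$(profile_value "$cfg" "$profile" sso_role_name)
  if [ -z "$start_url" ] || [ -z "$sso_region" ] || [ -z "$account" ] || [ -z "$role" ]; then
    echo "profile $profile: sso_start_url, sso_region, sso_account_id and sso_role_name are all required" >&2
    return 1
  fi

  aws sso login --profile "$profile"

  # Pick the cached token that was issued for this start URL (assumed cache layout).
  cache=$(grep -l "\"startUrl\": *\"$start_url\"" "$HOME"/.aws/sso/cache/*.json 2>/dev/null | head -n 1 || true)
  if [ -z "$cache" ]; then
    echo "no cached SSO token for $start_url: is sso_start_url correct?" >&2
    return 1
  fi
  token=$(sed -n 's/.*"accessToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$cache" | head -n 1)

  # Ask the portal which permission sets this user holds in the account.
  # sso_role_name must be one of these names (the permission set name,
  # not the AWSReservedSSO_* IAM role the permission set creates).
  granted=$(aws sso list-account-roles --region "$sso_region" --account-id "$account" \
              --access-token "$token" --query 'roleList[].roleName' --output text | tr '\t' '\n')

  if printf '%s\n' "$granted" | role_granted "$role"; then
    echo "ok: permission set $role is assigned to you in account $account"
    aws sts get-caller-identity --profile "$profile"
  else
    echo "sso_role_name=$role is not assigned to you in account $account." >&2
    echo "Permission sets the portal reports for this account:" >&2
    printf '  %s\n' $granted >&2
    return 1
  fi
}

# Usage: sh check-sso-profile.sh example-account-sso
if [ $# -gt 0 ]; then
  check_profile "$1"
fi
```

If list-account-roles itself fails with an access error, the account in sso_account_id is not assigned to you at all, which points at sso_account_id (or the wrong portal) rather than at sso_role_name. After correcting the profile, run `aws sso logout` before logging in again so that a token cached for the old start URL is not reused.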
If you need guidance on setting up AWS SSO correctly on your local machine and using it effectively with the AWS CLI, I recommend reading this guide I wrote.