Solved: (ForbiddenException) when calling the GetRoleCredentials operation in AWS SSO


The error "An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access" most likely has one of the following causes:

  1. The sso_start_url in your AWS CLI profile config is incorrect.
  2. The sso_role_name has been changed or updated in your AWS CLI profile config or on your AWS account.

To fix the error, verify that the profile configuration is still correct. Check the ~/.aws/config file and make sure the following SSO attributes are present in the profile:

[profile example-account-sso]
sso_start_url=https://d-342987543pr.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=AdministratorAccess
region=eu-west-1

Log in to the AWS Console via the root user or an IAM user that has permission to access the AWS account.

Next, visit the IAM Identity Center settings (formerly known as AWS Single Sign-On (SSO)) in the AWS Console and verify that the AWS access portal URL matches the sso_start_url in your AWS CLI profile config:

IAM Identity Center settings in the AWS Console

The last thing to verify is that the permission set of the SSO user matches the sso_role_name in your AWS CLI profile config.

You can check this in the multi-account permissions section of IAM Identity Center in the AWS Console, by looking at the permission sets assigned to the user that you use to sign in to the SSO portal.

IAM Identity Center account permission settings in the AWS Console

Once you have validated and adjusted the profile in your ~/.aws/config file, log in and authenticate again from the terminal using the command:

aws sso login --profile <profile_name>
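
The checks described above can be scripted before retrying the login. This Python sketch is an added example, not code from the original post or from AWS: the function name check_sso_profile, the "stale" profile and the d-0000000000 URL are constructed for illustration, and the portal URL and permission set names are assumed to be copied by hand from the IAM Identity Center console. It goes slightly beyond the profile shown on this page by also resolving the shared [sso-session NAME] block that newer AWS CLI configs use.

```python
import configparser
import re

REQUIRED = ("sso_start_url", "sso_region", "sso_account_id", "sso_role_name")
# Constructed sample: the page's profile plus a hypothetical stale one.
SAMPLE = """
[profile example-account-sso]
sso_start_url=https://d-342987543pr.awsapps.com/start
sso_region=eu-west-1
sso_account_id=123456789012
sso_role_name=AdministratorAccess
region=eu-west-1

[profile stale]
sso_session=corp
sso_account_id=12345
sso_role_name=ReadOnly

[sso-session corp]
sso_start_url=https://d-0000000000.awsapps.com/start
sso_region=eu-west-1
"""

def check_sso_profile(config_text, profile, portal_url, permission_sets):
    """Return a list of problems found in one AWS CLI profile.
    portal_url and permission_sets are copied by hand from the IAM Identity
    Center pages in the console; nothing is fetched from AWS here.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cfg.has_section(section):
        return [f"no [{section}] section"]
    values = dict(cfg[section])
    # Newer configs keep the URL and region in a shared [sso-session NAME] block.
    session = f"sso-session {values.get('sso_session', '')}"
    if cfg.has_section(session):
        values = {**cfg[session], **values}
    problems = [f"missing {k}" for k in REQUIRED if not values.get(k, "").strip()]
    url = values.get("sso_start_url", "").strip().rstrip("/")
    if url and url != portal_url.strip().rstrip("/"):
        problems.append(f"sso_start_url {url!r} does not match the portal URL")
    role = values.get("sso_role_name", "").strip()
    if role and role not in permission_sets:
        problems.append(f"sso_role_name {role!r} is not an assigned permission set")
    account = values.get("sso_account_id", "").strip()
    if account and not re.fullmatch(r"\d{12}", account):
        problems.append(f"sso_account_id {account!r} is not a 12-digit account ID")
    return problems
```

An empty list means the profile agrees with what the console shows; the role name comparison is exact, so a renamed permission set is reported.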

If you need guidance on setting up AWS SSO correctly on your local machine and using it effectively with the AWS CLI, I recommend reading this guide I wrote.




Danny Steenman

A Senior AWS Cloud Engineer with over 9 years of experience migrating workloads from on-premises to AWS Cloud.
