From 517a9c3ca7edf25db5a1b7efedbfefc9e3565bfa Mon Sep 17 00:00:00 2001 From: "c1-dev-bot[bot]" <2740113+c1-dev-bot[bot]@users.noreply.github.com> Date: Fri, 17 Jul 2026 13:18:21 +0000 Subject: [PATCH] Add missing SSO permission-set read permissions to AWS connector IAM policy Add sso:GetInlinePolicyForPermissionSet and sso:ListManagedPoliciesInPermissionSet to both IAM policy blocks (JSON and Terraform). These read-only actions are required when Identity Center is enabled to sync permission set policy composition, and their absence causes AccessDenied failures on sync. --- baton/aws.mdx | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/baton/aws.mdx b/baton/aws.mdx index f00bf9cf..ae6c9d5f 100644 --- a/baton/aws.mdx +++ b/baton/aws.mdx @@ -346,8 +346,10 @@ The permissions policy below is broken into several sections to align with these "identitystore:ListUsers", "organizations:ListAccounts", "sso:DescribePermissionSet", + "sso:GetInlinePolicyForPermissionSet", "sso:ListAccountAssignments", "sso:ListInstances", + "sso:ListManagedPoliciesInPermissionSet", "sso:ListPermissionSets", "sso:ListPermissionSetsProvisionedToAccount", "iam:GetUser", @@ -731,8 +733,10 @@ resource "aws_iam_role" "ConductorOneIntegration" { "identitystore:ListUsers", "organizations:ListAccounts", "sso:DescribePermissionSet", + "sso:GetInlinePolicyForPermissionSet", "sso:ListAccountAssignments", "sso:ListInstances", + "sso:ListManagedPoliciesInPermissionSet", "sso:ListPermissionSets", "sso:ListPermissionSetsProvisionedToAccount" ],