[The following question has been translated.] I am having a problem with users accessing the AWS console through Identity Center (SSO). I assigned a specific user to the account from the Identity Center page. When the user signs in to the SSO portal they can see the account, but when they click the "Management console" link for their permission set (Network Administrator), they get an error saying they do not have access / 403.
I checked the CloudTrail logs and found that the request ID returns a "Forbidden" error.
Am I missing something in the Identity Center setup?
This is the error from CloudTrail:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "Unknown",
    "principalId": "example.com//S-1-5-21-XXX-XXX-XXX-XXX",
    "accountId": "111111111111",
    "userName": "user1@example.com"
  },
  "eventTime": "1969-12-10T11:18:05Z",
  "eventSource": "sso.amazonaws.com",
  "eventName": "Federate",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "111.111.111.111",
  "errorCode": "403",
  "errorMessage": "Forbidden",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "1630XXXX-XXX-XXXX-XXXX-XXXXXXXX",
  "eventID": "XXXXX-2359-XXXX-8ebe-XXXXX",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "managementEvent": true,
  "recipientAccountId": "111111111111",
  "serviceEventDetails": {
    "role_name": "NetworkAdministrator",
    "account_id": "222222222222"
  },
  "eventCategory": "Management"
}
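Treating the CloudTrail event above as a triage task: an added Python example (not code from the original post or from AWS) that scans CloudTrail records for `sso.amazonaws.com` `Federate` events that carry an `errorCode`, and groups them by user, permission-set role name and target account so repeated retries of one failing assignment collapse into a single line. The sample records are constructed with placeholder IDs modelled on the event in the question.

```python
from collections import Counter

# Constructed sample records (placeholder IDs, not real accounts or principals),
# modelled on the failing Federate event in the question.
SAMPLE_RECORDS = [
    {  # the console launch that failed with 403 Forbidden
        "eventSource": "sso.amazonaws.com", "eventName": "Federate",
        "errorCode": "403", "errorMessage": "Forbidden",
        "userIdentity": {"type": "Unknown", "userName": "user1@example.com",
                         "accountId": "111111111111"},
        "serviceEventDetails": {"role_name": "NetworkAdministrator",
                                "account_id": "222222222222"},
    },
    {  # a successful federation for comparison: no errorCode field
        "eventSource": "sso.amazonaws.com", "eventName": "Federate",
        "userIdentity": {"type": "Unknown", "userName": "user2@example.com",
                         "accountId": "111111111111"},
        "serviceEventDetails": {"role_name": "ReadOnly",
                                "account_id": "222222222222"},
    },
    {  # unrelated denied API call that must be ignored
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "errorCode": "AccessDenied", "userIdentity": {"type": "AssumedRole"},
    },
]


def failed_federations(records):
    """Count failed Identity Center console federations.

    Returns {(user, role_name, target_account, errorCode): occurrences}.
    Only sso.amazonaws.com Federate events with an errorCode are counted;
    missing fields are reported as "<unknown>" rather than raising.
    """
    hits = Counter()
    for rec in records:
        if rec.get("eventSource") != "sso.amazonaws.com":
            continue
        if rec.get("eventName") != "Federate" or "errorCode" not in rec:
            continue
        details = rec.get("serviceEventDetails") or {}
        key = (rec.get("userIdentity", {}).get("userName", "<unknown>"),
               details.get("role_name", "<unknown>"),
               details.get("account_id", "<unknown>"),
               str(rec["errorCode"]))
        hits[key] += 1
    return dict(hits)


if __name__ == "__main__":
    for (user, role, acct, code), n in failed_federations(SAMPLE_RECORDS).items():
        print(f"{user}: {role} in account {acct} failed with {code} ({n}x)")
```

On a real export, feed the list under the `Records` key of each CloudTrail log file to `failed_federations`; the grouped output shows which user, permission set and target account combination is being refused.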