You’ve just created a permission set in AWS IAM Identity Center. You assigned it to a user for a specific account. But when the user checks their Access Portal, the account doesn’t appear. Or worse—they can see the account, but when they try to assume the role, they get a permission denied error. In this post, I’ll walk through exactly what causes this and how to fix it.

The Problem

A permission set was created in IAM Identity Center and assigned to a user for a specific account, but the account doesn’t appear in the user’s Access Portal, or the permission set isn’t listed when the user accesses the account.

The error you might see in CloudTrail:

User: arn:aws:iam::123456789012:user/sso-user
Error Code: AccessDenied
Error Message: User is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/aws-reserved/sso/permission-set-arn

Or in the Access Portal: no accounts visible despite assignment existing in the IAM Identity Center console.

Symptom                                                | Likely cause
-------------------------------------------------------|---------------------------------------------------
Permission set created but account missing from portal | Permission set not provisioned to target account
Assignment created but account doesn't appear          | Provisioning failed silently or in progress
User in wrong group or group not assigned              | User is not in the assigned group
Region confusion                                       | IAM Identity Center operates from home region only
Delay before accounts appear                           | Provisioning in progress (1-3 minutes typical)

Why Does This Happen?

  • Permission set created but not provisioned: When you create a permission set and assign it to an account via a group or user assignment, the permission set must be explicitly provisioned to that account. Assignment alone doesn’t trigger provisioning.

  • Provisioning fails silently: If the target account has been removed from the organization or is in a suspended state, provisioning fails without a clear error message in the console.

  • User not in the correct group: The permission set is assigned to a group, but the user is not a member of that group. When groups are synced from an external identity provider, the SCIM sync must complete before the group membership becomes effective.

  • IAM Identity Center region mismatch: IAM Identity Center operates only from your designated home region. If you created assignments in a different region, they won’t take effect.

  • Provisioning still in progress: Permission set provisioning to an account can take 1-3 minutes. If you check immediately after creating an assignment, it may not appear yet.

The Fix

Navigate to IAM Identity Center > AWS accounts. Select the target account. Go to the Permission sets tab. Verify that the permission set is both assigned AND provisioned (these are two different states).

Use the CLI to verify provisioning status:

aws sso-admin list-permission-sets-provisioned-to-account \
  --instance-arn arn:aws:sso:::instance/ssoins-7223a5d90eexample \
  --account-id 123456789012 \
  --region us-east-1

If the permission set is assigned but not in the provisioned list, manually provision it:

aws sso-admin provision-permission-set \
  --instance-arn arn:aws:sso:::instance/ssoins-7223a5d90eexample \
  --permission-set-arn arn:aws:sso:::permissionSet/ssoins-7223a5d90eexample/ps-a1b2c3d4e5f6g7h8 \
  --target-id 123456789012 \
  --target-type AWS_ACCOUNT \
  --region us-east-1

How to Run This

  1. Get your IAM Identity Center instance ARN: aws sso-admin list-instances --region us-east-1

  2. List all permission sets and their ARNs: aws sso-admin list-permission-sets --instance-arn arn:... --region us-east-1

  3. Find the specific permission set ARN you need to provision

  4. Run the provision-permission-set command above with your values

  5. Wait 2-3 minutes for provisioning to complete

  6. Verify: aws sso-admin list-permission-sets-provisioned-to-account --instance-arn arn:... --account-id 123456789012

  7. Ask the user to log out and back into their Access Portal to refresh the account list
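The check-then-provision flow from the steps above, written as one script (an added example, not code from the original post). It assumes the AWS CLI v2 is configured with sso-admin permissions and takes the instance ARN, account ID and permission set ARN as arguments; unlike a one-shot provision call it polls the provisioning request, so a request that fails reports its FailureReason instead of looking like a delay.

```shell
# Added example (not from the original post): check whether a permission set
# is provisioned to an account, provision it if missing, then poll the request
# until it settles so a silent failure is reported instead of assumed away.
# Assumes AWS CLI v2 with sso-admin permissions; ARNs and account ID are args.
set -eu

# Returns 0 when the permission set ARN ($2) appears in the JSON ($1) returned
# by list-permission-sets-provisioned-to-account, 1 otherwise.
is_provisioned() {
  printf '%s\n' "$1" | grep -Fq "\"$2\""
}
# Maps a provisioning Status value to ok / failed / pending.
classify_status() {
  case "$1" in
    SUCCEEDED) echo ok ;;
    FAILED)    echo failed ;;
    *)         echo pending ;;
  esac
}
ensure_provisioned() {
  instance_arn="$1"; account_id="$2"; ps_arn="$3"; region="${4:-us-east-1}"
  listed=$(aws sso-admin list-permission-sets-provisioned-to-account \
    --instance-arn "$instance_arn" --account-id "$account_id" --region "$region")
  if is_provisioned "$listed" "$ps_arn"; then
    echo "already provisioned to $account_id"; return 0
  fi
  request_id=$(aws sso-admin provision-permission-set \
    --instance-arn "$instance_arn" --permission-set-arn "$ps_arn" \
    --target-id "$account_id" --target-type AWS_ACCOUNT --region "$region" \
    --query 'PermissionSetProvisioningStatus.RequestId' --output text)
  # Poll every 10 s for up to 5 minutes; provisioning usually takes 1-3 minutes.
  tries=0
  while [ "$tries" -lt 30 ]; do
    set -- $(aws sso-admin describe-permission-set-provisioning-status \
      --instance-arn "$instance_arn" --region "$region" \
      --provision-permission-set-request-id "$request_id" \
      --query 'PermissionSetProvisioningStatus.[Status,FailureReason]' --output text)
    status="$1"; shift; reason="$*"
    case "$(classify_status "$status")" in
      ok)     echo "provisioned to $account_id (request $request_id)"; return 0 ;;
      failed) echo "provisioning failed: $reason" >&2; return 1 ;;
    esac
    tries=$((tries + 1)); sleep 10
  done
  echo "timed out waiting on request $request_id" >&2; return 1
}

# Usage: sh check_provisioning.sh <instance-arn> <account-id> <permission-set-arn> [region]
if [ "$#" -ge 3 ]; then ensure_provisioned "$@"; fi
```

Run it with the instance ARN from step 1 and the permission set ARN from step 2; a non-zero exit means the request failed or did not finish within five minutes.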

Is This Safe?

Yes. Provisioning a permission set to an account is a standard operation and doesn’t modify any data or configurations in the target account. It only ensures that the SSO role is available for assumption.

Key Takeaway

Permission sets in AWS IAM Identity Center require two separate actions: assignment (linking the permission set to a user or group) and provisioning (making the permission set available in the target account). Always verify both states when troubleshooting access issues.


Have questions or ran into a different SSO issue? Connect with me on LinkedIn or X.