PiaklA

Reputation: 505

Getting AccessDeniedException from Lambda function when calling AWS SSO Permission set

Following is my Python code to add/update an inline policy for an AWS SSO permission set:

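import boto3

# Client creation was not shown in the original post
client = boto3.client('sso-admin')

# In the actual code the quotes are escaped; a triple-quoted string avoids that here
Inline_Policy = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}"""

# InlinePolicy must be a JSON string, not a dict
response = client.put_inline_policy_to_permission_set(
    InstanceArn='arn:aws:sso:::instance/ssoins-sssss',
    PermissionSetArn='arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss',
    InlinePolicy=Inline_Policy)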

I am getting the error:

"errorMessage": "An error occurred (AccessDeniedException) when calling the PutInlinePolicyToPermissionSet operation: User: arn:aws:sts::ddddddd:assumed-role/Modify_Permission_Set-role-ssss/Modify_Permission_Set is not authorized to perform: sso:PutInlinePolicyToPermissionSet on resource: arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss"

I tried adding the Admin policy for the Lambda role executing the function and I still get permission denied.

Is there a different way to handle SSO permission sets than regular IAM permissions?

Admin Policy attached to Lambda

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Upvotes: 1

Views: 992

Answers (2)

unacorn

Reputation: 1042

It is likely due to your region if you have ensured that the policy and permissions are correct.

Make sure you are defining the SSO client in the region where your SSO or Identity Center is activated,

e.g. for Python: sso = boto3.client('sso-admin', region_name='deployed_sso_region')

Upvotes: 1

Georgios Goniotakis

Reputation: 11

Have you checked if there is a Service Control Policy (SCP) denying access to SSO which applies to your account or Organizational Unit (OU) please? https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

Upvotes: 0
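
An added illustration of why the `"Action": "*"` policy on the Lambda role does not help if an SCP denies the call, which is what the answer above suggests checking. This is not code from the question or the answers: the deny SCP is constructed, and the evaluator is a simplified model that ignores Condition, NotAction, permission boundaries and per-level SCP inheritance.

```python
import re

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _matches(pattern, value, flags=0):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def _effects(policy, action, resource):
    """Set of Effects ('Allow'/'Deny') of the statements matching this request."""
    hits = set()
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive, resource ARNs are not
        act_ok = any(_matches(a, action, re.IGNORECASE) for a in _as_list(stmt["Action"]))
        res_ok = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            hits.add(stmt["Effect"])
    return hits

def evaluate(identity_policy, scps, action, resource):
    """Explicit Deny anywhere wins; otherwise both the identity policy and the
    SCPs (merged into one layer here, a simplification) must Allow."""
    identity = _effects(identity_policy, action, resource)
    # No SCPs means the account is outside an organization: nothing to filter
    scp = set().union(*(_effects(s, action, resource) for s in scps)) if scps else {"Allow"}
    if "Deny" in identity or "Deny" in scp:
        return "explicit deny"
    if "Allow" in identity and "Allow" in scp:
        return "allow"
    return "implicit deny"

def _policy(effect, action):
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": action, "Resource": "*"}]}

ADMIN_POLICY = _policy("Allow", "*")     # the policy attached to the Lambda role
FULL_AWS_ACCESS = _policy("Allow", "*")  # content of the default FullAWSAccess SCP
DENY_SSO_SCP = _policy("Deny", "sso:*")  # constructed SCP, assumed for illustration

ACTION = "sso:PutInlinePolicyToPermissionSet"
RESOURCE = "arn:aws:sso:::permissionSet/ssoins-sssss/ps-sssss"

if __name__ == "__main__":
    print(evaluate(ADMIN_POLICY, [FULL_AWS_ACCESS], ACTION, RESOURCE))
    print(evaluate(ADMIN_POLICY, [FULL_AWS_ACCESS, DENY_SSO_SCP], ACTION, RESOURCE))
```
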
