Summary
CreateLakeFormationIdentityCenterConfiguration fails with AccessDeniedException when the AWS IAM Identity Center (IdC) instance lives in a different AWS account than the data platform (typical in Control Tower / AWS Organizations deployments).
Affected Component
packages/constructs/L3/governance/lakeformation-settings-l3-construct/lib/lakeformation-settings-l3-construct.ts
Error
AccessDeniedException: User: arn:aws:sts::<account>:assumed-role/<lambda-role>/<lambda-role> is not authorized to perform: sso:PutApplicationAssignmentConfiguration on resource: arn:aws:sso::*:application/<sso-instance-id>/* because no identity-based policy allows the sso:PutApplicationAssignmentConfiguration action (Service: SsoAdmin, Status Code: 400)
The error is surfaced as a CloudFormation custom resource failure, causing the lakeformation-settings stack to roll back with ROLLBACK_COMPLETE.
Root Cause
The Lambda execution role's IAM policy scopes sso:PutApplicationAssignmentConfiguration to the SSO application ARN using the CDK this.account token:
// BEFORE (broken)
arn:${this.partition}:sso::${this.account}:application/${this.props.iamIdentityCenter.instanceId}/*
this.account resolves to the data platform account (the account where the CDK stack is deployed). However, AWS IAM Identity Center is an organisation-level service. When LakeFormation internally calls sso:PutApplicationAssignmentConfiguration during
CreateLakeFormationIdentityCenterConfiguration, the SSO application ARN carries the IdC management account (the AWS Control Tower management account or the delegated SSO admin account), not the data platform account.
IAM evaluates the policy against the actual resource ARN and denies the call because the account segments do not match.
Proposed Fix
Replace ${this.account} with * in the resource ARN:
// AFTER (fixed)
arn:${this.partition}:sso::*:application/${this.props.iamIdentityCenter.instanceId}/*
The wildcard covers both same-account and cross-account IdC deployments. The action scope is still constrained to the specific SSO instance ID, so the policy remains appropriately scoped.
File: packages/constructs/L3/governance/lakeformation-settings-l3-construct/lib/lakeformation-settings-l3-construct.ts
Line: resource ARN inside manageSsoAppPolicyStatement in createIdcConfig()
Impact
- Severity: Blocker —
lakeformation-settings stack cannot be created in any Control Tower
or AWS Organizations environment where the IdC instance lives outside the data platform account.
- Introduced: v1.5.0 (
iamIdentityCenter feature)
- Scope: Any deployment with
iamIdentityCenter configured in lakeformation-settings.yaml
Verification
After applying the fix, re-synthesize and redeploy the lakeformation-settings module.
The IAM policy on the Lambda execution role should show:
"Resource": [
"arn:aws:sso:::instance/<sso-instance-id>",
"arn:aws:sso::*:application/<sso-instance-id>/*",
"arn:aws:sso::aws:applicationProvider/*"
]
CreateLakeFormationIdentityCenterConfiguration should succeed and the stack should reach CREATE_COMPLETE.
Summary
CreateLakeFormationIdentityCenterConfigurationfails withAccessDeniedExceptionwhen the AWS IAM Identity Center (IdC) instance lives in a different AWS account than the data platform (typical in Control Tower / AWS Organizations deployments).Affected Component
packages/constructs/L3/governance/lakeformation-settings-l3-construct/lib/lakeformation-settings-l3-construct.tsError
The error is surfaced as a CloudFormation custom resource failure, causing the
lakeformation-settingsstack to roll back withROLLBACK_COMPLETE.Root Cause
The Lambda execution role's IAM policy scopes
sso:PutApplicationAssignmentConfigurationto the SSO application ARN using the CDKthis.accounttoken:this.accountresolves to the data platform account (the account where the CDK stack is deployed). However, AWS IAM Identity Center is an organisation-level service. When LakeFormation internally callssso:PutApplicationAssignmentConfigurationduringCreateLakeFormationIdentityCenterConfiguration, the SSO application ARN carries the IdC management account (the AWS Control Tower management account or the delegated SSO admin account), not the data platform account.IAM evaluates the policy against the actual resource ARN and denies the call because the account segments do not match.
Proposed Fix
Replace
${this.account}with*in the resource ARN:The wildcard covers both same-account and cross-account IdC deployments. The action scope is still constrained to the specific SSO instance ID, so the policy remains appropriately scoped.
File:
packages/constructs/L3/governance/lakeformation-settings-l3-construct/lib/lakeformation-settings-l3-construct.tsLine: resource ARN inside
manageSsoAppPolicyStatementincreateIdcConfig()Impact
lakeformation-settingsstack cannot be created in any Control Toweror AWS Organizations environment where the IdC instance lives outside the data platform account.
iamIdentityCenterfeature)iamIdentityCenterconfigured inlakeformation-settings.yamlVerification
After applying the fix, re-synthesize and redeploy the
lakeformation-settingsmodule.The IAM policy on the Lambda execution role should show:
CreateLakeFormationIdentityCenterConfigurationshould succeed and the stack should reachCREATE_COMPLETE.