You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Deploying a spoke DataOps project fails on the monitor-cr-project-membership
resource (AWS::DataZone::ProjectMembership) with CreateProjectMembership ... User is not permitted to perform operation
(AccessDenied, HTTP 403).
Note
The same configuration deployed successfully ~2 weeks ago (late May 2026) on
MDAA 1.5.0. It now fails, and the relevant MDAA code is unchanged in between
(see Notes) — so this may be an AWS SMUS / DataZone service-side behavior
change rather than an MDAA defect. Filing here so MDAA can track and adapt to
the new service behavior.
Deployment log (excerpt)
CREATE_FAILED | AWS::DataZone::ProjectMembership | constructsagemaker...membership399EEAD8
Resource handler returned message: "User is not permitted to perform operation:
CreateProjectMembership (Service: DataZone, Status Code: 403, Request ID:
6886c7c7-6798-400c-a617-c742d244a1d8) (SDK Attempt Count: 1)"
(RequestToken: 1f6c988a-7713-735a-d17a-26dae207bb52, HandlerErrorCode: AccessDenied)
❌ failed: DeploymentError: Resource updates failed:
└─
└─ construct
└─ sagemaker
└─ project-dataops
└─ monitor-cr-project-membership
(AWS::DataZone::ProjectMembership
constructsagemakerprojectdataopsmonitorcrprojectmembership399EEAD8)
🛑 Resource handler returned message: "User is not permitted to perform
operation: CreateProjectMembership (Service: DataZone, Status Code: 403,
Request ID: 6886c7c7-6798-400c-a617-c742d244a1d8) (SDK Attempt Count: 1)"
(RequestToken: 1f6c988a-7713-735a-d17a-26dae207bb52,
HandlerErrorCode: AccessDenied)
Environment
DataZone / SageMaker Unified Studio domain: V2, identity mode IAM Identity Center (SSO), userAssignment: MANUAL.
Previously working: MDAA 1.5.0 (~2 weeks ago). Now failing.
What we observed
The project is created by the CDK cfn-exec role, which is auto-added as
the project owner at creation. That role remains a valid member.
Adding any additional IAM role (e.g. the project's custom-resource role)
as a member now fails — for bothPROJECT_OWNER and PROJECT_CONTRIBUTOR.
The additional role's DataZone user profile is in ASSIGNED status
(the creating cfn-exec role's profile is ACTIVATED), and it cannot be moved ASSIGNED -> ACTIVATED via update-user-profile
(ValidationException: invalid status update).
MDAA's check_user_profiles Lambda ("UserProfileManager" custom resource)
only calls get_user_profile — it does not create or activate the profile —
and the spoke stack contains no native AWS::DataZone::UserProfile resource.
Impact
In a MANUAL/IdC domain, the project deploy can no longer add its
custom-resource role (or other IAM roles) to the project, so the deploy fails at
the membership step every time.
Expected / requested
Confirm whether SMUS / DataZone changed the rules for adding IAM-role members
to projects (esp. members whose user profile is in ASSIGNED status).
Update MDAA to follow the current SMUS behavior — e.g. ensure additional
IAM-role members have an ACTIVATED user profile before creating the
membership, rather than only checking that the profile exists.
Notes
project.ts (the membership step) and the check_user_profiles Lambda are unchanged between MDAA v1.5.0 and v1.6.0, which points away from an MDAA
code regression and toward a service-side change in the ~2-week window.
Summary
Deploying a spoke DataOps project fails on the
monitor-cr-project-membershipresource (
AWS::DataZone::ProjectMembership) withCreateProjectMembership ... User is not permitted to perform operation(AccessDenied, HTTP 403).
Note
The same configuration deployed successfully ~2 weeks ago (late May 2026) on
MDAA 1.5.0. It now fails, and the relevant MDAA code is unchanged in between
(see Notes) — so this may be an AWS SMUS / DataZone service-side behavior
change rather than an MDAA defect. Filing here so MDAA can track and adapt to
the new service behavior.
Deployment log (excerpt)
CREATE_FAILED | AWS::DataZone::ProjectMembership | constructsagemaker...membership399EEAD8
Resource handler returned message: "User is not permitted to perform operation:
CreateProjectMembership (Service: DataZone, Status Code: 403, Request ID:
6886c7c7-6798-400c-a617-c742d244a1d8) (SDK Attempt Count: 1)"
(RequestToken: 1f6c988a-7713-735a-d17a-26dae207bb52, HandlerErrorCode: AccessDenied)
❌ failed: DeploymentError: Resource updates failed:
└─
└─ construct
└─ sagemaker
└─ project-dataops
└─ monitor-cr-project-membership
(AWS::DataZone::ProjectMembership
constructsagemakerprojectdataopsmonitorcrprojectmembership399EEAD8)
🛑 Resource handler returned message: "User is not permitted to perform
operation: CreateProjectMembership (Service: DataZone, Status Code: 403,
Request ID: 6886c7c7-6798-400c-a617-c742d244a1d8) (SDK Attempt Count: 1)"
(RequestToken: 1f6c988a-7713-735a-d17a-26dae207bb52,
HandlerErrorCode: AccessDenied)
Environment
IAM Identity Center (SSO),
userAssignment: MANUAL.What we observed
the project owner at creation. That role remains a valid member.
as a member now fails — for both
PROJECT_OWNERandPROJECT_CONTRIBUTOR.ASSIGNEDstatus(the creating cfn-exec role's profile is
ACTIVATED), and it cannot be movedASSIGNED -> ACTIVATEDviaupdate-user-profile(
ValidationException: invalid status update).check_user_profilesLambda ("UserProfileManager" custom resource)only calls
get_user_profile— it does not create or activate the profile —and the spoke stack contains no native
AWS::DataZone::UserProfileresource.Impact
In a
MANUAL/IdC domain, the project deploy can no longer add itscustom-resource role (or other IAM roles) to the project, so the deploy fails at
the membership step every time.
Expected / requested
to projects (esp. members whose user profile is in
ASSIGNEDstatus).IAM-role members have an
ACTIVATEDuser profile before creating themembership, rather than only checking that the profile exists.
Notes
project.ts(the membership step) and thecheck_user_profilesLambda areunchanged between MDAA v1.5.0 and v1.6.0, which points away from an MDAA
code regression and toward a service-side change in the ~2-week window.