too many roles in AWS resulting in SAML error?

Liam Hoekenga liamr at
Tue Feb 18 10:20:16 EST 2020

One of the members of our cloud services team is in groups that grant 270+
roles in AWS.
He has access if he is in <= 272 groups.

Once he hits 273, when he tries to access the AWS web console, AWS throws
up an error message stating that the SAML response from our IDP is
invalid. He can, however, continue to obtain credentials using awscli-login.

Our IDP isn't throwing any errors. The SAML response we're sending to them
looks fine to me.

He said he's spoken to an architect at AWS who says there is no limit to
the number of roles we can assert.

Anyone run into this before?
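A small diagnostic for the situation described above, added here as an example and not part of the original post: it decodes a base64 SAMLResponse, counts the values of the AWS Role attribute, and reports the encoded size, so the response that fails at 273 roles can be compared side by side with the one that works at 272. The account id, role names and IdP name are constructed placeholders; `build_sample_response` fabricates an unsigned assertion purely to have something to parse offline.

```python
import base64
from xml.etree import ElementTree as ET

# SAML 2.0 namespaces and the attribute name AWS reads role pairs from.
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
           "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"


def build_sample_response(n_roles, account="123456789012"):
    """Constructed, unsigned SAML response carrying n_roles AWS role pairs.
    Account id, role names and provider name are placeholders, not real."""
    values = "".join(
        f"<saml:AttributeValue>arn:aws:iam::{account}:role/team-role-{i:03d},"
        f"arn:aws:iam::{account}:saml-provider/example-idp</saml:AttributeValue>"
        for i in range(n_roles))
    xml = (f'<samlp:Response xmlns:samlp="{SAML_NS["samlp"]}" '
           f'xmlns:saml="{SAML_NS["saml"]}">'
           f"<saml:Assertion><saml:AttributeStatement>"
           f'<saml:Attribute Name="{AWS_ROLE_ATTR}">{values}</saml:Attribute>'
           f"</saml:AttributeStatement></saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


def inspect_roles(saml_response_b64):
    """Return (role_pairs, encoded_size): every 'role-arn,provider-arn' value
    asserted under the AWS Role attribute, and the length of the base64
    SAMLResponse as the browser would POST it to the AWS sign-in endpoint."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text:
                pairs.append(value.text.strip())
    return pairs, len(saml_response_b64)


if __name__ == "__main__":
    # Compare the last working count with the first failing one from the post.
    for n in (272, 273):
        pairs, size = inspect_roles(build_sample_response(n))
        print(f"{n} groups -> {len(pairs)} role pairs, {size} base64 bytes")
```

Point `inspect_roles` at a real SAMLResponse captured from the browser's POST to AWS (after confirming the signature and audience look right) to see whether the role count and size actually change at the failing threshold.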