The solution is this: add your SSO role as IAM or Assumed Role with a wildcard to match all users in that role: AWSReservedSSO_myname_randomstring/*.
The caveat is that the approval rule is not re-evaluated after updating the rule, so you need to delete and recreate the pull request.
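An added example, not part of the original answer: it derives the wildcard pool member from one SSO session ARN (as reported by `aws sts get-caller-identity`) and builds the matching rule content. It assumes the rule is an AWS CodeCommit approval rule; the account ID and session names are constructed placeholders, the function names are hypothetical, and `covers` is only a local approximation of the service-side match.

```python
import fnmatch
import json
import re

# ARN shape reported by `aws sts get-caller-identity` for an assumed-role session.
_SESSION_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)$"
)

def pool_member_for(session_arn: str) -> str:
    """Turn one SSO session ARN into a wildcard pool member covering the whole role."""
    m = _SESSION_ARN.match(session_arn)
    if not m:
        raise ValueError(f"not an assumed-role session ARN: {session_arn!r}")
    if not m["role"].startswith("AWSReservedSSO_"):
        raise ValueError(f"role {m['role']!r} is not an SSO permission-set role")
    return f"arn:{m['partition']}:sts::{m['account']}:assumed-role/{m['role']}/*"

def approval_rule_content(pool_member: str, approvals_needed: int = 1) -> str:
    """Build approval rule content JSON (assumed: CodeCommit's 2018-11-08 format)."""
    return json.dumps({
        "Version": "2018-11-08",
        "Statements": [{
            "Type": "Approvers",
            "NumberOfApprovalsNeeded": approvals_needed,
            "ApprovalPoolMembers": [pool_member],
        }],
    }, indent=2)

def covers(pool_member: str, session_arn: str) -> bool:
    """Local approximation of the wildcard match; the service does the real evaluation."""
    return fnmatch.fnmatchcase(session_arn, pool_member)

if __name__ == "__main__":
    # Constructed sample: placeholder account ID, the role name used in the text above.
    base = "arn:aws:sts::111122223333:assumed-role/"
    me = base + "AWSReservedSSO_myname_randomstring/alice@example.com"
    member = pool_member_for(me)
    print(approval_rule_content(member))
    # A colleague in the same permission set is covered; a different role is not.
    print(covers(member, base + "AWSReservedSSO_myname_randomstring/bob@example.com"))
    print(covers(member, base + "AWSReservedSSO_other_randomstring/bob@example.com"))
```

Pinning the role name while wildcarding only the session segment keeps the approver pool limited to that one permission set.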