I'm not clear on this idea of restricting a specific call at the account level. Can you share some details/docs on how an AWS account would be configured this way? Also, for my clarification, are you saying that running something like this (changed to query against your user of course):

    aws iam simulate-principal-policy --action-names "tag:GetResources" --policy-source-arn "arn:aws:iam:::user/jdiaz-adminpolicy"

shows that the action is allowed, but when you actually attempt to run a tag:GetResources you get a permission denial?

    aws resourcegroupstaggingapi get-resources --region us-east-1
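Added here as an illustration, not part of the thread: a small script that reads the JSON `simulate-principal-policy` returns and flags the two cases where a simulated "allowed" can still fail on a live call, an organization-level (SCP) denial and a condition key the simulation was not given. The sample output, policy ids and action names are constructed placeholders, not captured from a real account.

```python
import json

# Constructed sample of `aws iam simulate-principal-policy` output; not captured from a
# real account. Policy ids and the action list are placeholders.
SAMPLE_OUTPUT = json.dumps({"EvaluationResults": [
    {"EvalActionName": "tag:GetResources", "EvalDecision": "allowed",
     "MatchedStatements": [{"SourcePolicyId": "AdminPolicy", "SourcePolicyType": "IAM Policy"}],
     "MissingContextValues": [],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": True}},
    {"EvalActionName": "s3:GetObject", "EvalDecision": "allowed",
     "MatchedStatements": [{"SourcePolicyId": "S3FromVpc", "SourcePolicyType": "IAM Policy"}],
     "MissingContextValues": ["aws:SourceVpc"],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": True}},
    {"EvalActionName": "ec2:RunInstances", "EvalDecision": "implicitDeny",
     "MatchedStatements": [], "MissingContextValues": [],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": False}},
]})


def summarize_simulation(raw_json):
    """Map each simulated action to a short verdict, flagging results that a
    live API call may not reproduce."""
    verdicts = {}
    for result in json.loads(raw_json)["EvaluationResults"]:
        action = result["EvalActionName"]
        decision = result["EvalDecision"]
        org = result.get("OrganizationsDecisionDetail", {})
        if org.get("AllowedByOrganizations") is False:
            # An organizations policy blocks the action no matter what the identity
            # policy grants: the "account level" restriction asked about above.
            verdicts[action] = "denied by organizations policy"
        elif result.get("MissingContextValues"):
            # A condition key the policy references was not supplied, so the simulator
            # could not evaluate that condition; the live call may still be denied.
            keys = ", ".join(result["MissingContextValues"])
            verdicts[action] = f"{decision} (unverified: missing context {keys})"
        else:
            sources = [s["SourcePolicyId"] for s in result.get("MatchedStatements", [])]
            verdicts[action] = f"{decision} via {', '.join(sources)}" if sources else decision
    return verdicts


if __name__ == "__main__":
    for action, verdict in summarize_simulation(SAMPLE_OUTPUT).items():
        print(f"{action}: {verdict}")
```

To use it against real output, pipe the CLI's JSON into the script instead of `SAMPLE_OUTPUT`; a "via" verdict with no missing context is the only one the live call is expected to match.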
Closing for now, let us know if more information is available, thanks!