The role I am assuming has the arn:aws:iam::aws:policy/SecurityAudit policy attached which includes the necessary permissions
"iam:GenerateServiceLastAccessedDetails",
"iam:Get*",
"iam:List*"
On Resource *. And yet I still get An error occurred (AccessDenied) when calling the GenerateServiceLastAccessedDetails operation: User: <assumed_role> is not authorized to perform the operation on <role_arn>. Is it a bug in AWS?
I found that this occurs when the ARN in the request is invalid. The error message is a bug: it is an invalid input, not an access denied issue.
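A pre-flight check that catches the malformed-ARN case before the API call is made, as an added illustration (not code from either post): it validates the shape of an IAM role ARN locally, so a typo surfaces as a clear input error instead of the misleading AccessDenied. The sample ARNs and the account id 123456789012 are constructed for the demonstration.

```python
import re

# Constructed sample ARNs; none belongs to a real account.
SAMPLE_ARNS = {
    "good role": "arn:aws:iam::123456789012:role/Auditor",
    "good role with path": "arn:aws:iam::123456789012:role/service-role/Auditor",
    "region filled in": "arn:aws:iam:us-east-1:123456789012:role/Auditor",
    "user, not role": "arn:aws:iam::123456789012:user/alice",
    "short account id": "arn:aws:iam::12345:role/Auditor",
    "managed policy, not role": "arn:aws:iam::aws:policy/SecurityAudit",
}

_PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}
_NAME_RE = re.compile(r"^[\w+=,.@-]+$")  # character set allowed in IAM names and path segments


def validate_role_arn(arn: str) -> list:
    """Return the problems found; an empty list means the ARN is well-formed.

    An IAM role ARN has the shape arn:<partition>:iam::<12-digit account>:role/<path><name>.
    The region field is always empty for IAM, and the account field must be numeric
    (the 'aws' pseudo-account is only valid for AWS managed policies, not for roles).
    """
    problems = []
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return ["expected six colon-separated fields beginning with 'arn'"]
    _, partition, service, region, account, resource = parts
    if partition not in _PARTITIONS:
        problems.append(f"unknown partition {partition!r}")
    if service != "iam":
        problems.append(f"service must be 'iam', got {service!r}")
    if region != "":
        problems.append("region field must be empty for IAM ARNs")
    if not re.fullmatch(r"\d{12}", account):
        problems.append(f"account must be 12 digits, got {account!r}")
    if not resource.startswith("role/"):
        problems.append(f"resource must start with 'role/', got {resource.split('/', 1)[0]!r}")
    else:
        segments = resource[len("role/"):].split("/")
        for seg in segments:
            if not seg or not _NAME_RE.match(seg):
                problems.append(f"invalid path segment or role name {seg!r}")
    return problems


def preflight(arn: str) -> str:
    """Raise ValueError for a malformed ARN; otherwise hand the ARN back for the API call.

    In a real script this is where you would call
    iam.generate_service_last_accessed_details(Arn=arn) (boto3 method name and
    parameter as documented by AWS); the call itself is left out so this runs offline.
    """
    problems = validate_role_arn(arn)
    if problems:
        raise ValueError(f"refusing to call AWS with malformed ARN {arn!r}: " + "; ".join(problems))
    return arn


def report() -> dict:
    """Map each sample label to its list of problems (empty for the well-formed ones)."""
    return {label: validate_role_arn(arn) for label, arn in SAMPLE_ARNS.items()}


if __name__ == "__main__":
    for label, problems in report().items():
        print(f"{label:28s} -> {'OK' if not problems else '; '.join(problems)}")
```

Running the script prints OK for the two well-formed role ARNs and a specific reason for each of the others; wiring preflight() in front of the real API call turns the confusing AccessDenied into a local ValueError that names the bad field.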
Related
botocore.exceptions.ClientError:
An error occurred (AccessDeniedException) when calling the CreateFunction operation: Lambda was unable to encrypt your environment variables because the KMS access was denied. Please check your KMS permissions.
KMS Exception: AccessDeniedException KMS Message:
User: arn:aws:iam::816087693535:user/pj#123.com is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd with an explicit deny in a service control policy.
Also we tried to read and write kms policies but it did not work out.
You need to allow the IAM user pj#123.com to perform kms:Encrypt on the resource arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd. If you have already tried that but it still doesn't work, my next question would be whether you are using AWS Organizations. If you do, I would visit AWS Organizations on the Management Account and check for any Service Control Policies (SCPs) which explicitly deny this action. If you follow these steps the resolution of your issue should be straightforward. Kindly let me know if not.
I've launched an EC2 instance using Ansible and successfully SSH'd into it using the playbook. I've also added the 'AmazonS3FullAccess' IAM role to it, but when I try to copy a file from S3, I get an error:
"fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden"
This is the command I've used for copying the files:
aws s3 cp s3://bucket-name/folder-name/file-name file-name
Also when I manually enter into the instance and try to list all the s3 buckets available to the instance, I get this error:
An error occurred (InvalidAccessKeyId) when calling the ListBuckets operation: The AWS Access Key Id you provided does not exist in our records.
Appreciate all the help!
I'm getting the following error while trying to create a new appliance in AWS.
FAILURE Create appliance task failed: An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:iam::account-id:user/<user> is not authorized to perform: iam:GetRole on resource: role genomics-virtual-lab-20-03-11t18-29-cm2-kube-role
It seems I need to add GetRole to my user in AWS console. But I am a newbie to AWS and can't do that. Can anyone please help me?
Regards,
Try adding the permission below, as admin permission should not be added.
iam:GetRole
iam:PassRole
Try adding another permission - AdministratorAccess - to your IAM user
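To show why the two answers above differ, and why the SCP check in the KMS answer further up matters, here is an added, simplified model of AWS policy evaluation (not code from any of the posts): an explicit Deny in any applicable policy wins, otherwise the identity policy must contain a matching Allow, and when SCPs are in play one of them must also allow the action. Resource policies, permission boundaries and session policies are left out of the model. The policy documents, the key id and the account 123456789012 are constructed; the role name is the one from the question.

```python
from fnmatch import fnmatchcase

# Constructed identifiers for the demonstration.
KUBE_ROLE = "arn:aws:iam::123456789012:role/genomics-virtual-lab-20-03-11t18-29-cm2-kube-role"
OTHER_ROLE = "arn:aws:iam::123456789012:role/unrelated-role"
KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"

# Least-privilege variant of the first answer: only the two IAM actions, only on matching roles.
MINIMAL_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:GetRole", "iam:PassRole"],
        "Resource": "arn:aws:iam::123456789012:role/genomics-*",
    }],
}

# What the second answer grants: everything on everything.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A constructed organisation SCP: the default full-access Allow plus an explicit Deny on kms:Encrypt.
ORG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:Encrypt", "Resource": "*"},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt, action, resource):
    # Action names are matched case-insensitively; resources are matched exactly (with * and ? wildcards).
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    resources = _as_list(stmt.get("Resource", "*"))
    return any(fnmatchcase(action.lower(), a) for a in actions) and \
        any(fnmatchcase(resource, r) for r in resources)


def _effects(policy, action, resource):
    return {s["Effect"] for s in policy["Statement"] if _statement_matches(s, action, resource)}


def is_allowed(action, resource, identity_policies, scps=()):
    """Return (decision, reason) for one action/resource pair under the simplified model."""
    for scp in scps:
        if "Deny" in _effects(scp, action, resource):
            return False, "explicit Deny in a service control policy"
    for pol in identity_policies:
        if "Deny" in _effects(pol, action, resource):
            return False, "explicit Deny in an identity policy"
    if scps and not any("Allow" in _effects(scp, action, resource) for scp in scps):
        return False, "no service control policy allows the action"
    if not any("Allow" in _effects(pol, action, resource) for pol in identity_policies):
        return False, "no identity policy Allow matches"
    return True, "allowed by identity policy"


if __name__ == "__main__":
    cases = [
        ("iam:GetRole", KUBE_ROLE, [MINIMAL_ROLE_POLICY], []),
        ("iam:GetRole", OTHER_ROLE, [MINIMAL_ROLE_POLICY], []),
        ("iam:DeleteRole", KUBE_ROLE, [MINIMAL_ROLE_POLICY], []),
        ("kms:Encrypt", KMS_KEY, [ADMINISTRATOR_ACCESS], []),
        ("kms:Encrypt", KMS_KEY, [ADMINISTRATOR_ACCESS], [ORG_SCP]),
    ]
    for action, resource, policies, scps in cases:
        ok, why = is_allowed(action, resource, policies, scps)
        print(f"{action:15s} on {resource.rsplit('/', 1)[-1][:20]:20s} -> {ok}: {why}")
```

The last two cases make the KMS answer concrete: AdministratorAccess allows kms:Encrypt on its own, yet the same call is refused as soon as an SCP carries an explicit Deny, which is exactly the "explicit deny in a service control policy" wording in that error.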
When I try to login using federated login for AWS CLI, I get this error:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRoleWithSAML operation: Not authorized to perform sts:AssumeRoleWithSAML
This prevents me from logging into AWS CLI, and I need that so I can access our CodeCommit repo.
How should I fix this error, do I need to specify the role explicitly?
It turned out I did need to specify the role explicitly, by its ARN.
aws_cli_login --role arn:aws:iam::28475767868:role/my-role
It worked after that. Probably when I didn't specify a role it tried some default role for which I didn't have access.
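The role choice the answer describes is made from the SAML assertion: the identity provider returns the attribute https://aws.amazon.com/SAML/Attributes/Role as one or more "role ARN,provider ARN" pairs (AWS accepts the two ARNs in either order), and the client must send one pair's RoleArn and PrincipalArn to AssumeRoleWithSAML. The added helper below (not code from aws_cli_login or the post) selects that pair, refuses to guess when several roles are offered, and reports when the requested role is not in the assertion at all, which is the situation that otherwise ends in AccessDenied. The attribute values and the account id are constructed.

```python
# Constructed values of the SAML Role attribute, as an identity provider might return them.
# Note the second entry lists the provider first; the order is not fixed.
SAMPLE_ROLE_ATTRIBUTE = [
    "arn:aws:iam::123456789012:role/my-role,arn:aws:iam::123456789012:saml-provider/CorpIdP",
    "arn:aws:iam::123456789012:saml-provider/CorpIdP,arn:aws:iam::123456789012:role/read-only",
]


def parse_role_pairs(attribute_values):
    """Turn each 'arn,arn' attribute value into a (role_arn, principal_arn) tuple."""
    pairs = []
    for value in attribute_values:
        arns = [a.strip() for a in value.split(",")]
        if len(arns) != 2:
            raise ValueError(f"malformed Role attribute value: {value!r}")
        roles = [a for a in arns if ":role/" in a]
        providers = [a for a in arns if ":saml-provider/" in a]
        if len(roles) != 1 or len(providers) != 1:
            raise ValueError(f"expected one role ARN and one saml-provider ARN in {value!r}")
        pairs.append((roles[0], providers[0]))
    return pairs


def select_role(attribute_values, requested_role_arn=None):
    """Pick the (role_arn, principal_arn) pair to pass to AssumeRoleWithSAML.

    With no explicit request the choice is only made when exactly one role is offered;
    otherwise the caller is told which ARNs it may ask for instead of falling back
    to some default the user may not be allowed to assume.
    """
    pairs = parse_role_pairs(attribute_values)
    if requested_role_arn is None:
        if len(pairs) == 1:
            return pairs[0]
        offered = ", ".join(role for role, _ in pairs)
        raise ValueError(f"assertion offers {len(pairs)} roles, pass --role with one of: {offered}")
    for role, provider in pairs:
        if role == requested_role_arn:
            return role, provider
    raise ValueError(f"{requested_role_arn} is not in the assertion; the identity provider "
                     "did not grant it, so AssumeRoleWithSAML would be refused")


if __name__ == "__main__":
    role, principal = select_role(SAMPLE_ROLE_ATTRIBUTE, "arn:aws:iam::123456789012:role/my-role")
    # The real call would be boto3's sts.assume_role_with_saml(RoleArn=role, PrincipalArn=principal,
    # SAMLAssertion=<base64 assertion>); it is omitted here so the example runs offline.
    print("RoleArn     :", role)
    print("PrincipalArn:", principal)
```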
I'm trying to run the script setup_p2.sh for the fast.ai course. I keep getting this error:
An error occurred (UnauthorizedOperation) when calling the CreateVpc operation: You are not authorized to perform this operation.
NOTE: setup_p2.sh was NOT available at the stated location, but I found it by cloning this repo: https://github.com/fastai/courses
I finally found the solution: Amazon changed the permissions screens when setting up the IAM (Identity Access Management) account. I solved it by creating a new security group with the "AdministratorAccess" permission, and adding that user to that group. Works now.