AWS Glue AccessDeniedException Account <ID> is denied access - amazon-web-services

I am getting this message when I try to create a crawler on AWS Glue:
{"service":"AWSGlue","statusCode":400,"errorCode":"AccessDeniedException","requestId":"RequestIDNumber","errorMessage":"Account <AccountID> is denied access.","type":"AwsServiceError"}
already attached all those policies below to the IAM
All my Policies here
Already setup permissions to the AWS lake formation for the role too
Already created a custom policy kms to it too
And I am stucked, I cannot create a crawler!
I am in the root account, actually there`s no other account just the root, It's a super new account I created in AWS so I don't know what to do to be able to create this simple crawler
My ideia its to use it with dynamodb as data source
The message says there is something wrong with my account permission not with a role
Someone has an idea?
Thank you so much

Not sure the reason, but loads of people have been having this issue. You can submit a ticket through AWS account support. I actually submitted two, including one through the unpaid support version and one through my paid account. They answered both tickets.
Basically, just tell them you need access to Glue and they should alter whatever it is to give you access. Sorry it's not a better answer, but I found no other useful information anywhere.

I propose to try using a separate user and attaching the policy you created to it.

Related

Access Denied When Create AWS Glue Crawler

I am trying to create a crawler in AWS Glue, but it gives error: {"service":"AWSGlue","statusCode":400,"errorCode":"AccessDeniedException","requestId":"<requestId>","errorMessage":"Account <accountId> is denied access.","type":"AwsServiceError"}.
This is what I've done so far:
Create a database in AWS Glue
Add tables in the database using a crawler
Name the crawler
Choose Amazon S3 as the data store and specified a path to a csv file inside a bucket in my account
Choose an existing IAM role I've created before
Choose a database I've created before
Press finish.
When I press finish, the above error is occurred.
I have grant AdministratorAccess both to IAM user and role used to create the crawler, so I assume there is no lack of permission issues. The bucket used is not encrypted and located in the same region as the AWS Glue.
I also have tried to create another database and specified a path to a different csv file but it is not solved the problem.
Any help would be very appreciated. Thanks.
I have contacted the owner (the root user) of this account and the owner asked for help to AWS Premium Support. The AWS Premium Support told us that all the required permissions to create AWS Glue Crawler are already provided and there is no SCPs attached to the account. After waiting around 7-working-day, finally I can create AWS Glue Crawler without any errors.
Unfortunately, I don't have any further information on how the AWS Premium Support solve the issue. For those of you who encounter similar errors like me, just try to contact the owner of the account, because most likely the issue is out of your control. Hope this helps in the future. Thanks.

AWS Workspaces - Unable to provide Console Access to IAM user

I want an IAM user to have read/List access and start/stop access to AWS workspaces. Hence I've created a simple IAM policy which grants all read and list actions.
but this was not enough. I was displayed with an error message An Error Has Occurred There was an error retrieving information about your WorkSpaces. Upon investigating cloudtrail, I found that the user need read/list permissions to KMS and AWSDirectory Service. Hence granted that too but when I login again, I still see the same error. Even tried attaching EC2 full access too but still the same error. Is this a potential bug?
The same issue has been discussed in AWS forum too but no resolution there.
https://forums.aws.amazon.com/thread.jspa?threadID=236408
KMS policy and Directory service policy below.
DS:
KMS:
Error Screenshot:
I've found the solution for this. AWS has bizarre limitation where if you want to access workspaces via console, then you need to give full access (workspaces:*) only. Below is a screenshot from the document that states this. Highly disappointed with AWS regarding this limitation.
https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html
Have you tried a policy similar to the one in the documentation. It includes some services in addition to the once you have tried already.

Problem on creating access tokens for IAMUSER via aws educate account

I want to use aws s3 on my laravel project , for this i created a bucket on s3 and also created IAMUSER and give it "S3FullAccess" permission but it create user with some error, access_key not created...
I use my vocareum account credentails (found on Account details button) but laravel gives an error "Invalid access token".
please help...
e
On AWS Educate Starter Account you can't create access keys for IAM users. From their docs:
You can create users, but cannot associate login profile or access keys for them
The AWS Educate accounts have a lot of limitations and they just barely allow to do what you need to do in your classrooms.
It appears that the user you are logging into AWS as is not an administrator user, or certainly lacks some administration permissions.
I'm not familiar with Vocareum but it seems to be some sort of learning management system - I presume you are using an AWS account that they control, which would explain the lack of privileges. If that is the case, and it is their AWS account that you are accessing, then you will need to raise a support case with them.
If this is your account, and you created this user, then you need to log into the account as the root user you created when you configured your AWS account and use it to create an access key for this current user.

AWS Permissions no longer work after consolidated billing

So we have this aws account with some permissions and it was working fine at first. We were able to deploy to aws using serverless framework. But then the client decided to setup an organization since they have other aws accounts also and to consolidate the billing under 1 account, they added the account they gave us to the organization. Now the problem is when we deployed using serverless again, serverless can no longer see the deployment bucket with an access denied error. But when the account was removed from the organization, serverless is able to locate the bucket. Is there some addition permissions or changes to the permissions that needs to be done when an account is linked to an organization? Can someone explain to me cause I can't seem to find any example of my scenario in a google search. I am new to AWS and this is the first time I experience organzations in AWS.
The only implication to permissions from joining an OU (organization unit) would be via the Service Contol Policy (SCP). Verify that the SCP attached to the organization does not block the actions you are attempting to execute.
We would love to get more information if possible, but I would maybe start looking in the following places in your consolidated account:
Trusted access for AWS services - https://console.aws.amazon.com/organizations/home?#/organization/settings
https://console.aws.amazon.com/organizations/home?#/policies
See if anything was changed there, if someone added a policy, or if the AWS Resource Access Manager is disabled.

AWS Educate - Launch EC2 instance authorization issue

I am working on my school project and seeing permission issues using AWS Educate for students.
I am unable to launch EC2 instance (Spot instance). Read through the documentation about changing roles and policies to grant permission but it says my user is unauthorized to. Neither is it permitting to create a role - No permissions to change anything in IAM.
Also, since it's student access AWS doesn't provide support to raise a Case Request with them. I understand this is a redundant question but I tried the solutions provided but in vain due to student access limitations. To ask administrator to add permissions it just redirects me to documentation.
Help much appreciated!
I am under the impression that spot instances are not available through AWS Educate. You would need to use a regular account which is what you did apparently.
The problem is this: The IAM user does not have permissions to do what you want. If you are the administrator, then you can assign (add) permissions to the user's attached policy. If you are not the administrator then you will need to contact that person for help.