When I open the customer managed keys in region eu-central-1, I can see one key, but I get the following error message:
DescribeKey request failed AccessDeniedException - User:
arn:aws:iam::<MY_ACCOUNT>:user/admin is not authorized to perform:
kms:DescribeKey on resource:
arn:aws:kms:eu-central-1:<MY_ACCOUNT>:key/<MY_KEY_ID>
because no resource-based policy allows the kms:DescribeKey action
This happens even though I try as the root user or as an admin user who does have the DescribeKey permission.
Even using AWS CLI, I cannot do anything about this key.
This leads to the strange situation that I can see the key, but I cannot do anything about it, not even deleting it or getting any details about it. And I also cannot see how I can modify the resource-based policy of that key.
Any help is appreciated!
Okay, I actually found a solution. I tried to log in as each of my users, and one of the users was actually the one having all permissions according to the resource-based policy and could delete it.
Still, it is a bit surprising to me that the root user wasn't able to do so, but I am happy to have solved it.
I'm trying to set up my AWS CLI. I downloaded it and everything worked.
Now I wanted to log in from my PowerShell script.
Set-AWSCredentials -AccessKey key-name -SecretKey key-name
Because I don't have any users at the moment I had to create one. I have given the user admin rights.
When creating the user, AWS throws this error:
User: arn:aws:sts::37197122623409:assumed-role/voclabs/user2135080=.... is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::371237422423709:user/.... because no identity-based policy allows the iam:CreateUser action
My first thought was that my education account is having a problem. But I didn't find anything about it. Thanks for your help in advance.
The "voclab" part of the error suggests you are not logged in as the account root user but are instead assuming a role in an account used for teaching purposes.
This role is probably designed to disallow IAM actions, in order to prevent privilege escalation.
Read https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html to get role credentials for the role you're assuming.
You can't make any IAM roles, policies or users as a student using a voclabs account. AWS Academy does not allow that, and it's a hard limit which neither you nor your educator can change.
I've got an issue where a Cognito-authenticated user seems to have the correct permissions to interact with SSM, but all calls to SSM are being rejected. Here's what my policy looks like:
Cognito Role
Of course in a production environment we won't have open permissions like that and certainly won't have the Administrator policy attached, but this was to test as well as make the point that we really can't authenticate here.
I should add that we can access our DynamoDB resources using that policy with no issues; it's just SSM giving us trouble. We're getting error messages similar to this:
AccessDeniedException: User: arn:aws:sts::ACCOUNTID:assumed-role/COGNITOROLE is not authorized to perform: ssm:GetParametersByPath on resource: arn:aws:ssm:us-west-2:ACCOUNTID:parameter/
where I've replaced the account number and role name. Does anyone know what I'm doing wrong? Thanks a ton in advance.
I recently enabled default EBS encryption as mentioned here: https://aws.amazon.com/blogs/aws/new-opt-in-to-default-encryption-for-new-ebs-volumes/. Afterwards, when attempting to launch a Beanstalk instance, I get a generic 'ClientError' and the instance immediately terminates. If I disable default encryption, it works fine.
Does anyone know what changes are required to get beanstalk to work with a customer managed encryption key? I suspected it was a permissions issue so I temporarily gave the beanstalk roles full admin access but that did not solve the issue. Is there something else I am missing?
I saw this related question, but it was from before default EBS encryption was released, and I was hoping to avoid having to copy and encrypt the AMI manually...
If you are using a custom CMK, you have to update the key policy and assign permissions explicitly. For EBS encryption, a principal usually requires the following permissions:
kms:CreateGrant
kms:Encrypt
kms:Decrypt
kms:ReEncrypt*
kms:GenerateDataKey*
kms:DescribeKey
The best way to troubleshoot key permission issues is to check the CloudTrail event history. Filter the events by event source and check whether there is any "access denied" error.
Filter: Event source: kms.amazonaws.com
You can see which action is denied there and adjust the key policy accordingly. The "User name" field in the event gives you a hint for determining the ARN of the principal to use in the policy.
In your case, it is very likely that one of the service-linked roles requires permissions to access the KMS key. There is a good explanation of key permissions here for the Auto Scaling service-linked role.
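As an added example (not code from the answer above), the CloudTrail triage described here applied offline: the script filters constructed sample records down to kms.amazonaws.com access-denied events, resolves each caller to the role ARN you would name in the key policy, and drafts the key-policy statement using the wildcard action names from the list above. The account ID, key ID, session ARNs and events are all constructed.

```python
import json

# Constructed CloudTrail records (not real events), in the {"Records": [...]} shape of an exported log.
ASG_SESSION = {"type": "AssumedRole",
               "arn": "arn:aws:sts::111122223333:assumed-role/AWSServiceRoleForAutoScaling/AutoScaling",
               "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/aws-service-role/"
                                                           "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"}}}
KEY = "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"  # constructed key ARN
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKeyWithoutPlaintext", "errorCode": "AccessDenied",
     "userIdentity": ASG_SESSION, "resources": [{"ARN": KEY}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant", "errorCode": "AccessDenied",
     "userIdentity": ASG_SESSION, "resources": [{"ARN": KEY}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",  # succeeded: no errorCode
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"}, "resources": [{"ARN": KEY}]},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "errorCode": "Client.InternalError",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"}},
]})

# Denied API names are generalised to the wildcard forms used in the permission list above.
WILDCARDS = {"kms:GenerateDataKey": "kms:GenerateDataKey*", "kms:ReEncrypt": "kms:ReEncrypt*"}

def principal_arn(identity):
    """ARN to name in the key policy: the role ARN for assumed-role sessions, otherwise the caller's own ARN."""
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")

def kms_denials(log_text):
    """Map principal -> key ARN -> sorted list of KMS actions that CloudTrail recorded as access denied."""
    denials = {}
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":   # the console filter "Event source: kms.amazonaws.com"
            continue
        if "AccessDenied" not in rec.get("errorCode", ""):  # successful calls and other errors are not policy gaps
            continue
        who = principal_arn(rec["userIdentity"])
        key_arns = [r["ARN"] for r in rec.get("resources", []) if ":key/" in r.get("ARN", "")] or ["<key not recorded>"]
        for key in key_arns:
            denials.setdefault(who, {}).setdefault(key, set()).add("kms:" + rec["eventName"])
    return {who: {k: sorted(v) for k, v in per_key.items()} for who, per_key in denials.items()}

def key_policy_statement(principal, actions):
    """Draft the key-policy statement closing the gaps; Resource is "*" because a key policy applies only to its own key."""
    generalised = sorted({next((w for p, w in WILDCARDS.items() if a.startswith(p)), a) for a in actions})
    return {"Sid": "AllowDeniedEbsActions", "Effect": "Allow", "Principal": {"AWS": principal},
            "Action": generalised, "Resource": "*"}

if __name__ == "__main__":
    for who, per_key in kms_denials(SAMPLE_LOG).items():
        print(json.dumps({k: key_policy_statement(who, a) for k, a in per_key.items()}, indent=2))
```

Review the drafted statement before applying it; it grants only the actions CloudTrail showed as denied, so repeat the cycle if a later call fails on a different action.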
I want to give the AWS DeepRacer competition a try, but it's not properly setting up my "Account resources" and I have no idea why.
This is what it's telling me:
These are the red errors:
Error in IAM role creation
Please try again after deleting the following roles: AWSDeepRacerServiceRole, AWSDeepRacerSageMakerAccessRole, AWSDeepRacerRoboMakerAccessRole, AWSDeepRacerLambdaAccessRole, AWSDeepRacerCloudFormationAccessRole.
There is an issue with your IAM roles
Unable to create all IAM roles
I have tried resetting the resources as it tells me to do.
But it still doesn't work afterwards. When I go to my IAM roles, there are none of those described above. I have checked my account and everything else seems to be working fine. I checked, and I can also manually create S3 buckets and IAM roles.
It's not giving me clear instructions on what's wrong or what I should do besides the ones in the image above, so I'm not sure how to proceed!
Go to IAM -> Roles and delete the following roles:
AWSDeepRacerServiceRole
AWSDeepRacerSageMakerAccessRole
AWSDeepRacerRoboMakerAccessRole
AWSDeepRacerLambdaAccessRole
AWSDeepRacerCloudFormationAccessRole
Then try resetting Account Resources again.
I am getting the following error when I try to access the IAM dashboard on AWS.
User: arn:aws:iam::9490xxxxxxxx:user/xyz is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::9490xsxxxxxxx:user/
The fact is that I have the IAMFullPermission policy attached to my account, as shown below:
I still don't know what permissions I need to provide.
Thanks in advance.
As Rajesh commented, logging into the console and opening the policy simulator will allow you to select your user and the iam:ListUsers permission and simulate the evaluation to find the exact reason for the failure.
https://policysim.aws.amazon.com/home/index.jsp?#users
That screenshot of attached policies will give that user/role access to iam:ListUsers from multiple built-in AWS policies, and that error message suggests that the user does not have permission (i.e. a missing allow policy rather than an explicit deny).
When determining the cause of IAM errors I try the following:
Does the response appear cached? (Making changes to allow an action and then immediately attempting again does not always work. You can test this with the CLI by calling an API that will not be allowed. The first call will be slightly slower than subsequent calls. IAM changes can also take time to propagate.)
What does the policy simulator say? (especially useful when considering more complicated policies with conditions like MFA required or MFA age)
The Policy Simulator will narrow down scenarios like:
User does not actually have that policy attached
User is part of a group that has an explicit deny policy (doesn't look to be the case here)
Other conditions are not satisfied that are not immediately apparent. E.g. MFA required or resource restrictions to only allow access to manage own user details.
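An added example, not from the answer above, that evaluates an action the way the policy simulator reports outcomes: it separates an explicit deny from the implicit deny of a missing allow, and models the MFA-required and own-user-only conditions the list mentions. The policies, account ID and user name are constructed; NotAction, NotResource and policy variables are deliberately out of scope.

```python
import fnmatch

# Constructed policies (not from the page): an IAM-full-access style allow, a group policy that denies
# everything unless MFA was used, and a policy that only lets a user manage their own IAM user.
IAM_FULL_ACCESS = {"Statement": [{"Sid": "IamFull", "Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
DENY_WITHOUT_MFA = {"Statement": [{"Sid": "DenyUnlessMfa", "Effect": "Deny", "Action": "*", "Resource": "*",
                                   "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
OWN_USER_ONLY = {"Statement": [{"Sid": "ManageOwnUser", "Effect": "Allow",
                                "Action": ["iam:GetUser", "iam:ChangePassword"],
                                "Resource": "arn:aws:iam::111122223333:user/xyz"}]}  # constructed account and user

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    """Wildcard match; action names are case-insensitive in IAM, ARNs are not."""
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """Only Bool and BoolIfExists are modelled, which is enough for MFA-style conditions."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue           # key absent from the request: ...IfExists treats the test as satisfied
                return False
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True

def evaluate(policies, action, resource, context=None):
    """Return (decision, matching Sids): 'explicit deny' beats 'allowed'; no matching statement is 'implicit deny'."""
    context, decision, matched = context or {}, "implicit deny", []
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt.get("Action", []), action, True)
                    and _matches(stmt.get("Resource", []), resource, False)
                    and _condition_holds(stmt.get("Condition", {}), context)):
                continue               # statement does not apply to this request
            matched.append(stmt.get("Sid", "<no Sid>"))
            if stmt["Effect"] == "Deny":
                return "explicit deny", matched
            decision = "allowed"
    return decision, matched

if __name__ == "__main__":
    print(evaluate([IAM_FULL_ACCESS, DENY_WITHOUT_MFA], "iam:ListUsers", "arn:aws:iam::111122223333:user/xyz"))
```

The third case below the definitions (only OWN_USER_ONLY attached, iam:ListUsers requested) reproduces the "not authorized ... no identity-based policy allows" situation: nothing denies the call, nothing allows it either.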