AWS Lambda deployment with Zappa

botocore.exceptions.ClientError:
An error occurred (AccessDeniedException) when calling the CreateFunction operation: Lambda was unable to encrypt your environment variables because the KMS access was denied. Please check your KMS permissions.
KMS Exception: AccessDeniedException KMS Message:
User: arn:aws:iam::816087693535:user/pj#123.com is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd with an explicit deny in a service control policy.
Also we tried to read and write kms policies but it did not work out.

You need to allow the IAM user pj#123.com to perform kms:Encrypt on the resource arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd. If you have already tried that but it still doesn't work, my next question would be whether you are using AWS Organizations. If you do, I would visit AWS Organizations on the Management Account and check for any Service Control Policies (SCPs) which explicitly deny this action. If you follow these steps the resolution of your issue should be straightforward. Kindly let me know if not.

Related

Why is `botocore-session-id#` being attached to my Amazon Resource Number (arn:) when trying to `assume-role` via AWS CLI

Up until now I have been able to run aws sts assume-role --role-arn arn:aws:iam::<accountID>:role/<iam_role> --role-session-name <a_session_name> --profile <the_profile_name> without a hitch...
Now I'm getting an error An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::<accountID>:assumed-role/<iam_role>/botocore-session-xxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<accountId>:role/<iam_role>
Is this due to me being in an assumed role state and then attempting to assume the same role again? If that is the case then what's the solution for clearing out the botocore cache?
I have cleared the ~/.aws/cache directory
I have been successful assuming this role until today, no security credentials have been removed from my AWS account
I've killed and restarted the iTerm session
executing aws sts get-caller-identity --profile picklerick nets me the same results: both arn: and userId have the same botocore-session-xxxxx attached
these questions are not dupes of this question:
Access denied when assuming role as IAM user via boto3
AWS cli: not authorized to perform: sts:AssumeRole on resource
python boto3 error: Not authorized to perform assumed role on resource
if any of this makes sense to you then you might also be able to explain what caused this in the first place - I've had no issues up until this, never cared or saw mention of boto

Accessing AWS via external editor (AWS CLI), authorization error although authorized

I need to access a DynamoDB in AWS on my computer, where I have set up my credentials in AWS CLI. Although my provided user has the appropriate access authorization I get this error message, always when I have to get an Item from my database table:
User: arn:aws:iam::[user-number]:user/[username] is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:eu-west-1:[user-number]:table/data_table_1 with an explicit deny
As already said, this user is authorized by the administrator to perform this request.
Maybe I am overlooking something or it has to do with this "explicit deny".
I appreciate your help. Thanks
For the policies, MFA must be present. So maybe I have to authorize myself with an MFA device? How do I do that (if I am correct) via the AWS CLI?

AWS SageMaker Access Denied

I started to work with AWS SageMaker. I have an AWS Starter Account. I have been trying to deploy a built-in algorithm for 2 days but I always get AccessDeniedException despite the fact that I created IAM role according to https://aws.amazon.com/tr/getting-started/tutorials/build-train-deploy-machine-learning-model-sagemaker/
ClientError: An error occurred (AccessDeniedException) when calling the CreateTrainingJob operation: User: arn:aws:sts::161745376217:assumed-role/AmazonSageMaker-ExecutionRole-20200203T194557/SageMaker is not authorized to perform: sagemaker:CreateTrainingJob on resource: arn:aws:sagemaker:us-east-1:161745376217:training-job/blazingtext-2020-02-03-18-12-14-017 with an explicit deny
Could you help me to solve this problem?
Thank you so much
You have created a role for SageMaker to access an S3 bucket, but it seems your IAM user doesn't have access to the SageMaker service. Please make sure your IAM user has permission to SageMaker.
This error usually occurs if you have an AWS Educate account. It restricts you from taking full control of the SageMaker service. In this case, I'd recommend accessing AWS using a regular AWS account.

Are AWS Console Permissions separate from AWS CLI Permissions?

I have permissions to create lambda functions, as well as RDS instances. I am able to use these tools via the AWS console without issue. However, each of the following commands fail:
$ aws lambda list-functions
An error occurred (AccessDeniedException) when calling the ListFunctions
operation: User: arn:aws:iam::<IAM ID>:user/<username> is not
authorized to perform: lambda:ListFunctions on resource: * with an explicit deny
$ aws rds describe-db-instances
An error occurred (AccessDenied) when calling the DescribeDBInstances
operation: User: arn:aws:iam::<IAM ID>:user/<username> is not
authorized to perform: rds:DescribeDBInstances with an explicit deny
Are there separate permissions that are needed for CLI access?
@Michael-sqlbot helped me realize that I was not using MFA on the CLI, which is what caused the error. I followed the instructions listed on Using Temporary Security Credentials to Request Access to AWS Resources - AWS Identity and Access Management to solve my problem.
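The SCP deny in the Zappa question, the MFA-dependent explicit deny in the DynamoDB question and the CLI-only denials above all come from the same evaluation order: any matching explicit Deny wins, an SCP must allow the action, and only then does an identity or resource policy Allow count. The Python model below is an added illustration, not AWS code or anything from the posts; it assumes same-account access and models only the Bool and BoolIfExists condition operators, and the sample policies and the DynamoDB account number are constructed (the KMS key ARN is the one quoted in the question).

```python
import fnmatch

def _aslist(v):
    return [v] if isinstance(v, str) else list(v or [])

def _matches(stmt, action, resource, ctx):
    """True if stmt covers action and resource and its Condition holds (only
    the Bool / BoolIfExists operators are modelled)."""
    if not any(fnmatch.fnmatch(action, a) for a in _aslist(stmt.get("Action"))):
        return False
    if not any(fnmatch.fnmatch(resource, r) for r in _aslist(stmt.get("Resource", "*"))):
        return False
    for op, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            if key not in ctx:
                if op == "BoolIfExists":
                    continue      # a missing key satisfies ...IfExists
                return False      # plain Bool never matches a missing key
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True

def evaluate(action, resource, ctx, identity_policy, scp=None, resource_policy=None):
    """Simplified same-account IAM decision: a matching Deny anywhere wins; then
    the SCP (if any) must Allow; then an identity or resource policy must Allow."""
    sources = [("service control policy", scp), ("resource policy", resource_policy),
               ("identity policy", identity_policy)]
    for name, policy in sources:
        for stmt in (policy or {}).get("Statement", []):
            if stmt["Effect"] == "Deny" and _matches(stmt, action, resource, ctx):
                return "Deny", f"explicit deny in {name}"
    if scp and not any(s["Effect"] == "Allow" and _matches(s, action, resource, ctx)
                       for s in scp["Statement"]):
        return "Deny", "implicit deny: no SCP statement allows the action"
    for name, policy in sources[1:]:
        for stmt in (policy or {}).get("Statement", []):
            if stmt["Effect"] == "Allow" and _matches(stmt, action, resource, ctx):
                return "Allow", f"allowed by {name}"
    return "Deny", "implicit deny: no policy allows the action"

# Constructed sample policies; the key ARN is the one quoted in the question.
KEY_ARN = "arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd"
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": ["kms:Encrypt", "dynamodb:GetItem"],
                           "Resource": "*"}]}
FULL_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_KMS_SCP = {"Statement": FULL_ACCESS_SCP["Statement"] + [
    {"Effect": "Deny", "Action": "kms:Encrypt", "Resource": "*"}]}
MFA_REQUIRED = {"Statement": IDENTITY["Statement"] + [
    {"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
```

`evaluate("kms:Encrypt", KEY_ARN, {}, IDENTITY, DENY_KMS_SCP)` reproduces the SCP explicit deny even though the identity policy allows the call; with long-term access keys the `aws:MultiFactorAuthPresent` key is absent from the request context, so the `BoolIfExists` deny fires until session credentials obtained with an MFA code are used.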

Use Serverless or Zappa without Iam GetRole authorization

I am using an AWS Educate Starter account but their user account policy doesn't allow IAM GetRole. So I am having this kind of error in both the Serverless framework and Zappa -
An error occurred: IamRoleLambdaExecution - API: iam:GetRole
User: arn:aws:iam::XXXXXXXXXXX:user/awsstudent is not authorized to perform:
iam:GetRole on resource: role hello-world-dev-us-west-2-lambdaRole.
Is there any way to get the job done without this authorization? I know that my access key has full access to AWS Lambda, S3, API Gateway etc.
The issue is you seem to be locked out of IAM. No amount of permission on Lambda/S3/API Gateway is going to get you to where you need to go.