I want an IAM user to have read/list access and start/stop access to AWS WorkSpaces. Hence I've created a simple IAM policy which grants all read and list actions.
But this was not enough. I was shown the error message "An Error Has Occurred. There was an error retrieving information about your WorkSpaces." Upon investigating CloudTrail, I found that the user needs read/list permissions to KMS and AWS Directory Service. Hence I granted that too, but when I log in again, I still see the same error. I even tried attaching EC2 full access, but still the same error. Is this a potential bug?
The same issue has been discussed in AWS forum too but no resolution there.
https://forums.aws.amazon.com/thread.jspa?threadID=236408
KMS policy and Directory service policy below.
DS:
KMS:
Error Screenshot:
I've found the solution for this. AWS has a bizarre limitation where if you want to access WorkSpaces via the console, then you need to give full access (workspaces:*) only. Below is a screenshot from the document that states this. Highly disappointed with AWS regarding this limitation.
https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html
Have you tried a policy similar to the one in the documentation? It includes some services in addition to the ones you have tried already.
Related
I am getting this message when I try to create a crawler on AWS Glue:
{"service":"AWSGlue","statusCode":400,"errorCode":"AccessDeniedException","requestId":"RequestIDNumber","errorMessage":"Account <AccountID> is denied access.","type":"AwsServiceError"}
I have already attached all the policies below in IAM.
All my Policies here
I have already set up permissions in AWS Lake Formation for the role too.
I have already created a custom KMS policy for it too.
And I am stuck; I cannot create a crawler!
I am using the root account; actually there's no other account, just the root. It's a brand new account I created in AWS, so I don't know what to do to be able to create this simple crawler.
My idea is to use it with DynamoDB as the data source.
The message says there is something wrong with my account permissions, not with a role.
Does anyone have an idea?
Thank you so much
Not sure the reason, but loads of people have been having this issue. You can submit a ticket through AWS account support. I actually submitted two, including one through the unpaid support version and one through my paid account. They answered both tickets.
Basically, just tell them you need access to Glue and they should alter whatever it is to give you access. Sorry it's not a better answer, but I found no other useful information anywhere.
I propose trying a separate user and attaching the policy you created to it.
Previously I had been able to deploy my Lambda functions without any problems on my own AWS account. Now I need to deploy them to a different AWS account where my IAM user has the AdministratorAccess permission.
I've set up a role/policies for invoking Lambdas the same way I did for my account. Before I deployed my code with Terraform, I checked the console page for AWS Lambda, and this error pops up.
Any idea why I still don't have enough permissions to access Lambda even with my AdministratorAccess policy attached to my user? Do I still need to add more policies to my user in order to access Lambda?
I have faced the same issue. You need to contact AWS to unlock your access as your account has been locked due to potentially dangerous activity.
I recommend enabling MFA and using an IAM user to log in to the AWS console instead of the root user.
AdministratorAccess is definitely enough to view the Lambda console.
Do you have CLI access set up for this user? You could try running the list-functions CLI command to confirm that your user is set up as expected, as this uses the same API call that the web console is performing for you.
I have faced the same issue. After checking this post I checked my mailbox. AWS asked me to verify my account by sending a picture of a utility bill and address information. I did it and everything is back to normal now.
I have an IAM role with AdministratorAccess, but when I upload a custom template to AWS CloudFormation, I get the following error:
Operation failed, ComputeEnvironment went INVALID with error:
CLIENT_ERROR - You are not authorized to call EC2 Describe operations.
It is required to perform CreateLaunchConfiguration operation.
All the other resources seem to complete successfully, so I'm not sure if there is some sort of role delegation taking place?
It is possible that you are affected by Service Control Policies (SCPs) or by Permission Boundaries or even other policy types.
Identity-based policies
Resource-based policies
Permissions boundaries
Organization SCPs
Access control lists
Session policies
Regarding SCPs:
An SCP restricts permissions for IAM users and roles in member
accounts, including the member account's root user. Any account has
only those permissions permitted by every parent above it. If a
permission is blocked at any level above the account, either
implicitly (by not being included in an Allow policy statement) or
explicitly (by being included in a Deny policy statement), a user or
role in the affected account can't use that permission, even if the
account administrator attaches the AdministratorAccess IAM policy with
*/* permissions to the user.
Also see How to use service control policies to set permission guardrails across accounts in your AWS Organization
As this article states,
The member accounts of an AWS Organization are unable to see the SCPs
that have been applied to them. Further, when actions are denied,
there is no way to know whether that is due to an IAM policy, an SCP,
or something else (ex. session policy, IAM boundary, resource policy).
This means there will be no indication in the error message from an
API call or in the CloudTrail log to show what denied the call. This
can make debugging issues difficult.
This article has some useful diagrams that show the different things that could be affecting/limiting the access.
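The point of the answer above is easier to see when the layers are evaluated by hand. The following is an added example, not code from the question or from the linked articles: a deliberately simplified IAM evaluator (Allow/Deny, Action and Resource with wildcards only; no NotAction, Condition or resource policies) that applies an identity policy, an optional SCP and an optional permissions boundary. The AdministratorAccess, SCP and boundary documents are constructed for the demo, as is the principal ARN.

```python
import fnmatch

# Constructed policy documents for this example (not the asker's policies).
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Hypothetical SCP attached above the member account. An SCP grants nothing by
# itself; it only caps what identity policies inside the account may allow.
ORG_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

# Hypothetical permissions boundary that only covers S3.
S3_ONLY_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' is any run of characters, '?' a single character.
    # Action names are matched case-insensitively.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    decision = None
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny in a policy cannot be overridden
        decision = "Allow"
    return decision


def evaluate_request(action, resource, identity_policies, scp=None, boundary=None):
    """Simplified evaluation of a same-account request across policy layers.

    Returns (allowed, reason). The reason is what an operator would want to
    know, but the real API error never carries it: AWS returns the same
    AccessDenied whether the SCP, the boundary or the identity policy blocked
    the call.
    """
    layers = [("identity", list(identity_policies))]
    if scp is not None:
        layers.append(("SCP", [scp]))
    if boundary is not None:
        layers.append(("permissions boundary", [boundary]))

    # 1. An explicit Deny in any layer ends the evaluation.
    for name, policies in layers:
        if any(evaluate_policy(p, action, resource) == "Deny" for p in policies):
            return False, f"explicit deny in {name} policy"
    # 2. Every layer that is present must contain a matching Allow.
    for name, policies in layers:
        if not any(evaluate_policy(p, action, resource) == "Allow" for p in policies):
            return False, f"no allow in {name} policy (implicit deny)"
    return True, "allowed"


def api_error_text(principal, action):
    """The only thing the caller actually sees, whichever layer denied."""
    return f"User: {principal} is not authorized to perform: {action}"


if __name__ == "__main__":
    principal = "arn:aws:iam::111122223333:user/admin"  # constructed
    for scp in (None, ORG_SCP):
        allowed, reason = evaluate_request("ec2:DescribeInstances", "*",
                                           [ADMINISTRATOR_ACCESS], scp=scp)
        print("with SCP" if scp else "no SCP", "->", allowed, reason)
        if not allowed:
            print("  API says:", api_error_text(principal, "ec2:DescribeInstances"))
```

With the identity policy alone, ec2:DescribeInstances is allowed; the moment the SCP is in place it is denied although AdministratorAccess did not change, and the boundary case shows the other failure mode, an implicit deny because the layer simply has no matching Allow. Both outcomes produce the identical "not authorized" text, which is why the account administrator cannot tell from the error or from CloudTrail which layer is responsible.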
I've been working on this problem for four days and finally came up with a solution that I think resolves it.
There are two kinds of CDK bootstrap: legacy and modern. Legacy is the default.
There appears to be a bug in the legacy bootstrap that affects some accounts and not others. I was able to verify that the same code worked for me on one account but produced the exact symptoms of this problem on a newly created account.
If you are not stuck with legacy bootstrap for some reason, just convert over to modern bootstrap. That should make the error (and the reason for the error) go away.
The instructions are here: https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html
Basically, you have to set an environment variable before you call cdk bootstrap, and then you have to change either some code or some configuration in your project.
It is not intuitive that this feature exists in the CDK at all, nor that it would be the fix for this particular problem. However, it cleared it up for me. Maybe it will do the same for others.
I'm an admin user on my AWS account, so I have full access. Working through the console, I get no issues. When I try to work with programmatic access though, I get an access denied error. Does anybody have a clue why?
The code and all is OK, it works fine on my other AWS account on which I have admin access as well. Yes, I did change the AWS configuration to match the access keys to the right account.
If you are 100% sure that your code is correctly assuming your admin role and your admin role has the admin policy, then you are likely facing one of the following:
The resource (e.g., S3) you are trying to access has an explicit deny policy or does not have an allow policy for your user.
IAM service latency. Say you just created this user with admin access and you try to test it immediately with your code; it might happen that AWS thinks you don't have enough permissions. That happened to me when I created a new role; I saw the delay can be up to 20 minutes, but that kind of delay is rare. But you cannot assume your update to IAM permissions takes effect immediately the way an EC2 security group change does.
Have you enabled MFA on the IAM account? If so, you cannot directly access the AWS CLI or API with the access key. You need to create a temporary access key and secret key and use those to access the AWS resource.
With the access key that you configured earlier, you need to create the temporary access key. Refer to the links below for the procedure.
https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/
https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
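The procedure in those two links boils down to one STS call. The script below is an added example, not code from the answer or from AWS: it calls GetSessionToken with the MFA device ARN and the current code, and prints the temporary credentials as shell exports so the CLI picks them up. The STS client is passed in, so a real boto3 client and the constructed StubSts (fixed placeholder credentials and a fixed clock, so the example runs offline) are interchangeable; the device ARN and token code in the demo are made up.

```python
import sys
from datetime import datetime, timedelta, timezone


def get_mfa_session(sts_client, mfa_serial, token_code, duration_seconds=3600):
    """Exchange long-term keys plus the current MFA code for temporary credentials.

    `sts_client` is anything with boto3's STS.get_session_token signature, so a
    real client (boto3.client("sts")) and the stub below are interchangeable.
    Returns the environment variables the AWS CLI and SDKs read.
    """
    if len(token_code) != 6 or not token_code.isdigit():
        raise ValueError("MFA token code must be six digits")
    resp = sts_client.get_session_token(
        SerialNumber=mfa_serial,
        TokenCode=token_code,
        DurationSeconds=duration_seconds,
    )
    creds = resp["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
        # Informational only; the CLI does not read this variable.
        "AWS_SESSION_EXPIRATION": creds["Expiration"].isoformat(),
    }


def to_shell_exports(env):
    """Render the variables as `export` lines for `eval "$(python mfa_session.py ...)"`."""
    return "\n".join(f"export {k}={v}" for k, v in sorted(env.items()))


class StubSts:
    """Constructed stand-in for the STS client so the example runs offline."""

    def get_session_token(self, SerialNumber, TokenCode, DurationSeconds=43200):
        issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
        return {"Credentials": {
            "AccessKeyId": "ASIA-EXAMPLE-KEY",          # placeholder values, not real keys
            "SecretAccessKey": "EXAMPLE-SECRET",
            "SessionToken": "EXAMPLE-SESSION-TOKEN",
            "Expiration": issued + timedelta(seconds=DurationSeconds),
        }}


if __name__ == "__main__":
    # Usage: python mfa_session.py <mfa-device-arn> <six-digit-code>
    if len(sys.argv) == 3:
        import boto3  # only needed for a real call; long-term keys come from ~/.aws
        client = boto3.client("sts")
        serial, code = sys.argv[1], sys.argv[2]
    else:
        client = StubSts()
        serial, code = "arn:aws:iam::111122223333:mfa/example-user", "123456"  # made up
    print(to_shell_exports(get_mfa_session(client, serial, code)))
```

Once the three exports are in the environment they take precedence over the long-term keys in ~/.aws/credentials, so subsequent CLI and SDK calls carry the MFA-backed session and satisfy an aws:MultiFactorAuthPresent condition. When the session expires, run the script again with a fresh code.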
I am trying to deploy JIRA on AWS, but am having a hard time setting it up. I couldn't find any document on how to troubleshoot the following errors.
First one is:
S3 error: Access Denied For more information check
I made an S3 bucket public and was able to bypass this error, but I don't want it to be public. However, since I am creating a whole new stack, I don't have any information about an instance for which to adjust the allow permission to the S3 bucket.
Is there any way to troubleshoot this error without adjusting the bucket to be public?
After bypassing the previous error, I was getting this error:
S3 error: The specified key does not exist.
I definitely couldn't find out how to troubleshoot this issue. What needs to be done to fix this error?
The Access Denied indicates that you do not have permissions to access content in Amazon S3. The normal way of providing these permissions is:
Create an IAM Role
Assign permission to the role sufficient to access the S3 bucket
Assign the Role to the Amazon EC2 instance running the software
The specified key does not exist error basically means File Not Found.
If you want any further troubleshooting tips, you'll need to provide details of what you are doing (e.g. the commands used) and what specific errors you are receiving.
You may also wish to read:
Getting started with JIRA Data Center on AWS - Atlassian Documentation
JIRA on AWS - Quick Start
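The three steps in the answer above, plus the two errors from the question, as an added example that is not part of the answer or of the Atlassian Quick Start: instance_role_documents builds the trust policy that lets EC2 assume a role and a permissions policy scoped to one bucket, and diagnose_s3_get reads an object through any client with boto3's get_object signature and maps AccessDenied versus NoSuchKey to what needs fixing. The bucket name, role name, object key and the StubS3 client (which mimics an instance with and without a role) are constructed for the demo.

```python
import json


def instance_role_documents(bucket, role_name="jira-s3-reader"):
    """Return (trust_policy, permissions_policy) for an EC2 instance role.

    The bucket and role names are placeholders for this example. ListBucket is
    granted on the bucket ARN and GetObject on the object ARNs; S3 only returns
    a clear NoSuchKey for a missing object when the caller has ListBucket,
    otherwise a missing key also surfaces as AccessDenied.
    """
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }
    permissions = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }
    return trust, permissions


def diagnose_s3_get(s3_client, bucket, key):
    """Read one object and translate a failure into the thing to fix.

    `s3_client` follows boto3's S3.get_object signature; failures are expected
    to raise an exception carrying botocore's response["Error"]["Code"].
    """
    try:
        s3_client.get_object(Bucket=bucket, Key=key)
        return "ok"
    except Exception as exc:
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", "")
        if code == "AccessDenied":
            return ("permissions: nothing allows s3:GetObject on this object; "
                    "attach an instance role with the permissions policy above")
        if code == "NoSuchKey":
            return "not found: the bucket is reachable but the key does not exist; check the path"
        if code == "NoSuchBucket":
            return "not found: the bucket does not exist in this account or region"
        raise


class _StubS3Error(Exception):
    """Constructed stand-in for botocore's ClientError shape."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class StubS3:
    """Constructed S3 client: one bucket with one object; no role means AccessDenied."""

    def __init__(self, has_role):
        self.has_role = has_role
        self.objects = {("jira-artifacts", "installer/atlassian-jira.bin"): b"bytes"}

    def get_object(self, Bucket, Key):
        if not self.has_role:
            raise _StubS3Error("AccessDenied")
        if (Bucket, Key) not in self.objects:
            raise _StubS3Error("NoSuchKey")
        return {"Body": self.objects[(Bucket, Key)]}


if __name__ == "__main__":
    trust, perms = instance_role_documents("jira-artifacts")
    print(json.dumps(perms, indent=2))
    print(diagnose_s3_get(StubS3(has_role=False), "jira-artifacts", "installer/atlassian-jira.bin"))
    print(diagnose_s3_get(StubS3(has_role=True), "jira-artifacts", "installer/typo.bin"))
    print(diagnose_s3_get(StubS3(has_role=True), "jira-artifacts", "installer/atlassian-jira.bin"))
```

The run reproduces the question's sequence: without a role the read fails with AccessDenied, and after the role is in place the remaining failure is a plain missing key, which is a path problem rather than a permission problem. Against a real account, pass boto3.client("s3") instead of the stub.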