I've got an issue where a Cognito-authenticated user seems to have the correct permissions to interact with SSM, but all calls to SSM are being rejected. Here's what my policy looks like:
Cognito Role
Of course in a production environment we won't have open permissions like that and certainly won't have the Administrator policy attached, but this was to test as well as make the point that we really can't authenticate here.
I should add that we can access our dynamodb resources using tha policy with no issues, it's just SSM giving us trouble. We're getting error messages similar to this:
AccessDeniedException: User: arn:aws:sts::ACCOUNTID:assumed-role/COGNITOROLE is not authorized to perform: ssm:GetParametersByPath on resource: arn:aws:ssm:us-west-2:ACCOUNTID:parameter/
where I've replaced the account number and role name. Does anyone know what I'm doing wrong? Thanks a ton in advance.
Related
I am trying to upload a new AWS GameLift Linux server using the AWS CLI but I get the following error:
An error occurred (AccessDeniedException) when calling the CreateBuild operation: User: arn:aws:iam::------:user/----- is not authorized to perform: gamelift:CreateBuild because no identity-based policy allows the gamelift:CreateBuild action
I added the arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy to my group permissions. I can see in the policy json that there isn't a CreateBuild action. It either needs to be added or you can't do it this way.
The AWS documentation is useless and on this page: https://docs.aws.amazon.com/gamelift/latest/developerguide/security_iam_troubleshoot.html#security_iam_troubleshoot-no-permissions
it helpfully advises: ... asks his administrator to update his policies
My user is the main root user for my AWS account but I have no idea how to resolve this. Any ideas?
I worked out how to create a new Policy and add the service permissions. You click on 'create policy' and then choose the 'GameLift' service. I added all the available actions. Seemed to do the trick.
Why did AWS miss this out of the documentation?
I'm trying to setup my aws cli. I downloaded it and everything worked.
Now I wanted to log in from my powershell script.
Set-AWSCredentials –AccessKey key-name –SecretKey key-name
Because I don't have any users at the moment I had to create one. I have given the user admin rights.
When creating the user aws throws this error:
User: arn:aws:sts::37197122623409:assumed-role/voclabs/user2135080=.... is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::371237422423709:user/.... because no identity-based policy allows the iam:CreateUser action
My first thought was that my education account is having a problem. But I didn't find anything about it. Thanks for your help in advance.
The "voclab" part of the error suggests you are not logged as the account root user but instead assuming a role in an account used for teaching purposes.
This role is probably designed to disallow IAM actions, in order to prevent privilege escalation.
Read
https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html to get role credentials for the role you're assuming
You can't make any IAM roles, policies or users as a student using voclabs account. AWS Academy does not allow to do that and its a hard limit which you nor your educator can change.
I have 2 AWS accounts, one personal and a client account.
Personal account:
account id: 789XXXXXX
Client account:
account id: 123XXXXXX
I'm working on the client and tried to run my lambda function locally, when I do I get the following error: AccessDeniedException: User: arn:aws:iam::789XXXXXX:user/amplify-pUDkX is not authorized to perform: secretsmanager:GetSecretValue on resource: postgres-secret because no identity-based policy allows the secretsmanager:GetSecretValue action.
I was a bit confused as this function had been working previously, once I looked into the error message I noticed that the user amplify-pUDkX didn't even exist on the client account and that the AWS account id along with the user actually matched up to my personal account. I've already run amplify configure and it's connected to the client account, I've also been making updates to the resources on the client account through the amplify cli so I know I'm not signed into the wrong account.
Also just to note, when the function gets deployed it's able to function no problem so this is only happening on my local machine.
I'd appreciate any help, thanks.
This is due to saved aws credentials in C:\Users\username\.aws. You can remove the ones not required. Also while setting up the app using cli you get the option to choose profile to avoid this issue.
I need to access a DynamoDB in AWS on my computer, where I have set up my credentials in AWS CLI. ALthough my provided user has the appropriate access authorization I get this error message, always when I have to get an Item from my database-table:
User: arn:aws:iam::[user-number]:user/[username] is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:eu-west-1:[user-number]:table/data_table_1 with an explicit deny
As already said, this user is authorized by the administrator to perform this request.
Maybe I am overseeing something or it has to do sth. with this "explicit deny".
I appreciate your help. Thanks
**For the Policies MFA must be present. So maybe I have to authorize myself with MFA device? How do I do that (if I am correct) via the AWS CLI?
we have an aws 'test' account created by our aws Organization.
i was creating some roles for testing purposes, but i'm totally unable to delete them, even with the root account. The error is:
User: arn:aws:iam::xxxxxxxxxxxx:root is not authorized to perform: iam:DeleteRole on resource: role test with an explicit deny.
i have no policy attached on the rule, everything seems fine.
Btw, the same scenario works correctly on the organization master account, i can delete roles there.
Anyone can help?
Thanks
D.
It looks like that either there is a policy attached to user (or to a group to which user belongs) which is denying this action.
You can also confirm if this role is assigned to some instance profile or to another user/group.