Are AWS Console Permissions separate from AWS CLI Permissions? - amazon-web-services

I have permissions to create lambda functions, as well as RDS instances. I am able to use these tools via the AWS console without issue. However, each of the following commands fails:
$ aws lambda list-functions
An error occurred (AccessDeniedException) when calling the ListFunctions
operation: User: arn:aws:iam::<IAM ID>:user/<username> is not
authorized to perform: lambda:ListFunctions on resource: * with an explicit deny
$ aws rds describe-db-instances
An error occurred (AccessDenied) when calling the DescribeDBInstances
operation: User: arn:aws:iam::<IAM ID>:user/<username> is not
authorized to perform: rds:DescribeDBInstances with an explicit deny
Are there separate permissions that are needed for CLI access?

@Michael-sqlbot helped me realize that I was not using MFA on the CLI, which is what caused the error. I followed the instructions listed on Using Temporary Security Credentials to Request Access to AWS Resources - AWS Identity and Access Management to solve my problem.
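
Why the console succeeded while the CLI got an explicit deny, shown as an added example (not part of the original post): a reduced model of IAM policy evaluation run against an assumed "require MFA" policy. The policy, the request contexts and the function names are assumptions; the asker's real policy is not shown on the page.

```python
import json
from fnmatch import fnmatchcase

# Assumed "require MFA" policy (not the asker's real one): allow Lambda and RDS,
# deny all but the MFA bootstrap calls when the request carries no MFA.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["lambda:*", "rds:*", "sts:GetSessionToken"],
   "Resource": "*"},
  {"Effect": "Deny", "NotAction": ["iam:ListMFADevices", "sts:GetSessionToken"],
   "Resource": "*",
   "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}""")

# Constructed request contexts for three ways the same IAM user can call AWS.
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
CLI_LONG_TERM_KEYS = {}  # access key + secret key: the MFA key is absent
CLI_MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}  # via sts get-session-token

def _matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _condition_holds(condition, context):
    for operator, tests in condition.items():  # only Bool / BoolIfExists modelled
        for key, expected in tests.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue  # absent key satisfies an ...IfExists test
                return False
            if context[key].lower() != expected.lower():
                return False
    return True

def evaluate(policy, action, context):
    """Return 'explicit deny', 'allow' or 'implicit deny' (every Resource is '*')."""
    allowed = False
    for st in policy["Statement"]:
        hit = (not _matches(st["NotAction"], action) if "NotAction" in st
               else _matches(st["Action"], action))
        if hit and _condition_holds(st.get("Condition", {}), context):
            if st["Effect"] == "Deny":
                return "explicit deny"  # a matching Deny always wins
            allowed = True
    return "allow" if allowed else "implicit deny"

if __name__ == "__main__":
    for name, ctx in (("console", CONSOLE_WITH_MFA), ("CLI keys", CLI_LONG_TERM_KEYS)):
        print(name, "->", evaluate(POLICY, "lambda:ListFunctions", ctx))
```

The third context corresponds to credentials returned by `aws sts get-session-token --serial-number <mfa-device-arn> --token-code <code>`, which carry the MFA flag that long-term access keys lack.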

Related

Aws lambda deployment with zappa

botocore.exceptions.ClientError:
An error occurred (AccessDeniedException) when calling the CreateFunction operation: Lambda was unable to encrypt your environment variables because the KMS access was denied. Please check your KMS permissions.
KMS Exception: AccessDeniedException KMS Message:
User: arn:aws:iam::816087693535:user/pj#123.com is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd with an explicit deny in a service control policy.
Also we tried to read and write kms policies but it did not work out.
You need to allow the IAM user pj#123.com to perform kms:Encrypt on the resource arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd. If you have already tried that but it still doesn't work, my next question would be if you are using AWS Organizations. If you do, I would visit AWS Organizations on the Management Account and check for any Service Control Policies (SCPs) which explicitly deny this action. If you follow these steps the resolution of your issue should be straightforward. Kindly let me know if not.
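
The "not authorized" messages quoted on this page differ in their suffix, and that suffix says where to look. As an added example (not part of the original answer), a parser that separates an implicit deny, an explicit deny and an explicit deny from a service control policy; the sample messages are constructed with placeholder account and key IDs, and the `triage` function name is hypothetical.

```python
import re

DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:\w+)"
    r"(?: on resource: (?P<resource>\S+))?"
    r"(?P<explicit> with an explicit deny(?: in an? (?P<policy_type>[\w -]+? policy))?)?"
)

# Constructed samples modelled on the errors quoted on this page (placeholder IDs).
SAMPLES = [
    "An error occurred (AccessDeniedException) when calling the ListFunctions operation: "
    "User: arn:aws:iam::111122223333:user/alice is not authorized to perform: "
    "lambda:ListFunctions on resource: * with an explicit deny",
    "User: arn:aws:iam::111122223333:user/alice is not authorized to perform: kms:Encrypt "
    "on resource: arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID "
    "with an explicit deny in a service control policy.",
    "User: arn:aws:sts::111122223333:assumed-role/deploy/botocore-session-1700000000 is not "
    "authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111122223333:role/deploy",
]

def triage(message):
    """Return the parsed fields plus a hint on which policy layer to inspect."""
    m = DENIED.search(message)
    if m is None:
        return None
    # ARN layout: arn:partition:service:region:account:resource
    parts = m["principal"].split(":", 5)
    kind = parts[5].split("/", 1)[0] if len(parts) == 6 else "unknown"
    if m["explicit"] is None:
        deny = "implicit"
        look = "no Allow matched: identity policy, or the role trust policy for sts:AssumeRole"
    elif m["policy_type"] == "service control policy":
        deny = "explicit (SCP)"
        look = "SCPs attached in the AWS Organizations management account"
    else:
        deny = "explicit"
        look = "Deny statements and their conditions (for example MFA) that apply to the principal"
    return {"principal": m["principal"], "principal_kind": kind, "action": m["action"],
            "resource": m["resource"], "deny": deny, "look_at": look}

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        print(result["action"], "|", result["deny"], "|", result["look_at"])
```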

Why is `botocore-session-id#` being attached to my Amazon Resource Number (arn:) when trying to `assume-role` via AWS CLI

Up until now I have been able to run aws sts assume-role --role-arn arn:aws:iam::<accountID>:role/<iam_role> --role-session-name <a_session_name> --profile <the_profile_name> without a hitch...
Now I'm getting an error An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::<accountID>:assumed-role/<iam_role>/botocore-session-xxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<accountId>:role/<iam_role>
Is this due to me being in an assumed role state and then attempting to assume the same role again? If that is the case then what's the solution for clearing out the botocore cache?
I have cleared the ~/.aws/cache directory
I have been successful assuming this role until today, no security credentials have been removed from my AWS account
I've killed and restarted iTerm session
executing aws sts get-caller-identity --profile picklerick nets me the same results: both arn: and userId have the same botocore-session-xxxxx attached
these questions are not dupes of this question:
Access denied when assuming role as IAM user via boto3
AWS cli: not authorized to perform: sts:AssumeRole on resource
python boto3 error: Not authorized to perform assumed role on resource
if any of this makes sense to you then you might also be able to explain what caused this in the first place - I've had no issues up until this, never cared or saw mention of boto

Connection denied while using mssh to connect to AWS Educate EC2 instance

AWS CLI is throwing this error. Am I doing something wrong or does my institution simply not allow me to connect? What's the point if this is valid? Frustrated.
CLI is throwing this error -
Error while pushing the public key:
An error occurred (AccessDeniedException) when calling the SendSSHPublicKey operation: User: arn:aws:sts::550549147475:assumed-role/vocstartsoft/user1366934=ag618#g.harvard.edu is not authorized to perform: ec2-instance-connect:SendSSHPublicKey on resource: arn:aws:ec2:us-east-1:550549147475:instance/i-0d13f5839e0d3dd00 with an explicit deny
The operation you are trying to perform has been explicitly denied. This means that AWS Educate prohibits such an action and you can't change that.
Please note that AWS Educate Starter Accounts are very limited, and only a handful of services and operations are allowed:
AWS Services Supported with AWS Educate Starter Account

AWS SageMaker Access Denied

I started to work with AWS SageMaker. I have an AWS Starter Account. I have been trying to deploy a built-in algorithm for 2 days but I always get AccessDeniedException despite the fact that I created an IAM role according to https://aws.amazon.com/tr/getting-started/tutorials/build-train-deploy-machine-learning-model-sagemaker/
ClientError: An error occurred (AccessDeniedException) when calling the CreateTrainingJob operation: User: arn:aws:sts::161745376217:assumed-role/AmazonSageMaker-ExecutionRole-20200203T194557/SageMaker is not authorized to perform: sagemaker:CreateTrainingJob on resource: arn:aws:sagemaker:us-east-1:161745376217:training-job/blazingtext-2020-02-03-18-12-14-017 with an explicit deny
Could you help me to solve this problem?
Thank you so much
You have created a role for SageMaker to access S3 bucket, but it seems your IAM user doesn't have access to SageMaker service. Please make sure your IAM user has permission to SageMaker.
This error usually occurs if you have an AWS Educate account. It restricts you from taking full control of the SageMaker service. In this case, I'd recommend you access AWS using a regular AWS account.

AWS Federated Login: (AccessDenied) when calling the AssumeRoleWithSAML operation

When I try to log in using federated login for AWS CLI, I get this error:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRoleWithSAML operation: Not authorized to perform sts:AssumeRoleWithSAML
This prevents me from logging into AWS CLI, and I need that so I can access our CodeCommit repo.
How should I fix this error, do I need to specify the role explicitly?
It turned out I did need to specify the role explicitly, by its ARN.
aws_cli_login --role arn:aws:iam::28475767868:role/my-role
It worked after that. Probably when I didn't specify a role it tried some default role for which I didn't have access.