Admin access denied with programmatic access in AWS - amazon-web-services

I'm an admin user on my AWS account, so I have full access. Working through the console, I get no issues. When I try to work with programmatic access though, I get an access denied error. Does anybody have a clue why?
The code and all is OK, it works fine on my other AWS account on which I have admin access as well. Yes, I did change the AWS configuration to match the access keys to the right account.

If you are 100% sure that your code is correctly assuming your admin role and you admin role is having the admin policy, then you should be facing:
The resource(e.g., S3) you are trying to access has some explicit deny policy or not having an allow policy for you user.
IAM service latency. Say if you just create this user with admin access and you try to test that immediately with your code, it might happen that AWS thought you don't have enough permission. That happen to me when I created a new role, I saw delay can be up to 20 minutes, but that kind of delay is rare. But you cannot assume your update to IAM permissions to take effect immediately just like the EC2 security group.

Have you enabled MFA in the IAM account. If so, you cannot directly access the AWS CLI or API with Access key. You need to create a temporary Access and secret key and use those to access the AWS resource
With the access key that you configured earlier you need to create the temp access key. Refer the below links for procedure.
https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/
https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/

Related

Problem on creating access tokens for IAMUSER via aws educate account

I want to use aws s3 on my laravel project , for this i created a bucket on s3 and also created IAMUSER and give it "S3FullAccess" permission but it create user with some error, access_key not created...
I use my vocareum account credentails (found on Account details button) but laravel gives an error "Invalid access token".
please help...
e
On AWS Educate Starter Account you can't create access keys for IAM users. From their docs:
You can create users, but cannot associate login profile or access keys for them
The AWS Educate accounts have a lot of limitations and they just barely allow to do what you need to do in your classrooms.
It appears that the user you are logging into AWS as is not an administrator user, or certainly lacks some administration permissions.
I'm not familiar with Vocareum but it seems to be some sort of learning management system - I presume you are using an AWS account that they control, which would explain the lack of privileges. If that is the case, and it is their AWS account that you are accessing, then you will need to raise a support case with them.
If this is your account, and you created this user, then you need to log into the account as the root user you created when you configured your AWS account and use it to create an access key for this current user.

How to check which permissions I have as an IAM user

I'm totally new to AWS and learning about IAM. I was wondering if there is a way around for an IAM user to check what all permission he/she have? Like as a root user, I created a group of IAM users where they were only allowed to use S3 service but once I logged in as an IAM user, it was showing that I have access to other AWS services as well like running EC2 instances, etc which I reckon shouldn't be the case. Thanks!
No, it isn't possible to "show" which services you have access to use, because the policies can be quite complex (eg permission to access an S3 bucket, but only a particular sub-folder if coming from a given range of IP addresses).
You would need to look the the IAM Policies attached to the IAM User, plus the policies on any IAM Groups they are in. Then, some services like Amazon S3 have additional permissions such as Bucket Policies.
In addition, AWS Organizations can limit the permissions of all users within an AWS Account, so even if a user appears to be granted certain permissions, they might not actually be available for use.
In many situations, you'll only know if you can do something by actually trying it. For example, you might have Read Only permissions, which means you can see resources in the AWS Console, but you would receive an error when you try to change things.
All services are available in the AWS Console, but various parts of the console will only work if you have adequate permission.
Note that there's IAM Policy Simulator from AWS. You can select a service and check if a given user has access to any given action (or all actions relevant to a service)

Which IAM user am I in the console?

I am a bit confused about AWS IAM. which user am I when I'm in the console? I am currently trying to make a s3 policy for one of my buckets. and I'm getting an error saying Access denied which I believe is due to not having the correct permissions for one user. so I gave this user fullS3 access. but I'm still getting Access denied.
so which user does the console think I am? if that makes sense? or how can I give that user controlling the console the correct s3 access?
The user you are in the console is whichever user you logged in as. If you haven't created a user, and you're logging in to the console with your email address, then you're the root user, which has full permissions. There are still some reasons that you could be getting access denied though.
Is it possible you've already applied a bucket policy which denies access to all? If so, you could try deleting the current policy rather than changing it in the console, then applying the new one. Sometimes you will need to remove the policy with the CLI though.
If not, could it be this issue? Access denied when put bucket policy on aws s3 bucket with root user (= bucket owner)
If neither of these work, please confirm which user you are logged in as (it'll say in the top right hand corner), and the JSON for the policy you're trying to apply.

AWS Which IAM Role For S3 Presigned URL

I am deploying a server program in an ec2 instance which needs to be able to create pre-signed urls for s3. So far I've had my AWS credentials in environment variables for testing, but I would like to switch to the IAM Role strategy now. However, I am unsure as to which policies the role should have access too. My initial guess is to have AmazonS3FullAccess, but the description says "Provides full access to all buckets via the AWS Management Console" but the ec2 instance will be using the c++ sdk, not the management console. Or is the policy not important, just that it has a policy so it gets credentials somehow?
You're confusing policies and roles.
a policy grants permissions to a user or to a role or to a group.
the difference between a user and a role is subtle, but basically a role is something that's assumed by other services in AWS, like an EC2 instance, while a user is generally just an identity you've created for use in AWS.
The policy description for full access may make mention to the management console, but it grants full access to all buckets whether through the console, the api or an sdk, they're all really the same thing under the hood.
You should not use the fullaccess policy. You could use it as a base to build your real policy, but IAM should always use the least privilege principal, where you only give the permissions that are absolutely required, in this case the role only needs read and possibly list permissions on the specific bucket in question if generating urls for reading, or put permissions if allowing uploads.

Amazon Web Services read-only account?

Is there an option to grant read-only access to an Amazon Web Services (AWS) account?
What I'd like to achieve is to be able to see instances and configurations without having to log in as a user who has administrative permissions to avoid accidental changes.
No. An AWS Account cannot be made "read-only".
However, you can create a User in Identity and Access Management (IAM) and assign them "Read Only" permissions, which means they can interact with AWS but cannot change anything. However, this would still require that they login or at least use a set of credentials with calling the API or using the Command-Line Interface (CLI).
If your main goal is to avoid accidental changes, try this:
Create a User in IAM who has minimal permissions (eg read-only, and probably also permissions to create new resources such as buckets and instances)
Create a Role in IAM that has elevated permissions
Setup the User with the ability to "assume" the Role within the web browser
This way, the User won't have 'dangerous' permissions unless they specifically request it. A visual indication then shows when they are using this alternate role (which can also grant access to a different AWS Account).
For details, see:
Blog: Cross-Account Access in the AWS Management Console
Article: Enable a New Feature in the AWS Management Console: Cross-Account Access