Access Denied error while trying to use AWS CLI commands - amazon-web-services

I have a user in AWS having Full admin access but still when I try to describe my EC2 instances or List S3 buckets, I get an Access denied error message - examples below. Any help will be greatly appreciated.
aws s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
aws ec2 describe-instances --region eu-west-2
An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.

From the command prompt or Linux shell type "aws configure". Verify that the credentials and default region are correct (the last four characters will be displayed). I had the same problem today and I forgot to configure my access keys on a new machine.

Related

aws broken AuthFailure on EC2

My aws is suddenly throwing error everywhere since yesterday.
(on windows terminal, WSL2 ubuntu) Couple days ago terraform worked fine. So I know aws credentials are accurate but to be sure I did
aws configure --profile mohit
Access Key ID [None]: aws_access_key_id
Secret Access Key [None]: default_secret_key
Default region name [None]: us-east-1
Default output format [None]: json
and executed
aws ec2 --profile mohit describe-instances --region ap-south-1
IAM user has Administrator access.So that rules out permission issues.
Also I tried Bunch of different regions, none worked.
An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials
This error is consistent.
AWS says time might be out of sync with amazon.
I tried the solution and
ntpdate[172]: the NTP socket is in use, exiting this error popped.
Also
sudo service ntp stop
>> ntp: unrecognized service
and
Fatal error : adjtimex(0x8001) failed : Function not implemented on trying to do chronyd on WSL2 ubuntu.
How do I fix this?
UPDATE :
I checked my BIOS and clock was off by 5 min there as well (I would love to know the reason) So I manually set it to time.gov UTC.
Problem Solved, but Reason is still unknown!

InvalidClientTokenId when calling get-caller-identity on an AWS EC2 instance with instance profile

We're having an issue where we're on a CentOS EC2 instance that is using a role through an attached instance profile. When we're on the console after SSHing in, we run the python awscli command line tool to get our identity:
$ aws sts get-caller-identity
we're getting
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
other commands, such as aws ec2 describe-instances work and are allowed by the instance profile.
From reading the AWS documentation, no permissions should be required to get-caller-identity and there's no explicit deny set on the role associated with instance.
We checked and there's no .aws/credentials file and no env variables set, so access should be entirely managed through the metadata service on the EC2 instance.
Is there something missing in our setup or invocation of the awscli that might cause the permission to fail?
Just documenting the fix for anyone that runs into this issue.
All calls to the awscli should probably include a --region <region> parameter.
E.g.
$ aws sts get-caller-identity --region us-east-2
We were prompted for the region on our aws ec2 describe-instances call but on the aws sts get-caller-identity call, it just failed.
Additionally, we found that the AWS_REGION environment variable didn't seem to affect calls: we still needed to include the --region <region> parameter.

Receiving Error "An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation"

Im am currently trying to login to the Amazon ECR using the following command aws ecr get-login --region eu-west-2 --no-include-email and am recieveing the following error;
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::************:user/referral is not authorized to perform: ecr:GetAuthorizationToken on resource:
Here is what I have currently tried;
Assinging amazonec2containerregistryfullaccess to both user and group
2FA disabled
I also tried to add a Statement within the premissions section of the repo that I had created within Amazon ECR
All the solutions above failed and I am still receieveing the same error, any help on this would be greatly appreciated !
Changing access tokens in both ~/.aws/credentials and ~/.aws/config worked for me.
sudo vim ~/.aws/config
sudo vim ~/.aws/credentials

How to set the user for the AWS CLI

After installing awscli (the AWS command line tool), when I try to run it. I get this message in the terminal:
$ aws dynamodb describe-table --table-name MyTable
An error occurred (AccessDeniedException) when calling the DescribeTable operation:
User: arn:aws:iam::213352837455:user/someuser is not authorized to
perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:ap-northeast-1:213352837455:table/MyTable
$
But I don't know why I am considered logged as someuser at this moment (in the terminal in particular, but even in AWS).
someuser is only one of the few users I have set on AWS, a while ago.
What is the way to get logged in as the right user, to use awscli?
If you are running the AWS Command-Line Interface (CLI) on an Amazon EC2 instance that has been assigned a role, then the CLI can use the permissions associated with that role.
If you are not running on an EC2 instance, then you can provide credentials via a credentials file (~/.aws/credentials) or an environment variable.
The easiest way to configure the credentials is:
$ aws configure
See: Configuring the AWS CLI
Maybe your old credentials are still stored in ~/.aws.
Log in with correct credentials
aws configure
For more info see Configuring the AWS CLI
in official documentation.

Running AWS CLI commands as ec2-user

I'm trying to use the AWS CLi for the first time, and I am doing it through putty by SSHing to the ec2 instance.
I want to run a command like "aws ec2 authorize-security-group-ingress [options]"
But I get the following error: "A client error (UnauthorizedOperation) occurred when calling the AuthorizeSecurityGroupIngress operation: You are not authorized to perform this operation."
I believe that this is related to IAM user credentials. I have found out where to create IAM users, however I still don't understand how this helps me to execute this command when I'm logged into the server as ec2-user or root, or run the command through CRON.
I have done a fair amount of reading regarding the access controls on AWS in their documentation, but I seem to be missing something.
How can I allow the command to be executed from within the AWS instance?
The missing information I was looking for is the command: aws configure
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: json