Lack of "workspaces:RegisterWorkspaceDirectory" permission when registering a Workspaces Directory

0

Hi, I am using Terraform to provision new Amazon WorkSpaces. I have an AD Connector created and linked to our internal domain. The next step is to create a WorkSpaces Directory. Part of the creation is linking the Directory to the AD Connector using the Terraform "aws_workspaces_directory" resource. However, I get the following error when running the Terraform code, even though the user below has been granted the AmazonWorkSpacesAdmin & AWSDirectoryServiceFullAccess permission policies.

Error: error registering WorkSpaces Directory (d-xxxxxxxxxx): AccessDeniedException: User: arn:aws:iam::xxxxx:user/xxxx is not authorized to perform: workspaces:RegisterWorkspaceDirectory on resource: arn:aws:workspaces:us-east-1:xxxxx:directory/d-xxxxxxx because no identity-based policy allows the workspaces:RegisterWorkspaceDirectory action

Does anybody know which permission policy is needed to grant the "workspaces:RegisterWorkspaceDirectory" action? If I read the error correctly, the user lacks permission to register the WorkSpaces directory with the AD Connector? If so, how do I check who has such permission on the AD Connector?

Thank you.

2 Answers
0
Accepted Answer

I can't find that permission in any of the managed policies (including AmazonWorkSpacesAdmin) aside from granting AdministratorAccess, so I'd recommend attaching an inline policy [1] to your IAM user similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces:RegisterWorkspaceDirectory"
      ],
      "Resource": "*"
    }
  ]
}

You might need to add more permissions (or just workspaces:*) to this if you get any more errors like this.

Looking at the docs, you'll also need to create the workspaces_DefaultRole if you haven't already.

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html

Ed
answered 2 years ago
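The error in the question is IAM's implicit deny: no identity-based policy statement matched the action, so the request failed before WorkSpaces ever looked at the directory. The following is an added example, not code from the original post or from AWS, that reproduces just that part of IAM evaluation offline: it takes the inline policy from the accepted answer, a hypothetical least-privilege variant scoped to the single directory ARN, and reports Allow, ExplicitDeny or ImplicitDeny. It also answers the "who has this permission?" part of the question for a set of exported policies. The account ID, directory ID and user ARN are constructed placeholders; managed policies, permission boundaries, SCPs and Condition blocks are deliberately out of scope.

```python
"""Offline evaluator for the identity-based part of IAM authorization.

Added example; not code from the original post or from AWS. It reproduces the
logic behind the error in the question: an action is allowed only if some
statement in an identity-based policy allows it and no statement explicitly
denies it. The policies and ARNs below are constructed for illustration; the
account ID and directory ID are placeholders.
"""
import json
import re

ACTION = "workspaces:RegisterWorkspaceDirectory"
# Constructed ARN in the same shape as the one in the error message.
DIRECTORY_ARN = "arn:aws:workspaces:us-east-1:111122223333:directory/d-0123456789"

# The inline policy from the accepted answer (trailing comma removed so it parses).
INLINE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["workspaces:RegisterWorkspaceDirectory"],
      "Resource": "*"
    }
  ]
}
""")

# Hypothetical least-privilege variant: same action, but scoped to the one
# directory Terraform is registering instead of every directory in the account.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ACTION, "Resource": DIRECTORY_ARN}
    ],
}


def _as_list(value):
    """IAM lets Statement/Action/Resource be a string or a list; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case):
    """IAM wildcard match: '*' matches any run, '?' one character.
    Action names compare case-insensitively; ARNs are case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one action/resource.

    Only Effect/Action/Resource are modelled. Statements using NotAction,
    NotResource or Condition are rejected rather than silently misjudged.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            unsupported = set(stmt) & {"NotAction", "NotResource", "Condition"}
            if unsupported:
                raise NotImplementedError(f"statement uses {sorted(unsupported)}")
            if not any(_match(a, action, True) for a in _as_list(stmt.get("Action"))):
                continue
            if not any(_match(r, resource, False) for r in _as_list(stmt.get("Resource"))):
                continue
            if stmt.get("Effect") == "Deny":
                return "ExplicitDeny"  # an explicit Deny wins over any Allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def principals_allowed(principal_policies, action, resource):
    """Given {principal_arn: [policy, ...]}, list the principals whose own
    identity-based policies allow the action: the offline answer to
    'who has this permission?' once the policies have been exported."""
    return sorted(
        arn for arn, pols in principal_policies.items()
        if evaluate(pols, action, resource) == "Allow"
    )


if __name__ == "__main__":
    user = "arn:aws:iam::111122223333:user/terraform"  # constructed placeholder
    print(evaluate([], ACTION, DIRECTORY_ARN))               # the situation in the question
    print(evaluate([INLINE_POLICY], ACTION, DIRECTORY_ARN))  # after attaching the inline policy
    print(principals_allowed({user: [SCOPED_POLICY]}, ACTION, DIRECTORY_ARN))
```

Against a live account the authoritative check is the IAM policy simulator, which does include managed policies, permission boundaries and SCPs: `aws iam simulate-principal-policy --policy-source-arn <user-or-role-arn> --action-names workspaces:RegisterWorkspaceDirectory --resource-arns <directory-arn>`. Running it per principal (or via `aws iam simulate-custom-policy` against exported policy documents) is how to find out who can register the directory, since the AD Connector itself carries no resource policy that would grant the WorkSpaces action.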
0

Thanks, Ed! Your suggestion works well. I am surprised even the AmazonWorkSpacesAdmin permission policy does not include the register action. Appreciate your quick reply!

answered 2 years ago
