1 Answer
Hi,
I have performed tests with the same IAM policy and CloudFormation stack and can replicate the permission error. While looking at CloudTrail, I have found the following log for my IAM role iot-cloudformation:
"errorMessage": "User: arn:aws:sts::123456789012:assumed-role/iot-cloudformation/AWSCloudFormation is not authorized to perform: iot:ListTagsForResource on resource: arn:aws:iot:us-east-1:123456789012:rolealias/MyGreengrassCoreTokenExchangeRoleAlias because no identity-based policy allows the iot:ListTagsForResource action",
Therefore, when CloudFormation manages the IoT role alias resource, it sends an iot:ListTagsForResource event as well. With the following IAM policy, the CloudFormation creation has passed:

```json
{
  "Effect": "Allow",
  "Action": [
    "iot:CreateRoleAlias",
    "iot:DeleteRoleAlias",
    "iot:DescribeRoleAlias",
    "iot:UpdateRoleAlias",
    "iot:ListTagsForResource"
  ],
  "Resource": "*"
}
```
answered 9 months ago
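The debugging loop in the answer above (filter CloudTrail by the role's session ARN, find the AccessDenied record, read the denied action out of the error message, add it to the policy) can be scripted. The following is an added example and not code from the answerer or from AWS: it parses a handful of constructed CloudTrail records shaped like the `CloudTrailEvent` JSON that `cloudtrail:LookupEvents` returns, extracts the denied `<service>:<Action>` pairs for one role, and compares them against the policy statement from the answer (before `iot:ListTagsForResource` was added) to produce the missing Allow statement. The account id, session name and S3 bucket in the sample records are placeholders, and `policy_allows` is a coarse wildcard match on the Action field, not an IAM policy simulator (it ignores Resource and Condition scoping and explicit Deny).

```python
"""Derive missing IAM actions from AccessDenied CloudTrail records (added example)."""
import json
import re
from fnmatch import fnmatchcase

# Message shape seen in the answer:
# "User: <principal> is not authorized to perform: <action> on resource: <arn> because ..."
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

SESSION_ARN = "arn:aws:sts::123456789012:assumed-role/iot-cloudformation/AWSCloudFormation"

# Constructed CloudTrail records; only the fields this script reads are present.
SAMPLE_RECORDS = [
    {   # a successful call: no errorCode at all
        "eventSource": "iot.amazonaws.com", "eventName": "CreateRoleAlias",
        "userIdentity": {"type": "AssumedRole", "arn": SESSION_ARN},
    },
    {   # the denial from the answer
        "eventSource": "iot.amazonaws.com", "eventName": "ListTagsForResource",
        "errorCode": "AccessDenied",
        "errorMessage": (
            f"User: {SESSION_ARN} is not authorized to perform: iot:ListTagsForResource "
            "on resource: arn:aws:iot:us-east-1:123456789012:rolealias/MyGreengrassCoreTokenExchangeRoleAlias "
            "because no identity-based policy allows the iot:ListTagsForResource action"),
        "userIdentity": {"type": "AssumedRole", "arn": SESSION_ARN},
    },
    {   # a denial for a different role, which the per-role filter must skip
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "errorCode": "AccessDenied",
        "errorMessage": ("User: arn:aws:sts::123456789012:assumed-role/other-role/session is not "
                         "authorized to perform: s3:GetObject on resource: arn:aws:s3:::example-bucket/key"),
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/other-role/session"},
    },
]


def denied_actions(records, role_name):
    """Return {action: resource} for every AccessDenied record produced by `role_name`."""
    missing = {}
    for rec in records:
        if rec.get("errorCode") != "AccessDenied":
            continue
        arn = rec.get("userIdentity", {}).get("arn", "")
        # Assumed-role session ARNs are .../assumed-role/<role>/<session>; this is the
        # "filter by user name" step from the thread, done on the ARN instead.
        if f":assumed-role/{role_name}/" not in arn:
            continue
        m = DENIED_RE.search(rec.get("errorMessage", ""))
        if m:
            missing[m.group("action")] = m.group("resource") or "*"
        else:
            # Message not in the standard shape: fall back to eventSource/eventName.
            service = rec["eventSource"].split(".")[0]
            missing[f"{service}:{rec['eventName']}"] = "*"
    return missing


def policy_allows(policy, action):
    """Coarse check: does any Allow statement's Action list match `action`?
    IAM action names are case-insensitive and may use * wildcards."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatchcase(action.lower(), pat.lower()) for pat in actions):
            return True
    return False


def missing_statement(policy, records, role_name):
    """Allow statement covering the denied actions the policy does not already grant, or None."""
    still_missing = sorted(a for a in denied_actions(records, role_name)
                           if not policy_allows(policy, a))
    if not still_missing:
        return None
    return {"Effect": "Allow", "Action": still_missing, "Resource": "*"}


# The statement from the answer as it was before iot:ListTagsForResource was added.
BEFORE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iot:CreateRoleAlias", "iot:DeleteRoleAlias",
               "iot:DescribeRoleAlias", "iot:UpdateRoleAlias"],
    "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(missing_statement(BEFORE_POLICY, SAMPLE_RECORDS, "iot-cloudformation"), indent=2))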
Aha, the debugging piece I was missing was that I needed to filter the CloudTrail event history by the user name. Then I could see that failed ListTagsForResource call. Now that I've added iot:ListTagsForResource to the policy, my stack (including the role alias) is successfully creating. Thanks!
Hello, I'd recommend that you look at CloudTrail to see what exact API call is being denied. This is a good permission debugging technique in general.