Error while creating new IAM role

Question

When I create a new IAM role, in this case I am doing this in order to create an Export Job in AWS RoboMaker I get the following error:

>AccessDeniedException: User: arn:aws:iam::xxxxxxxxxxxx:user/xxxxxx@xxxxxx.it is not authorized to perform: iam:CreatePolicy on resource: policy AWSRoboMakerWorldForgePolicy_eeb50488-b552-91a1-3857-f28790842fd1 because no identity-based policy allows the iam:CreatePolicy action

The point is that everytime I try to create the Export Job with the same settings (same S3 bucket as an output, same IAM role name), this error appears with the same structure, but with a different alpha-numeric sequence after the "AWSRoboMakerWorldForgePolicy_", hence it is unseful also to ask for this permission since it is always different.

Does anyone have any idea?

Accepted Answer

It looks like the operation you're attempting needs to create a policy as well as a role, so your user needs to be granted permission to iam:createPolicy. You can do this through the console if you have access otherwise you'd need to ask your administrator.

The policy name that you're seeing looks to be automatically generated, ending in a GUID. When you're granting access to iam:createPolicy it doesn't make sense to restrict to a specific policy, since that policy won't exist until you've created it. Depending on your use case you may want to limit the by condition keys: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html.

Error while creating new IAM role

Contenuto pertinente