Changing from Resource * to Explicit Access Results in An error occurred (AccessDeniedException)

0

While attempting to migrate all occurrences of "Resource": "*" there is one IAM Policy that does not work as expected. It is resulting in an access denied error and there is no clear reason why.

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the DescribeReplicationInstances operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/xxx-xxx-data-env-stop-blu-dev-us-east-1-rolef2288a3ea069e71d/xxx-data-env-stop-blu-dev is not authorized to perform: dms:DescribeReplicationInstances because no identity-based policy allows the dms:DescribeReplicationInstances action

The error occurs in a Lambda that stops/starts DMS and RDS instances on a given schedule.

Currently, there are only three Replication Instances and all of them are listed in the Resource section of the policy.

Here is the Resource Section of the Lambda Configuration showing the 3 DMS instances as resources for the DescribeReplicationAccess Action.

[screenshot omitted]

Here is the pertinent section of the Lambda's Role Document (there is no access denied error when the * wildcard is used here for Resource):

[screenshot omitted]

Here are the three DMS Replication Instances.

[screenshot omitted]

Can anyone point out what is missing? Does DescribeReplicationInstances require a wildcard in order to work?

1 Answer
0
Accepted answer

Hey Ross, the DescribeReplicationInstances action does not support resource-level permissions, which means there needs to be a "*" in the Resource field of the IAM policy.

Please refer to the document below and search for 'DescribeReplicationInstances': https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement.

AWS
answered a year ago
EXPERT
verified a year ago
  • Solved. Thanks for the quick reply and the link.
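The fix described in the accepted answer, expressed as a policy check and rewrite, is shown below as an added example; it is not code from the question or the answer. It assumes a constructed policy with three made-up replication instance ARNs (arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE1 and so on) and a second action, dms:RebootReplicationInstance, which is assumed here to support resource-level permissions; the set of wildcard-only actions contains only the one the thread names and is meant to be extended from the Service Authorization Reference linked above. The linter flags any Allow statement that grants a wildcard-only action against explicit ARNs, and the rewrite moves such actions into their own statement with "Resource": "*" so the remaining actions stay scoped to the listed instances.

```python
"""Find and fix IAM statements that grant wildcard-only actions with explicit ARNs.

Some actions (per the AWS Service Authorization Reference) have no resource
type, so IAM only honours them with "Resource": "*". Listing explicit ARNs for
such an action silently denies it, which is the symptom in the thread above.
"""
import json

# Actions with no resource type in the Service Authorization Reference.
# Only the action from the thread is listed; extend this set from the
# reference page for the services your policies cover. Plain action names
# only: wildcard patterns such as "dms:Describe*" are not expanded here.
WILDCARD_ONLY_ACTIONS = {"dms:DescribeReplicationInstances"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcard_only_violations(policy):
    """Return (statement_index, action) for each wildcard-only action granted
    by an Allow statement whose Resource does not include "*"."""
    violations = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            continue  # a "*" resource already satisfies wildcard-only actions
        for action in _as_list(stmt["Action"]):
            if action in WILDCARD_ONLY_ACTIONS:
                violations.append((idx, action))
    return violations


def split_wildcard_only_actions(policy):
    """Return a copy of the policy where wildcard-only actions are moved into
    their own Allow statement with "Resource": "*", leaving every other action
    scoped to the ARNs the author listed."""
    rewritten = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow" or "*" in resources:
            rewritten.append(stmt)
            continue
        wildcard_only = [a for a in actions if a in WILDCARD_ONLY_ACTIONS]
        scoped = [a for a in actions if a not in WILDCARD_ONLY_ACTIONS]
        if not wildcard_only:
            rewritten.append(stmt)
            continue
        if scoped:  # keep the original, narrowly scoped statement for the rest
            rewritten.append({**stmt, "Action": scoped})
        rewritten.append({"Effect": "Allow", "Action": wildcard_only, "Resource": "*"})
    return {**policy, "Statement": rewritten}


# Constructed sample: the shape of the policy in the question, with one
# wildcard-only action and one resource-scoped action sharing a statement.
# dms:RebootReplicationInstance is assumed to support resource-level permissions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dms:DescribeReplicationInstances",
                "dms:RebootReplicationInstance",
            ],
            "Resource": [
                "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE1",
                "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE2",
                "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE3",
            ],
        }
    ],
}

if __name__ == "__main__":
    print("violations:", find_wildcard_only_violations(SAMPLE_POLICY))
    print(json.dumps(split_wildcard_only_actions(SAMPLE_POLICY), indent=2))
```

Running the script on the sample reports the Describe action in statement 0 as a violation and prints a two-statement policy: the reboot action still bound to the three ARNs, and DescribeReplicationInstances alone on "*". Keeping the two statements separate is what lets the policy satisfy the Describe call without widening the actions that actually change instance state.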
