Why do I see the "User is not authorized to perform: fsx:action" error on my FSx for ONTAP file system?

2 minute read
0

I receive the "User is not authorized to perform: fsx: action" error when I try to perform an action on my Amazon FSx for NetApp ONTAP file system.

Short description

To perform actions on your file system, you must have the required permissions in your AWS Identify and Access Management (IAM) user policy. If you don't have the required permissions, then you receive the following error:

"User: arn:aws:iam::accountid:user/my-user is not authorized to perform: fsxaction on resource: my-resource" because no identity-based policy allows the fsx:action action."

Resolution

Use CloudTrail to identify the issue

1.    Open the AWS CloudTrail console, and then choose Event history.

2.    Under Lookup attributes, choose the Event source filter, and then choose fsx.amazonaws.com to see all Amazon FSx events.

3.    Find the error for the action (for example, CreateStorageVirtualMachine), and then verify the Event time.

4.    Select the failed event to see the event details and event record.

Sample CloudTrail event

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "ABCD123456789",
        "arn": "arn:aws:iam::accountid:user/my-user",
        "accountId": "accountid",
        "accessKeyId": "ABCD123456789",
        "userName": "my-user",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-09-02T06:13:06Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-09-02T06:14:59Z",
    "eventSource": "fsx.amazonaws.com",
    "eventName": "CreateStorageVirtualMachine",
    "awsRegion": "region",
    "sourceIPAddress": "",
    "userAgent": "",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:iam::accountid:user/my-user is not authorized to perform: fsx:CreateStorageVirtualMachine on resource: arn:aws:fsx::accountid:file-system/fs-123456789 because no identity-based policy allows the fsx:CreateStorageVirtualMachine action",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "",
    "eventID": "",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "accountid",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "",
        "cipherSuite": "",
        "clientProvidedHostHeader": "fsx..amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}

In the preceding example, the IAM user policy for my-user must be updated to allow access to fs-123456789 for the fsx:CreateStorageVirtualMachine action.

Allow the action

1.    Validate the details of the action that you want to allow. For more information, see Actions defined by Amazon FSx.

2.    Update your IAM policy to allow access to the resource for the action.

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago