I need to resolve "Access Denied" errors that I get after I attached the ReadOnlyAccess policy to an AWS Identity and Access Management (IAM) identity.
Resolution
ReadOnlyAccess doesn't include every read-only action for every AWS service. To resolve "Access Denied" errors, identify the missing permissions from the error message, and then grant them in a customer managed policy that you attach alongside ReadOnlyAccess.
Identify missing permissions for your specific service
If the policies attached to your IAM identity don't include permission for an action, then you receive an error message similar to the following:
"User arn:aws:iam::123456789012:user/example-user is not authorized to perform: servicename:ActionName on resource: arn:aws:servicename:us-east-1:123456789012:resource"
In the preceding error example, the user can't perform the servicename:ActionName action.
Check whether the ReadOnlyAccess policy attached to your IAM identity includes that action. If it doesn't, then you must grant the action separately.
Note: Use the ViewOnlyAccess policy to grant access to list and describe resources without data read permissions. For more information, see AWS managed policies for job functions.
Add missing permissions with a customer managed policy
You can't modify AWS managed policies. To add missing permissions, you must attach a customer managed policy.
To add the missing read-only permissions, create a customer managed policy. The following IAM JSON policy allows the missing read-only action:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "servicename:ActionName"
            ],
            "Resource": "*"
        }
    ]
}
Note: In the preceding example, servicename:ActionName represents the action that was denied. Replace it with the specific action from your error message. The wildcard (*) in the Resource element grants access to all resources for that action. It's a best practice to scope the Resource element to specific resource ARNs instead of using the wildcard when possible.
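The following is an added example, not part of the original article or an AWS tool. It parses "is not authorized to perform" messages in the shape quoted above and generates the customer managed policy, scoping the Resource element to the ARN from each error and falling back to "*" only when the error carries no resource ARN. The message layout and the sample errors are constructed assumptions; AWS may word some denials differently.

```python
import json
import re

# Pattern for the IAM "not authorized" message shape quoted above.
# Assumption: the resource clause is optional (many List*/Describe* calls omit it).
_DENIED_RE = re.compile(
    r"(?P<principal>arn:aws:iam::\d{12}:\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>arn:[^\s\"]+))?"
)


def parse_access_denied(message):
    """Return (principal, action, resource) from an IAM AccessDenied message.

    resource is None when the message carries no resource ARN.
    Raises ValueError when the message does not match the expected shape.
    """
    match = _DENIED_RE.search(message)
    if not match:
        raise ValueError("not an IAM 'is not authorized to perform' message")
    return match.group("principal"), match.group("action"), match.group("resource")


def build_policy(denied_messages):
    """Build one customer managed policy that covers every denied action.

    Actions are grouped by the resource ARN they were denied on so that each
    statement's Resource element is scoped to that ARN. "*" is used only for
    actions whose error message carries no resource ARN.
    """
    by_resource = {}
    for message in denied_messages:
        _, action, resource = parse_access_denied(message)
        by_resource.setdefault(resource or "*", set()).add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample errors in the shape of the message quoted in the article.
SAMPLE_ERRORS = [
    "User arn:aws:iam::123456789012:user/example-user is not authorized to perform: "
    "servicename:ActionName on resource: arn:aws:servicename:us-east-1:123456789012:resource",
    "User arn:aws:iam::123456789012:user/example-user is not authorized to perform: "
    "servicename:ListThings",
]

if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_ERRORS), indent=4))
```

Review the generated statements before you attach the policy, because any action the error names is granted as written; the script doesn't verify that it is a read-only action.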