1 answer
Hi,
I have performed tests with the same IAM policy and CloudFormation stack and can replicate the permission error. While looking at CloudTrail, I found the following log for my IAM role iot-cloudformation:
"errorMessage": "User: arn:aws:sts::123456789012:assumed-role/iot-cloudformation/AWSCloudFormation is not authorized to perform: iot:ListTagsForResource on resource: arn:aws:iot:us-east-1:123456789012:rolealias/MyGreengrassCoreTokenExchangeRoleAlias because no identity-based policy allows the iot:ListTagsForResource action",
Therefore, when CloudFormation manages the IoT role alias resource, it makes an iot:ListTagsForResource call as well. With the following IAM policy, the CloudFormation creation passed:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:CreateRoleAlias",
        "iot:DeleteRoleAlias",
        "iot:DescribeRoleAlias",
        "iot:UpdateRoleAlias",
        "iot:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
```
Answered 9 months ago
Aha, the debugging piece I was missing was that I needed to filter the CloudTrail event history by the user name. Then I could see that failed ListTagsForResource call. Now that I've added iot:ListTagsForResource to the policy, my stack (including the role alias) is successfully creating. Thanks!
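The debugging technique used in the answer and the follow-up above (filter CloudTrail for AccessDenied events from the role's sessions, read the denied action and resource out of errorMessage, then grant exactly that) can be scripted. The block below is an added example, not code from the original thread or from AWS: the CloudTrail records it runs on are constructed to mirror the quoted errorMessage, the function names are my own, and it also handles the explicit-deny wording ("with an explicit deny in ...") that the quoted log line does not show, which is an assumption about the message format beyond what this page demonstrates.

```python
import json
import re

# Constructed sample CloudTrail records (not real captures). The first
# errorMessage mirrors the one quoted in the answer above.
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/iot-cloudformation/AWSCloudFormation"
ALIAS_ARN = "arn:aws:iot:us-east-1:123456789012:rolealias/MyGreengrassCoreTokenExchangeRoleAlias"
SAMPLE_EVENTS = [
    {   # the denial that made the stack fail
        "eventSource": "iot.amazonaws.com", "eventName": "ListTagsForResource",
        "errorCode": "AccessDenied",
        "errorMessage": f"User: {ROLE_ARN} is not authorized to perform: iot:ListTagsForResource "
                        f"on resource: {ALIAS_ARN} because no identity-based policy allows "
                        "the iot:ListTagsForResource action",
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
    },
    {   # successful call: no errorCode, must be ignored
        "eventSource": "iot.amazonaws.com", "eventName": "CreateRoleAlias",
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
    },
    {   # denial for a different role: must be filtered out by role name
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "errorCode": "AccessDenied",
        "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/other-role/s is not "
                        "authorized to perform: s3:GetObject on resource: arn:aws:s3:::b/k "
                        "because no identity-based policy allows the s3:GetObject action",
        "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/other-role/s"},
    },
    {   # assumed explicit-deny wording: adding an Allow would not fix this one
        "eventSource": "iot.amazonaws.com", "eventName": "DeleteRoleAlias",
        "errorCode": "AccessDenied",
        "errorMessage": f"User: {ROLE_ARN} is not authorized to perform: iot:DeleteRoleAlias "
                        f"on resource: {ALIAS_ARN} with an explicit deny in an identity-based policy",
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN},
    },
]

# Shape of the AccessDenied message: principal, action, optional resource, optional reason.
DENY_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
    r"(?: (?P<reason>(?:because|with an explicit deny).*))?"
)


def session_role_name(principal_arn):
    """IAM role name from an STS assumed-role session ARN, or None for other principals."""
    parts = principal_arn.split(":assumed-role/", 1)
    if len(parts) != 2:
        return None
    return parts[1].split("/", 1)[0]


def find_denials(events, role_name):
    """AccessDenied records from sessions of role_name, as action/resource/reason dicts."""
    denials = []
    for ev in events:
        if ev.get("errorCode") != "AccessDenied":
            continue
        m = DENY_RE.search(ev.get("errorMessage", ""))
        if not m or session_role_name(m.group("principal")) != role_name:
            continue
        denials.append({"action": m.group("action"),
                        "resource": m.group("resource") or "*",
                        "reason": m.group("reason") or ""})
    return denials


def build_allow_statement(denials):
    """Minimal Allow statement for the denied calls, scoped to the exact ARNs seen.

    Denials caused by an explicit Deny are returned separately: an Allow never
    overrides an explicit Deny, so they need a policy change elsewhere."""
    actions, resources, explicit = set(), set(), []
    for d in denials:
        if "explicit deny" in d["reason"]:
            explicit.append(d)
            continue
        actions.add(d["action"])
        resources.add(d["resource"])
    stmt = {"Effect": "Allow", "Action": sorted(actions), "Resource": sorted(resources)}
    return stmt, explicit


if __name__ == "__main__":
    found = find_denials(SAMPLE_EVENTS, "iot-cloudformation")
    stmt, blocked = build_allow_statement(found)
    print(json.dumps(stmt, indent=2))
    for d in blocked:
        print("explicit deny, an Allow will not help:", d["action"], d["resource"])
```

Against a real account, feed it the `CloudTrailEvent` JSON strings from `aws cloudtrail lookup-events` (each is a record in this format) and narrow the lookup to the service in question, for example `--lookup-attributes AttributeKey=EventSource,AttributeValue=iot.amazonaws.com`. The generated statement lists the exact ARNs that were denied; widening `Resource` to `*`, as the answer's policy does, is a deliberate choice to make after you know which calls are involved, not the default.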
Hello, I'd recommend that you look at CloudTrail to see what exact API call is being denied. This is a good permission debugging technique in general.