AWS CLI Denied Permission Due to IAM Policy - Policy has all permissions correct. Previously worked fine.


I had to update my CLI on a few devices, and I am now unable to access anything pertaining to gamelift's API via an explicit denial. I double checked the permission policy that I assigned to the IAM user, and while it is set to allow full access to resources, it will not work.

Any suggestions or recommendations? I have also tried re-creating the policy via JSON and the visual GUI. I even tried creating a new user to use, and nothing works. I even ended up uninstalling the CLI tool and deleting the configuration and credential files multiple times trying to see if that would fix the issue.

Policy below:

{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "gamelift:", "Resource": "" } }

1 Answer
Accepted Answer

You mentioned "explicit denial", and you don't have Deny statements in your IAM principal's policies, right? Then there must be a Deny statement elsewhere. See - it could be in an Organization SCP, Resource policy (though I don't think Gamelift has these) or a Permissions Boundary.

answered a month ago
  • It looks like the culprit was a group policy that I created which forces the user to authenticate with MFA; otherwise, they do not have access to anything. I'm assuming there is a way to add MFA within the local AWS CLI? --EDIT-- Solved. Just had to grab the session token.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions