You mentioned "explicit denial", and you don't have Deny statements in your IAM principal's policies, right? Then there must be a Deny statement elsewhere. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html - it could be in an Organization SCP, Resource policy (though I don't think Gamelift has these) or a Permissions Boundary.
- asked 3 years ago
- asked 2 years ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- EXPERTpublished 8 months ago
- EXPERTpublished 2 months ago
It looks like the culprit was a group policy that I created which forces the user to authenticate with MFA; otherwise, they do not have access to anything. I'm assuming there is a way to add MFA within the local AWS CLI? --EDIT-- Solved. Just had to grab the session token.