
Not authorized to perform kinesisvideo:GetDataEndpoint despite policy permissions

0

Hi everyone,

I've granted the following IAM policy to a role, intending to allow access to a specific Kinesis Video Stream. However, when running my code, I keep getting this error:

is not authorized to perform: kinesisvideo:GetDataEndpoint on resource

Here is the policy attached to the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKVSForStream",
      "Effect": "Allow",
      "Action": [
        "kinesisvideo:GetHLSStreamingSessionURL",
        "kinesisvideo:GetDataEndpoint",
        "kinesisvideo:GetClip",
        "kinesisvideo:ListFragments"
      ],
      "Resource": [
        "arn:aws:kinesisvideo:*:accountId:stream/streamName"
      ]
    }
  ]
}

I've replaced accountId and streamName with the correct values in my actual setup. Am I missing something? Is there any extra permission needed to call GetDataEndpoint, or could it be a problem with how I'm specifying the ARN?

Thanks in advance!

2 Answers
1
Accepted Answer

Hello.

Looking at the documentation below, what is needed in the Resource section is an ARN in the following format:
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisvideostreams.html

arn:${Partition}:kinesisvideo:${Region}:${Account}:stream/${StreamName}/${CreationTime}

So why not try adding "/*" to the end like this:

"arn:aws:kinesisvideo:*:accountId:stream/streamName/*"
EXPERT
answered a year ago
AWS
EXPERT
reviewed a year ago
0

There are several possible reasons why you're encountering the "not authorized to perform: kinesisvideo:GetDataEndpoint" error despite having attached a policy with the appropriate permissions:

  1. Explicit Deny Overriding Your Allow: There might be an explicit deny statement in another policy attached to the role that is overriding your allow statement. In IAM, deny statements always take precedence over allow statements, even if they're in different policies.

  2. Resource ARN Mismatch: Ensure that the resource ARN in your policy exactly matches the stream you're trying to access. Pay special attention to the region and account ID in the ARN. Even a small typo can cause permission issues.

  3. Service Control Policies (SCPs): If your AWS account is part of an AWS Organization, there might be SCPs in place that are restricting this action across your organization or specific accounts.

  4. Permission Boundaries: Check if any permission boundaries have been set on the role, which could be limiting the effective permissions.

  5. Incorrect Role Assumption: Make sure you're properly assuming the role before attempting to access the resource, especially if working across accounts. You can verify this by running aws sts get-caller-identity to confirm which role you're currently using.

  6. Region Specification: Your policy uses a wildcard for the region (*). If you're trying to access a stream in a specific region, try explicitly specifying that region in the ARN instead of using the wildcard.

To troubleshoot this issue:

  • Review all policies attached to the role, including managed and inline policies
  • Double-check the resource ARN in your policy against the actual stream ARN
  • Use the IAM Policy Simulator to test your policies and identify any missing permissions
  • Check if there are any SCPs affecting your account
  • Ensure you're using the correct credentials when making the API call

If you've verified all of these and are still encountering issues, you might need to contact AWS Support for a more detailed analysis of your account's permission structure.
Sources
Why am I getting an “AccessDenied” error despite attaching an inline policy to the role? | AWS re:Post
How do I troubleshoot when User: arn is not authorized to perform Create * or Delete * or Update * on resource(s) because no identity-based policy allows the actions | AWS re:Post

answered a year ago
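The two answers above make two separate points: the accepted answer says the policy's Resource ARN is missing the trailing /CreationTime segment that every Kinesis Video Streams stream ARN carries, and the second answer lists the evaluation rules (explicit deny always wins, the ARN must match exactly) that can still produce AccessDenied. The following Python script is an added example, not code from either answer or from AWS: it reimplements the relevant slice of IAM's matching semantics (wildcard Resource/Action matching, deny-over-allow ordering; it ignores conditions, principals, NotAction, SCPs and permission boundaries) and runs the thread's original policy, the "/*" fix, and a sample explicit-deny policy against a constructed stream ARN. The stream ARN, creation time, the `accountId`/`streamName` placeholders and the `DENY_POLICY` are all constructed for illustration.

```python
"""Toy IAM resource matcher and allow/deny evaluator for the thread's policy.

Added example, not from the re:Post answers or from AWS. The stream ARN
below is a constructed sample: a real KVS stream ARN has the shape
arn:aws:kinesisvideo:<region>:<account>:stream/<name>/<CreationTime>.
"""
import json
import re

# The questioner's policy as posted (accountId / streamName placeholders kept).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowKVSForStream",
        "Effect": "Allow",
        "Action": [
            "kinesisvideo:GetHLSStreamingSessionURL",
            "kinesisvideo:GetDataEndpoint",
            "kinesisvideo:GetClip",
            "kinesisvideo:ListFragments",
        ],
        "Resource": ["arn:aws:kinesisvideo:*:accountId:stream/streamName"],
    }],
}

# Same policy with the accepted answer's "/*" suffix covering the CreationTime segment.
FIXED_POLICY = json.loads(json.dumps(QUESTION_POLICY))
FIXED_POLICY["Statement"][0]["Resource"] = [
    "arn:aws:kinesisvideo:*:accountId:stream/streamName/*"
]

# Constructed explicit deny, as in the second answer's first item (e.g. another
# inline or managed policy on the same role).
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "kinesisvideo:*", "Resource": "*"}],
}

# Constructed sample stream ARN; the last segment is the epoch-millisecond creation time.
SAMPLE_STREAM_ARN = "arn:aws:kinesisvideo:us-east-1:accountId:stream/streamName/1700000000000"
ACTION = "kinesisvideo:GetDataEndpoint"


def iam_match(pattern, value):
    """IAM wildcard semantics: '*' matches any run of characters (including '/' and ':'),
    '?' matches exactly one; case-sensitive and anchored at both ends."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate(policies, action, resource_arn):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' following IAM's order:
    a matching Deny anywhere wins, otherwise a matching Allow, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(iam_match(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(iam_match(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def unmatched_resources(policy, resource_arn):
    """List the Resource patterns in a policy that do NOT match the given ARN;
    handy for spotting the missing '/<CreationTime>' segment or a wrong region."""
    return [r for stmt in policy["Statement"]
            for r in _as_list(stmt.get("Resource", [])) if not iam_match(r, resource_arn)]


def question_policy_decision():
    return evaluate([QUESTION_POLICY], ACTION, SAMPLE_STREAM_ARN)   # 'ImplicitDeny'


def fixed_policy_decision():
    return evaluate([FIXED_POLICY], ACTION, SAMPLE_STREAM_ARN)      # 'Allow'


def fixed_with_deny_decision():
    return evaluate([FIXED_POLICY, DENY_POLICY], ACTION, SAMPLE_STREAM_ARN)  # 'ExplicitDeny'


if __name__ == "__main__":
    print("original policy :", question_policy_decision(), unmatched_resources(QUESTION_POLICY, SAMPLE_STREAM_ARN))
    print("with '/*'       :", fixed_policy_decision())
    print("plus explicit deny:", fixed_with_deny_decision())
```

To apply this to a real stream, take the full ARN from DescribeStream output (or the console) and pass it to `unmatched_resources` in place of the constructed sample; any pattern it returns is one IAM will not match, which is exactly the case for a Resource that stops at `stream/streamName` without the creation-time segment.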


