Not authorized to perform rds:ModifyDBInstance using AWS CLI
I am trying to automate the process of restoring rds DB using AWS CLI and I am able to restore rds using snapshot with AWS CLI. However when I tried to modify the restore DB instance to change the backup retention period to 0 using AWS CLI (below) I encountered an error related to permission:
An error occurred (AccessDenied) when calling the ModifyDBInstance operation: User: arn:aws:iam::888888888:user/cliuser is not authorized to perform: rds:ModifyDBInstance on resource: arn:aws:rds:ap-xxxxx-99:888888888:db:aaaaa because no identity-based policy allows the rds:ModifyDBInstance action
However, I am able to modify the restored DB instance aaaaa using AWS management console. Do I need explicit permission to modify DB instance even I already can using AWS management console?
- Newest
- Most votes
- Most comments
Hello.
Did you run the AWS CLI on your local PC?
In that case, you need to check whether the access key can be issued from the correct IAM user.
You can check the IAM user you are using by running the command below.
Check that the IAM user has the necessary permissions.
aws sts get-caller-identity
By the way, is the database you tried to change Aurora?
Please note that in the case of Aurora, the retention period cannot be set to 0.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html
For Amazon Aurora DB clusters, the default backup retention period is one day regardless of how the DB cluster is created.
You can't disable automated backups on Aurora. The backup retention period for Aurora is managed by the DB cluster.
Please check if the policy associated with your user contains conditions to deny requests via the CLI. If you have permissions to perform actions via the AWS Management Console but not via the CLI, you should have a policy similar to the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds:ModifyDBInstance",
"Resource": "arn:aws:rds:ap-xxxxx-99:888888888:db:aaaaa",
},
{
"Effect": "Deny",
"Action": "rds:ModifyDBInstance",
"Resource": "arn:aws:rds:ap-xxxxx-99:888888888:db:aaaaa",
"Condition": {
"StringEquals": {
"aws:UserAgent": "aws-cli/*"
}
}
}
]
}
This policy allows the modification of a database instance (rds:ModifyDBInstance) if the user agent is identified as coming from the AWS Management Console. However, it denies the modification of the same instance via the AWS CLI (aws-cli/*).
Relevant content
- asked 2 years ago
- asked 3 months ago
- asked 3 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
aws sts get-caller-identity { "UserId": "AAAAAAAAAAAAAAAAA", "Account": "85555555555", "Arn": "arn:aws:iam::85555555555:user/cliuser" } It is the same user account as my login to AWS management console. I run AWS CLI on an EC2. What is the aws cli I can use to check my permission?
What IAM policy is set for the IAM user named cliuser? Also, if you are running on EC2, I think it is better to use IAM roles instead of using IAM user access keys. By the way, will it be successful if I execute the "modify-db-instance" command in CloudShell? https://docs.aws.amazon.com/cloudshell/latest/userguide/welcome.html