Lambda function Receives AccessDeniedException When Identity Policy Seems Valid

0

In the screenshot below notice that the resource defined as arn:aws:dms:* has dms:DescribeReplicationInstances allowed.


It would seem that would allow the Lambda access to DescribeReplicationInstances against any DMS instance. Can someone point out where this is incorrectly configured. Thanks.

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the DescribeReplicationInstances operation: User: arn:aws:sts::XXXXX:assumed-role/XXXX-data-env-stop-blu-tsm-us-east-1-role66aefb90c059b353/XXXdata-env-stop-blu-tsm is not authorized to perform: dms:DescribeReplicationInstances because no identity-based policy allows the dms:DescribeReplicationInstances action

1 Answer
3
Accepted Answer

Though it would give better clarity if you could add the JSON policy here, here is what I suspect is happening:

The DescribeReplicationInstances action does not support resource-level permissions, so you should specify "*" in the Resource field of the IAM policy attached to this role.

Please see DescribeReplicationInstances in this Documentation. The ResourceType column in that table is empty, which means you need to specify "*" in the Resource section of your IAM policy for this action.

Hope you find this helpful.

Abhishek

AWS
EXPERT
answered 10 months ago
AWS
EXPERT
iBehr
reviewed 10 months ago
  • I will accept this answer; however, we have a checkov scan, set to soft-fail, against "*" on a resource. We mitigated that and removed the "*" that was put there along the lines of what you mention above. Thanks for the clarification.

  • Yeah, I completely get that, and many organizations put similar constraints in place; however, there are many such cases in CloudFormation itself which can't be avoided other than by putting "*" in Resource if we want to use certain things. One other example that comes to my mind is ec2:DeleteNetworkInterface.
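The mismatch the accepted answer describes (an action with no resource-level permissions granted against an ARN pattern instead of "*") is easy to catch before deployment. The following is an added example, not code from the thread or from AWS: a small policy linter that flags such grants, run against a constructed policy mirroring the question and against a hardened form that confines "*" to the one action that needs it. It assumes dms:StartReplicationTask supports resource-level permissions and uses a deliberately partial action table.

```python
import fnmatch

# Actions that accept no resource-level permissions: the service
# authorization reference shows an empty resource-type column for them.
# Constructed, partial table for this example (only the action from the
# question); extend it from the reference for your own policies.
NO_RESOURCE_LEVEL_ACTIONS = {"dms:DescribeReplicationInstances"}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def find_misscoped_actions(policy):
    """Return (action, resources) pairs for Allow statements that grant an
    action which only works with Resource "*" but scope it to ARNs instead.
    Such a grant never matches, so the caller gets AccessDeniedException."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            continue  # already unscoped; nothing to flag
        for pattern in _as_list(stmt["Action"]):
            for action in sorted(NO_RESOURCE_LEVEL_ACTIONS):
                if fnmatch.fnmatchcase(action, pattern):  # handles "dms:Describe*"
                    findings.append((action, resources))
    return findings


# Constructed policy mirroring the question: the list call is scoped to a
# DMS ARN pattern, so IAM never applies it.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["dms:DescribeReplicationInstances", "dms:StartReplicationTask"],
    "Resource": "arn:aws:dms:*"}]}

# Hardened form: keep the ARN scope for the action that honours it and give
# the list-only action its own statement, so "*" covers that action only.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dms:StartReplicationTask",
     "Resource": "arn:aws:dms:*"},
    {"Effect": "Allow", "Action": "dms:DescribeReplicationInstances",
     "Resource": "*"}]}

if __name__ == "__main__":
    print(find_misscoped_actions(BROKEN_POLICY))  # [('dms:DescribeReplicationInstances', ['arn:aws:dms:*'])]
    print(find_misscoped_actions(FIXED_POLICY))   # []
```

Splitting the statement this way keeps a scanner finding on "*" limited to the single action that cannot be scoped, which is easier to justify than a blanket wildcard.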
