UnauthorizedError when using resource-explorer-2 search operation

I created a resource explorer index in us-east-2 with this command:

aws resource-explorer-2 create-index --region us-east-2

I verified it was ready:

aws resource-explorer-2 get-index --region us-east-2

{
    "Arn": "arn:aws:resource-explorer-2:us-east-2:123456123456:index/c8a3afa7-aca7-4d74-a5d9-7bef74385371",
    "CreatedAt": "2025-02-08T18:53:50.523000+00:00",
    "LastUpdatedAt": "2025-02-08T18:53:50.523000+00:00",
    "ReplicatingTo": [],
    "State": "ACTIVE",
    "Tags": {},
    "Type": "LOCAL"
}

When I try to search against the index, I get an UnauthorizedException:

aws resource-explorer-2 search --query-string "*" --region us-east-2

An error occurred (UnauthorizedException) when calling the Search operation: Unauthorized

My user already had an AdministratorAccess policy attached to it, which should allow searching. Just in case I also added AWSResourceExplorerFullAccess to the user, which did not fix it.

Why am I getting UnauthorizedExceptions searching for resources in an index I created?

1 Answer

The UnauthorizedException you're encountering when trying to search using AWS Resource Explorer is likely due to insufficient permissions, specifically related to views in Resource Explorer.

Even though you have created an index and have AdministratorAccess and AWSResourceExplorerFullAccess policies, Resource Explorer requires specific permissions to perform search operations on a view.

To resolve this issue, you need to ensure that your IAM user or role has permissions to both get a view and perform a search operation. Specifically, you need the following permissions:

  1. resource-explorer-2:GetView
  2. resource-explorer-2:Search

These permissions should be granted on a view that resides in the region where you're making the search request (in your case, us-east-2).

If you haven't specified a view in your search request, Resource Explorer automatically uses the default view for the region. It's possible that you don't have the necessary permissions for this default view.

To fix this, you can either:

  1. Create a new view and grant yourself the necessary permissions for that view.
  2. Modify your existing IAM policy to include permissions for all views in the region.

You can add a statement like this to your IAM policy:

{
    "Effect": "Allow",
    "Action": [ 
        "resource-explorer-2:GetView",
        "resource-explorer-2:Search"
    ],
    "Resource": "arn:aws:resource-explorer-2:us-east-2:123456123456:view/*"
}

This will grant you permissions to get and search all views in the us-east-2 region.

After adding these permissions, you should be able to perform the search operation without encountering the UnauthorizedException.
Sources
Troubleshooting Resource Explorer search issues - AWS Resource Explorer
Troubleshooting AWS Resource Explorer permissions - AWS Resource Explorer

answered a year ago
EXPERT
reviewed a year ago
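
The answer's first option (create a view, then search it by ARN instead of relying on the Region's default view), as an added example that is not part of the original answer or AWS's own code. The view name `all-resources` is hypothetical, and the calling principal is assumed to also be allowed `resource-explorer-2:GetDefaultView`, `resource-explorer-2:CreateView` and `resource-explorer-2:AssociateDefaultView`.

```shell
#!/bin/sh
# Added example: give the Region a default view, then search with the view ARN stated explicitly.
REGION="us-east-2"          # Region from the question
VIEW_NAME="all-resources"   # hypothetical view name (assumption)

# Print the Region's default view ARN, or nothing if no default view is set.
default_view_arn() {
    _dv=$(aws resource-explorer-2 get-default-view --region "$REGION" \
            --query ViewArn --output text 2>/dev/null) || return 1
    # With --output text the CLI prints "None" when the field is absent.
    [ "$_dv" = "None" ] || [ -z "$_dv" ] || printf '%s\n' "$_dv"
}

# Reuse the default view if there is one; otherwise create a view and
# associate it as the default. Prints the view ARN either way.
ensure_view() {
    _arn=$(default_view_arn) || return 1
    if [ -z "$_arn" ]; then
        _arn=$(aws resource-explorer-2 create-view --view-name "$VIEW_NAME" \
                 --region "$REGION" --query View.ViewArn --output text) || return 1
        aws resource-explorer-2 associate-default-view --view-arn "$_arn" \
            --region "$REGION" >/dev/null || return 1
    fi
    printf '%s\n' "$_arn"
}

# Search a named view: $1 = query string, $2 = view ARN.
# The principal needs GetView and Search on this ARN, per the answer above.
search_view() {
    aws resource-explorer-2 search --query-string "$1" \
        --view-arn "$2" --region "$REGION"
}

# Run as: sh ensure-view.sh run   (the script file name is hypothetical)
if [ "${1:-}" = "run" ]; then
    view_arn=$(ensure_view) && search_view "*" "$view_arn"
fi
```

Passing `--view-arn` on every search makes it clear which view's permissions are being evaluated when the call is refused.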