Works fine for root user
$ aws sts get-caller-identity
{
"UserId": "9**********4",
"Account": "9**********4",
"Arn": "arn:aws:iam::9**********4:root"
}
$ aws lexv2-models describe-bot --bot-id D979UA813X
{
"botId": "D979UA813X",
"botName": "test",
"roleArn": "arn:aws:iam::9**********4:role/aws-service-role/lexv2.amazonaws.com/AWSServiceRoleForLexV2Bots_1G7Z1IPTQA5",
"dataPrivacy": {
"childDirected": true
},
"idleSessionTTLInSeconds": 300,
"botStatus": "Available",
"creationDateTime": "2024-07-03T18:29:47.859000+00:00",
"lastUpdatedDateTime": "2024-07-03T18:29:47.859000+00:00",
"botType": "Bot"
}
However, it's not recommended to use root:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
Important: We strongly recommend that you don't use the root user for your everyday tasks and that you follow the root user best practices for your AWS account. Safeguard your root user credentials and use them to perform the tasks that only the root user can perform. For the complete list of tasks that require you to sign in as the root user, see Tasks that require root user credentials.
https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshooting_root-user.html
If you can't complete tasks when you are signed in as the root user for the account, your account might be a member of an organization in AWS Organizations. If so, and your organizational administrator used a service control policy (SCP) to limit the permissions of your account, then all users, including the root user, are affected. For more information, see Service control policies in the AWS Organizations User Guide.
Make sure that you are replacing your-bot-id with the alphanumeric bot ID you are trying to use.
Such as:
aws lexv2-models describe-bot --bot-id ONHXXXX885

Yeah, I was able to get it to work; just had to replace your-bot-id with the actual bot ID of the Lex bot I wanted to work with. So you recommend I have to set up users, roles, and permissions in IAM (not IAM Identity Center)?
Ideally, SSO, because it provides temporary permissions and protects you from a credentials leak (even if they leak, they expire soon).
In SSO you will have user/password/MFA, but you will assume IAM roles in the background and your credentials will be short-term.
If you cannot use IAM Identity Center, use a separate IAM user, but ensure the Least Privilege Principle + regular password rotation and a strong password policy + MFA.
I already set up IAM Identity Center months ago, but not the IAM Console; I have user, password, and MFA set up for my business partner, although I only have those for myself at the account level.
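The distinction drawn in this thread (root, a separate IAM user, or an Identity Center role with short-term credentials) is visible in the Arn that `aws sts get-caller-identity` returns. The script below is an added example, not part of any post here; the function names, the account ID 111122223333 and the sample ARNs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample ARNs below are constructed.

# Print the credential type implied by a caller ARN.
classify_arn() {
  case "$1" in
    arn:aws*:iam::*:root)                           echo "root" ;;
    arn:aws*:iam::*:user/*)                         echo "iam-user" ;;
    # Identity Center permission-set roles are named AWSReservedSSO_<name>_<suffix>
    arn:aws*:sts::*:assumed-role/AWSReservedSSO_*)  echo "sso-role" ;;
    arn:aws*:sts::*:assumed-role/*)                 echo "assumed-role" ;;
    *)                                              echo "unknown" ;;
  esac
}

# Return 0 only when the ARN belongs to an assumed role (short-term
# credentials); print a one-line finding in every case.
check_caller() {
  arn="$1"
  kind=$(classify_arn "$arn")
  case "$kind" in
    sso-role|assumed-role)
      echo "OK   $kind: short-term credentials"; return 0 ;;
    root)
      echo "FAIL root: reserve for tasks only the root user can perform"; return 1 ;;
    iam-user)
      echo "WARN iam-user: long-term credentials; needs least privilege, rotation, MFA"; return 1 ;;
    *)
      echo "WARN $kind: $arn"; return 1 ;;
  esac
}

# Live use (requires configured credentials):
#   check_caller "$(aws sts get-caller-identity --query Arn --output text)"

# Offline demonstration on constructed ARNs.
for sample in \
  "arn:aws:iam::111122223333:root" \
  "arn:aws:iam::111122223333:user/alice" \
  "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_ReadOnly_0123456789abcdef/alice"
do
  check_caller "$sample" || true
done
```

Because `check_caller` exits non-zero for root and IAM-user identities, it can gate a wrapper script or CI step that should only run under role credentials.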