By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

IAM User with AdministratorAccess Cannot Access Redshift Clusters in Query Editor v2

0

Description:

I am unable to view any clusters in Redshift Query Editor v2 despite having been granted AdministratorAccess to my IAM account on AWS. I receive the following error message: "An error occurred fetching clusters and workgroups. User: arn:aws:iam::***:user/hoang is not authorized to perform: tag:GetResources with an explicit deny in a service control policy"

I have verified that my IAM user has the AdministratorAccess policy attached, and I have also checked for any service control policies that might be restricting access. However, I am still unable to access the clusters.! Enter image description here Enter image description here Enter image description here

I would appreciate it if you could investigate this issue and help me resolve it as soon as possible.

Additional Information:

  • IAM User: hoang
  • IAM User ARN: arn:aws:iam::***:user/hoang
  • Error Message: "An error occurred fetching clusters and workgroups. User: arn:aws:iam::***:user/hoang is not authorized to perform: tag:GetResources with an explicit deny in a service control policy" Thank you for your assistance.
Topics
Security, Identity, & ComplianceAnalytics
Tags
AWS Identity and Access ManagementAmazon RedshiftIAM Policies
Language
English
hoang
asked a year ago301 views
1 Answer
0

Hello.

The error message “with an explicit deny in a service control policy” suggests that “tag:GetResources” is restricted by the SCP feature of Organizations, not IAM policy.
Therefore, I recommend that you contact the person who manages your AWS account or the administrator of your organization to check whether "tag:GetResources" etc. are restricted by SCP.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

By the way, what kind of settings are you using in SCP?
Additionally, SCPs also inherit policies set in higher-level OUs, so if the OU of the AWS account in which the error occurs is a child OU, please also check the SCP set in the higher-level OU.

profile picture
EXPERT
Riku_Kobayashi
answered a year ago
profile picture
EXPERT
Osvaldo Marte
reviewed a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content