403 Forbidden on describeGlobalClusters in RDS

1

I'm getting access denied errors but only for the describeGlobalClusters RDS action. All other actions like describeDBInstances or describeDBClusters work. This behavior is triggered in the web browser when you go to RDS and select 'DB Instances': the instances are loaded and shown (because they're using describeDBInstances and describeDBClusters, which I can validate from network traffic logs), but a red box appears at the top with "Unknown error".

This seems to only be an issue in GovCloud regions, both us-gov-east-1 and us-gov-west-1. I've not been able to replicate this in any non-govcloud regions.

What I expect:

aws rds describe-global-clusters
{
    "GlobalClusters": []
}

What I get:

aws rds describe-global-clusters        

An error occurred (AccessDenied) when calling the DescribeGlobalClusters operation: Unknown

I was able to find the CloudTrail event for these specific issues, and have been able to replicate it using multiple SDKs, the CLI, and the AWS Console using a browser. The CloudTrail logging shows me this:

{
...
    "eventSource": "rds.amazonaws.com",
    "eventName": "DescribeGlobalClusters",
    "awsRegion": "us-gov-east-1",
    "userAgent": "AWS Internal",
    "errorCode": "AccessDenied",
    "errorMessage": "An unknown error occurred",
    "requestParameters": {
        "filters": [
            {
                "name": "region",
                "values": [
                    "us-gov-east-1"
                ]
            }
        ]
    },
    "responseElements": null,
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
...
}

I've replicated the behavior with AdministratorAccess, there are no policy restrictions or boundaries, and no Service Control Policies in effect.
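An added triage helper, not code from the question or from AWS, that separates the denial shown above from an ordinary IAM denial in CloudTrail: IAM policy denials carry an errorMessage containing "is not authorized to perform", whereas the event above says "An unknown error occurred", and the failure is confined to some regions while the same action succeeds elsewhere. The sample events are constructed from the record in the question; the account id and user in the s3 record are placeholders.

```python
from collections import defaultdict

# Constructed sample CloudTrail records modelled on the event in the question (not real
# log data); the DescribeGlobalClusters records reproduce its "An unknown error occurred".
SAMPLE_EVENTS = [
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances",
     "awsRegion": "us-gov-east-1"},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeGlobalClusters",
     "awsRegion": "us-gov-east-1", "errorCode": "AccessDenied",
     "errorMessage": "An unknown error occurred"},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeGlobalClusters",
     "awsRegion": "us-gov-west-1", "errorCode": "AccessDenied",
     "errorMessage": "An unknown error occurred"},
    {"eventSource": "rds.amazonaws.com", "eventName": "DescribeGlobalClusters",
     "awsRegion": "us-east-1"},
    # Placeholder account id and user; this is what an IAM policy denial looks like.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "awsRegion": "us-gov-east-1", "errorCode": "AccessDenied",
     "errorMessage": "User: arn:aws-us-gov:iam::123456789012:user/example "
                     "is not authorized to perform: s3:ListAllMyBuckets ..."},
]
# IAM evaluation failures carry this phrase; a denial without it came from elsewhere.
IAM_DENIAL_MARKER = "is not authorized to perform"


def classify_denial(event):
    """Return 'iam-policy', 'service-side', or None (no AccessDenied) for one record."""
    if event.get("errorCode") != "AccessDenied":
        return None
    message = event.get("errorMessage") or ""
    return "iam-policy" if IAM_DENIAL_MARKER in message else "service-side"


def triage(events):
    """Per (service, action): regions that succeeded, regions denied, and denial kinds."""
    summary = defaultdict(lambda: {"ok": set(), "denied": set(), "kinds": set()})
    for e in events:
        entry = summary[(e["eventSource"], e["eventName"])]
        kind = classify_denial(e)
        if kind is not None:
            entry["denied"].add(e["awsRegion"])
            entry["kinds"].add(kind)
        elif e.get("errorCode") is None:  # no errorCode at all means the call succeeded
            entry["ok"].add(e["awsRegion"])
    return summary


def region_scoped_service_denials(events):
    """Actions denied with a non-IAM message in some regions but working in others."""
    return [(svc, action, sorted(s["denied"]))
            for (svc, action), s in triage(events).items()
            if s["kinds"] == {"service-side"} and s["denied"] and s["ok"]]
```

A hit from the last function is the pattern in this question: full admin rights, a denial message that IAM never produces, and only GovCloud regions affected, which is a reason to open a support case rather than keep editing policies.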

2 Answers
0
Accepted Answer

This ended up being an AWS internal issue, which seems to have self-resolved after reaching out to premium support. No changes on my end, and AWS support indicated they'd be providing a root cause. This was isolated to just the one action, so my assumption is it was an accidental regression. Possibly someone assumed that action wouldn't be needed in GovCloud because Aurora Serverless PostgreSQL isn't supported in those regions? Purely postulation - either way it's functioning now.

Tim
answered 7 months ago
0

Hello,

This is Sarthak from AWS Premium support.

Having read through your case note, it is my understanding that you are getting the following error while executing the command "aws rds describe-global-clusters", though your account has full admin access. You are looking for the cause and a fix for it. Please correct me if my above understanding is wrong or if I missed anything.

To begin with, I could see the issue you are facing is in the GovCloud accounts. I would like to inform you that in order to investigate and escalate this issue further I would need a support case to be logged with AWS Support; unfortunately, we cannot fetch the resources to investigate the issue. I would like to inform you that AWS takes the privacy and security of your account very seriously.

With that in mind, please reach out to us from the relevant account and we will be more than happy to assist. I would humbly request you to raise a case from the account that is mapped to the GovCloud account. I trust you will understand the restrictions around account-wise support.

Thank you.

AWS
answered 7 months ago
