By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Lack of "workspaces:RegisterWorkspaceDirectory" permission when registering a Workspaces Directory

0

Hi, I am using Terraform to provision a new Amazon Workspaces. I have an AD Connector created and linked to our internal domain. The next step is to create a Workspaces Directory. Part of creation is to link the Directory to the AD Connector using the Terraform "aws_workspaces_directory" resource. However, I've got the following error when running the Terraform code even though the user below is granted AmazonWorkSpacesAdmin & AWSDirectoryServiceFullAccess permission policies.

Error: error registering WorkSpaces Directory (d-xxxxxxxxxx): AccessDeniedException: User: arn:aws:iam::xxxxx:user/xxxx is not authorized to perform: workspaces:RegisterWorkspaceDirectory on resource: arn:aws:workspaces:us-east-1:xxxxx:directory/d-xxxxxxx because no identity-based policy allows the workspaces:RegisterWorkspaceDirectory action

Is there anybody who knows what permission policy is needed to grant the "workspaces:RegisterWorkspaceDirectory" action? If I read the error correctly, the user is lack of permission to register workspace directory with the AD connector? If so, how do I check who has such permission on the AD Connector?

Thank you.

Topics
End User ComputingSecurity, Identity, & Compliance
Tags
Amazon WorkSpacesAWS Identity and Access ManagementAWS Directory ServiceIAM Policies
Language
English
AWSLearner66
asked 2 years ago713 views
2 Answers
0
Accepted Answer

I can't find that permission in any of the managed policies (including AmazonWorkSpacesAdmin) aside from granting AdministratorAccess, so I'd recommend attaching an inline policy [1] to your IAM user similar to the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "workspaces:RegisterWorkspaceDirectory",
      ],
      "Resource": "*"
    }
  ]
}

You might need to add more permissions (or just workspaces:*) to this if you get any more errors like this.

Looking at the docs, you'll also need to create the workspaces_DefaultRole if you haven't already.

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html

Ed
answered 2 years ago
0

Thanks, Ed! You suggestion works well. I am surprised even AmazonWorkSpacesAdmin permission policy does not include the register action. Appreciate your quick reply!

AWSLearner66
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content