Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Glacier: AccessDeniedException

0

Trying to delete multiple unlocked vaults created last year. I was able to do so for most of them, but a few are left that cannot be accessed by any software or the CLI. When I try to get the inventory using the CLI, using the user who created the vaults or the root user, I get the following:

aws glacier initiate-job --vault-name <NAME> --account-id <ID> --job-parameters '{"Type": "inventory-retrieval"}'

An error occurred (AccessDeniedException) when calling the InitiateJob operation: User: arn:aws:iam::<ID>:<user> is not authorized to perform: glacier:InitiateJob on resource: arn:aws:glacier:<LOC>:<ID>:vaults/<NAME>

Topics
StorageSecurity, Identity, & Compliance
Tags
AWS Identity and Access ManagementAmazon S3 Glacier
Language
English
asked 3 years ago855 views
2 Answers
1
Accepted Answer

The issue was not related to permissions, the error message "AccessDeniedException" is misleading. I tried to access an in-existent vault, which resulted in the same error message.

The problem was based on the following wrong account-id format, which I copied directly from the AWS Console. It needs to be provided without the dashes:

aws glacier initiate-job --vault-name <NAME> --account-id 1234-1234-1234 --job-parameters '{"Type": "inventory-retrieval"}'
answered 3 years ago
EXPERT
reviewed a year ago
1

Hello ,

Thank you for posting your question on the AWS Repost, my name is Rochak and it will be a pleasure assisting you with this today.

I understand you are trying to delete multiple unlocked vaults and you were able to delete most of them but you are not able to delete few and you are getting error while trying to delete them even as a user who created the vault and also as a root user. Please, let me know if my understanding is incorrect.

Please note that there are some instances where root user or admin user do get access denied and there a number of reasons that you might receive an access denied error on your root user. This includes:

• A service control policy (SCP) is restricting your access to a service • A resource-based policy is restricting your access to a resource • A permissions boundary is in limiting the actions your entity can perform • A session policy is in place and is causing an authorization issue • A VPC endpoint policy is restricting access to your IAM entities

Please follow the troubleshooting steps provided here [1] depending on your use case and the error that you receive.

I am also adding [2] for your references which provides detailed steps as well as video tutorial on troubleshooting access denied or unauthorized operation errors with an IAM policy.

I hope this helps. If you need further info, let me know in the comments; otherwise I'd appreciate if you mark my answer as "accepted".

Kind regards, Rochak from AWS

References:

[1] Troubleshoot access denied issues for a root user or an admin user https://aws.amazon.com/premiumsupport/knowledge-center/iam-access-denied-root-user/

[2] Troubleshoot access denied or unauthorized operation errors with an IAM policy https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-policy-issues/#

AWS
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content