By using AWS re:Post, you agree to the Terms of Use

AccessDeniedException when using CLI aws cloud9 update-environment --environment-id $C9_PID --managed-credentials-action DISABLE


I am doing this command from my cloud9 environment. I am logged in as owner of the cloud9 environment. I am using aws-cli/2.7.20

ec2-user:~/environment $ aws cloud9 update-environment  --environment-id $C9_PID --managed-credentials-action DISABLE
An error occurred (AccessDeniedException) when calling the UpdateEnvironment operation: arn:aws:sts::233287386565:assumed-role/cst438-cloud9-containers-role/i-02aef2188aaf75d2e isn't allowed to manage credentials because they're not the environment owner

But I am the environment owner. After receiving this error I do

aws cloud9 describe-environments --environment-id 18f34fb0bdd8451ba008fe7ac2c74093
    "environments": [
            "id": "18f34fb0bdd8451ba008fe7ac2c74093",
            "name": "cst438",
            "description": "",
            "type": "ec2",
            "connectionType": "CONNECT_SSH",
            "arn": "arn:aws:cloud9:us-west-2:233287386565:environment:18f34fb0bdd8451ba008fe7ac2c74093",
            "ownerArn": "arn:aws:iam::233287386565:root",
            "lifecycle": {
                "status": "CREATED"
            "managedCredentialsStatus": "DISABLED_BY_OWNER"

which shows the command did successfully disable the managed credentials status. So why the exception message?


1 Answers

Are you sure you didn't set it manually or set it using a different role? What I'm reading here is that when you use the cli, it's in fact using the rotated temporary credentials of cloud9, which in this case are not the env owner.

You can try disable the credentials here and aws configure as the root and try?

answered 15 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions