
Explicit Deny error when calling StartOutboundChatContact API for WhatsApp in Amazon Connect

0

I am trying to send an outbound WhatsApp message using the StartOutboundChatContact API in Amazon Connect.

API Endpoint: POST https://connect.us-east-1.amazonaws.com/contact/outbound-chat

Region: us-east-1

InstanceId: 84ecefa9-184a-400f-babf-3288d7c8fd04

IAM User: arn:aws:iam::747926693930:user/sali

Request Payload:

    {
      "InstanceId": "**********-184a-400f-babf-****",
      "ContactFlowId": "0094d752-5ac3-4c6d-8355-0c9f817ba159",
      "ClientToken": "550e8400-e29b-41d4-a716-446655440000",
      "SourceEndpoint": {
        "Address": "arn:aws:connect:us-east-1:747926693930:phone-number/a26ad5c5-dfaf-4cc4-8281-652e1ae1f1ae",
        "Type": "CONNECT_PHONENUMBER_ARN"
      },
      "DestinationEndpoint": {
        "Address": "+92307**",
        "Type": "TELEPHONE_NUMBER"
      },
      "SegmentAttributes": {
        "connect:Subtype": "connect:WhatsApp"
      },
      "ParticipantDetails": {
        "DisplayName": "Postman Api call"
      },
      "SupportedMessagingContentTypes": ["text/plain"]
    }

Error response: User: arn:aws:iam::747926693930:user/sali is not authorized to perform: connect:* on resource: * with an explicit deny in a resource-based policy.

I have checked IAM policies attached to the user but cannot find any explicit deny policy.

Questions:

  1. Where could this explicit deny be configured?
  2. Could this be caused by a Service Control Policy or Amazon Connect resource policy?
  3. What permissions are required for StartOutboundChatContact when sending WhatsApp messages?

Any guidance would be appreciated.

2 Answers
1

Here is a list of resource policies that block similar permissions: https://docs.aws.amazon.com/connect/latest/adminguide/security_iam_resource-level-policy-examples.html. You should have a similar resource policy on Amazon Connect that is blocking the access.

For permissions, you need something like

connect:StartOutboundChatContact
connect:List*
connect:Describe*
EXPERT
answered 2 months ago
1

An explicit deny usually means you have an organisation SCP denying that action.

I would review your SCPs, specifically for that action, to see if there’s a block/Deny for that action.

Alternatively, check permission boundaries also.

EXPERT
answered 2 months ago
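
The answers above point to SCPs, permission boundaries and resource policies as places where the Deny may live. The following is an added example, not code from the original thread or from AWS: it scans exported policy documents for Deny statements whose Action or NotAction covers connect:StartOutboundChatContact. The policy names and documents are constructed samples, and the check only flags a Condition as present rather than evaluating Resource or Condition.

```python
import re

def action_matches(pattern, action):
    # IAM action patterns: '*' is any run of characters, '?' is one; matching is case-insensitive.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def as_list(value):
    # Statement, Action and NotAction may each be a single item or a list.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def explicit_denies(policy, action):
    """Return Sids of the Deny statements in one policy document that cover `action`."""
    hits = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            covered = any(action_matches(p, action) for p in as_list(stmt["Action"]))
        elif "NotAction" in stmt:  # Deny covers everything except the listed patterns
            covered = not any(action_matches(p, action) for p in as_list(stmt["NotAction"]))
        else:
            covered = False  # malformed statement, nothing to match
        if covered:
            note = " (conditional)" if "Condition" in stmt else ""
            hits.append(stmt.get("Sid", "<no Sid>") + note)
    return hits

def scan(policies, action):
    """Map each policy name to its matching Deny statements, skipping policies with none."""
    found = {name: explicit_denies(doc, action) for name, doc in policies.items()}
    return {name: sids for name, sids in found.items() if sids}

# Constructed sample documents (not taken from the asker's account).
SAMPLE_POLICIES = {
    "identity-policy": {"Statement": [
        {"Sid": "AllowChat", "Effect": "Allow", "Resource": "*",
         "Action": ["connect:StartOutboundChatContact", "connect:List*", "connect:Describe*"]}]},
    "scp-example": {"Statement": {
        "Sid": "DenyConnect", "Effect": "Deny", "Action": "connect:*", "Resource": "*"}},
    "boundary-example": {"Statement": [
        {"Sid": "DenyOutsideList", "Effect": "Deny", "Resource": "*",
         "NotAction": ["s3:*", "connect:Describe*"],
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}}]},
}

if __name__ == "__main__":
    for name, sids in scan(SAMPLE_POLICIES, "connect:StartOutboundChatContact").items():
        print(f"{name}: {', '.join(sids)}")
```

A NotAction Deny is easy to miss when searching policies by action name, which is why the sample boundary is included.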
