Changing from Resource * to Explicit Access Results in An error occurred (AccessDeniedException)

0

While attempting to migrate all occurrences of "Resource": "*", there is one IAM policy that does not work as expected. It results in an access denied error, and there is no clear reason why.

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the DescribeReplicationInstances operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/xxx-xxx-data-env-stop-blu-dev-us-east-1-rolef2288a3ea069e71d/xxx-data-env-stop-blu-dev is not authorized to perform: dms:DescribeReplicationInstances because no identity-based policy allows the dms:DescribeReplicationInstances action

The error occurs in a Lambda that stops/starts dms and rds instances on a given schedule.

Currently, there are only three Replication Instances and all of them are listed in the Resource section of the policy.

Here is the Resource section of the Lambda configuration showing the 3 DMS instances as resources for the DescribeReplicationAccess action.


Here is the pertinent section of the Lambda's role document. (There is no access denied error when the * wildcard is used here for Resource.)

Here are the three DMS Replication Instances.


Can anyone point out what is missing? Does DescribeReplicationInstances require a wildcard in order to work?

1 Answer
0
Accepted Answer

Hey Ross, the DescribeReplicationInstances action does not support resource-level permissions, which means there needs to be a "*" in the Resource field of the IAM policy.

Please refer to the document below and search for 'DescribeReplicationInstances': https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement.

AWS
answered 1 year ago
EXPERT
reviewed 1 year ago
  • Solved. Thanks for the quick reply and the link.
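The fix the accepted answer describes is to keep the scoped resources for actions that support them and grant the Describe call on "*" in its own statement. The following added example (not code from the thread or from AWS) shows that split as a policy document and adds a small linter that flags an Allow statement granting a wildcard-only action on specific ARNs, plus a helper that performs the split. Everything here is an assumption for illustration: the account id and replication-instance ids are constructed placeholders, the list of wildcard-only actions contains only the one the thread identifies, and dms:ModifyReplicationInstance / dms:RebootReplicationInstance are used as examples of actions that do accept a replication-instance ARN.

```python
"""Added example: split out IAM actions that need Resource "*" (such as
dms:DescribeReplicationInstances) from statements scoped to specific ARNs."""
import fnmatch
import json

# Actions known to lack resource-level permissions. Only the one named in the
# thread is listed; extend it from the Service Authorization Reference.
WILDCARD_ONLY_ACTIONS = {"dms:DescribeReplicationInstances"}

# Constructed sample ARNs (placeholder account id and instance ids).
REPLICATION_INSTANCE_ARNS = [
    "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE-INSTANCE-1",
    "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE-INSTANCE-2",
    "arn:aws:dms:us-east-1:111122223333:rep:EXAMPLE-INSTANCE-3",
]

# The shape the question describes: Describe bundled into a scoped statement.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dms:DescribeReplicationInstances",
                "dms:ModifyReplicationInstance",   # assumed resource-scoped action
                "dms:RebootReplicationInstance",   # assumed resource-scoped action
            ],
            "Resource": REPLICATION_INSTANCE_ARNS,
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_misscoped_actions(policy, wildcard_only=WILDCARD_ONLY_ACTIONS):
    """Return (statement_index, action) pairs where a wildcard-only action is
    allowed only on specific ARNs. Action patterns such as dms:Describe* are
    expanded with fnmatch; IAM action names are matched case-insensitively.
    Statements using NotAction/NotResource are not analysed here."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in sorted(wildcard_only):
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((idx, action))
    return findings


def split_wildcard_only(policy, wildcard_only=WILDCARD_ONLY_ACTIONS):
    """Return a deep copy in which every literal wildcard-only action is moved
    out of its scoped statement into one new Allow statement on Resource "*".
    Action wildcards (dms:Describe*) are left in place for manual review, and a
    statement whose Action list becomes empty is dropped (IAM rejects it)."""
    fixed = json.loads(json.dumps(policy))  # deep copy without touching input
    lowered = {a.lower() for a in wildcard_only}
    moved, kept_statements = [], []
    for stmt in fixed.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "*" not in _as_list(stmt.get("Resource", [])):
            actions = _as_list(stmt.get("Action", []))
            stmt["Action"] = [a for a in actions if a.lower() not in lowered]
            moved += [a for a in actions if a.lower() in lowered]
            if not stmt["Action"]:
                continue
        kept_statements.append(stmt)
    if moved:
        kept_statements.append({
            "Sid": "WildcardOnlyActions",
            "Effect": "Allow",
            "Action": sorted(set(moved)),
            "Resource": "*",  # required: these actions have no resource types
        })
    fixed["Statement"] = kept_statements
    return fixed


if __name__ == "__main__":
    print("findings before:", find_misscoped_actions(BROKEN_POLICY))
    FIXED_POLICY = split_wildcard_only(BROKEN_POLICY)
    print("findings after:", find_misscoped_actions(FIXED_POLICY))
    print(json.dumps(FIXED_POLICY, indent=2))
```

Running the script reports the Describe action as mis-scoped in the original statement and none after the split; the printed policy is the two-statement form to put in the Lambda's role. Keeping the Describe grant in its own statement on "*" costs nothing in practice, since the action only lists metadata, while the mutating actions stay pinned to the three instance ARNs.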
