AppStream instance running Cognito operations fail with "...explicit deny in an identity-based policy"

0

I am trying to get data from Cognito, e.g., list-user-pools, from a running AppStream instance. How do you ensure Cognito (or AWS operations generally) succeed from an AppStream instance?

I have added AmazonCognitoPowerUser permissions to the AmazonAppStreamServiceAccess role's permission policies, but this isn't solving the problem.

What am I missing?

An error occurred (AccessDeniedException) when calling the ListUserPools operation: User: arn:aws:sts::620803092955:assumed-role/PhotonInstance/i-0e23ed0216f39eabe is not authorized to perform: cognito-idp:ListUserPools on resource: * with an explicit deny in an identity-based policy

This type of failure seems to be happening for all Cognito functions, e.g., ListUserPools, ListIdentityProviders, ...

Asked 6 months ago · Viewed 242 times
2 answers
0
Accepted answer

Thankfully it was a simple solution, and oversight on my part.

I hadn't explicitly set my AWS_PROFILE to "appstream_machine_role" as the credential profile.

Answered 6 months ago
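The accepted answer's fix makes more sense once you see where the AWS SDK and CLI look for credentials. The error in the question names the instance's own `PhotonInstance` role as the caller, which is what you get when nothing points the SDK at the `appstream_machine_role` profile. The following is an added example (not code from the original post): it models the provider-chain order in a simplified form, parses the AccessDenied message format quoted above, and reports which credential source the call would use. The credentials file content, its placeholder key values and the environment dictionaries are constructed for the example; on a real fleet instance the `appstream_machine_role` profile is provided by AppStream and may be populated by a different mechanism.

```python
"""Which credentials will an AWS SDK/CLI call pick up on an AppStream instance?

Added example, not code from the original post. The credentials file content,
its profile values and the environment dicts are constructed here; the only
thing taken from the page is the AccessDenied message format.
"""
import configparser
import re
from typing import Dict, Optional

# Constructed stand-in for the shared credentials file on a fleet instance.
# AppStream provides a profile named appstream_machine_role; the placeholder
# values below are not real keys, and the real profile may be populated by a
# different mechanism than static keys.
SAMPLE_CREDENTIALS_FILE = """
[appstream_machine_role]
aws_access_key_id = ASIAEXAMPLEKEY000001
aws_secret_access_key = EXAMPLESECRETKEY
aws_session_token = EXAMPLESESSIONTOKEN
"""

# Shape of the message quoted in the question.
ACCESS_DENIED_RE = re.compile(
    r"User: arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/\s]+)/"
    r"(?P<session>\S+) is not authorized to perform: (?P<action>\S+)"
)


def load_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI-style shared credentials content into {profile: {key: value}}."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def resolve_credential_source(env: Dict[str, str],
                              profiles: Dict[str, Dict[str, str]]) -> str:
    """Simplified SDK provider chain, in the order the SDK tries sources:
    1. static keys in the environment,
    2. the profile named by AWS_PROFILE (or 'default') in the shared file,
    3. otherwise the instance metadata service, i.e. the role attached to
       the instance itself.
    Assumption: config-file-only, container and SSO providers are ignored."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment variables"
    profile = env.get("AWS_PROFILE", "default")
    if profile in profiles:
        return f"shared credentials profile '{profile}'"
    return "instance metadata (role attached to the instance)"


def parse_access_denied(message: str) -> Optional[Dict[str, str]]:
    """Extract account, role, session and action from an AccessDenied message."""
    m = ACCESS_DENIED_RE.search(message)
    return m.groupdict() if m else None


def diagnose(message: str, env: Dict[str, str],
             profiles: Dict[str, Dict[str, str]]) -> str:
    """One-line diagnosis: did the call run as the machine role or as the
    instance's own role?"""
    info = parse_access_denied(message)
    if info is None:
        return "not an assumed-role AccessDenied message"
    source = resolve_credential_source(env, profiles)
    machine_role_source = "shared credentials profile 'appstream_machine_role'"
    if "appstream_machine_role" in profiles and source != machine_role_source:
        return (f"{info['action']} ran as role '{info['role']}' via {source}; "
                "set AWS_PROFILE=appstream_machine_role (or pass --profile) "
                "so the call uses the machine role instead")
    return (f"{info['action']} ran as role '{info['role']}' via {source}; "
            "look for a Deny statement in that role's identity-based policies")


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_CREDENTIALS_FILE)
    msg = ("User: arn:aws:sts::620803092955:assumed-role/PhotonInstance/"
           "i-0e23ed0216f39eabe is not authorized to perform: "
           "cognito-idp:ListUserPools on resource: * with an explicit deny "
           "in an identity-based policy")
    print(diagnose(msg, {}, profiles))
    print(diagnose(msg, {"AWS_PROFILE": "appstream_machine_role"}, profiles))
```

The practical check this encodes: before touching any IAM policy, confirm which principal actually made the call (the role name inside the `assumed-role/` ARN in the error, or `aws sts get-caller-identity --profile appstream_machine_role` on the instance). If it is not the role you attached the Cognito permissions to, no amount of policy editing on that role will help.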
0

Hello,

Greetings from AWS Premium Support! Thank you for contacting us.

I understand that when your AppStream instance runs a Cognito operation, it fails with an explicit deny error, even though you have already attached the "AmazonCognitoPowerUser" permission to the IAM role. Please feel free to correct me in case I have misunderstood your concern.

An explicit deny indicates that there are one or more policy statements attached to the role which explicitly deny the Cognito operations. Even if you attach the AmazonCognitoPowerUser policy, because one or more policy statements deny Cognito service access, you are getting this error. As a general troubleshooting guide you may refer to this document [1].

That said, to troubleshoot the issue we require details that are non-public information. Please open a support case with AWS using the following link [2]. To open a support case with the technical support team, you need to have one of these support plans [3]. With the "Basic" plan you can only open a ticket with Customer Support. As this issue requires technical assistance specific to your account's resources, which cannot be discussed publicly in the re:Post forum due to confidentiality, please reach out to our technical support team. We will be more than happy to assist you.

Wish you an AWeSome day ahead and stay safe! 🙂

--References--

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_access-denied.html

[2] https://console.aws.amazon.com/support/home#/case/create

[3] https://aws.amazon.com/premiumsupport/plans/

AWS Support Engineer
Tarit_G
Answered 6 months ago
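The support answer's point is the core IAM evaluation rule: an explicit Deny in any applicable identity-based policy wins over every Allow, so attaching AmazonCognitoPowerUser cannot override it. The following is an added example, not code from the answer or from AWS: a minimal evaluator for identity-based policies that shows the rule in action and, more usefully for troubleshooting, lists the Deny statements responsible for the decision. Both policies are constructed: `COGNITO_POWER_USER` keeps only the Cognito allow of the real managed policy, and `DENY_COGNITO` stands in for whatever statement was actually denying the call in the asker's account, which the thread does not show (and which, per the accepted answer, turned out to be on a different role than the one the asker had edited).

```python
"""Why an explicit Deny beats AmazonCognitoPowerUser: a minimal model of the
identity-based policy evaluation rule described in the answer above.

Added example, not from the original answer. Both policies below are
constructed: COGNITO_POWER_USER keeps only the Cognito allows of the real
managed policy, and DENY_COGNITO stands in for whatever statement was
actually denying the call in the asker's account, which the thread does not show.
"""
import fnmatch
from typing import Iterable, List, Union

Pattern = Union[str, List[str]]

# Constructed, simplified version of AmazonCognitoPowerUser.
COGNITO_POWER_USER = {"Statement": [
    {"Effect": "Allow",
     "Action": ["cognito-idp:*", "cognito-identity:*", "cognito-sync:*"],
     "Resource": "*"},
]}

# Constructed example of a statement that would produce the error in the question.
DENY_COGNITO = {"Statement": [
    {"Effect": "Deny", "Action": "cognito-idp:*", "Resource": "*"},
]}


def _matches(patterns: Pattern, value: str, case_insensitive: bool) -> bool:
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _applies(stmt: dict, action: str, resource: str) -> bool:
    """Does this statement cover the (action, resource) pair? Handles the
    Action/NotAction and Resource/NotResource forms; Condition is ignored."""
    if "NotAction" in stmt:
        action_ok = not _matches(stmt["NotAction"], action, True)
    else:
        action_ok = _matches(stmt.get("Action", []), action, True)
    if "NotResource" in stmt:
        resource_ok = not _matches(stmt["NotResource"], resource, False)
    else:
        resource_ok = _matches(stmt.get("Resource", []), resource, False)
    return action_ok and resource_ok


def find_denying_statements(policies: Iterable[dict], action: str,
                            resource: str) -> List[dict]:
    """Every Deny statement that matches the request: these are the statements
    to hunt for when the error says 'explicit deny in an identity-based policy'."""
    return [s for p in policies for s in p["Statement"]
            if s["Effect"] == "Deny" and _applies(s, action, resource)]


def evaluate(policies: Iterable[dict], action: str, resource: str) -> str:
    """'explicit deny', 'allow' or 'implicit deny' for one request.
    Assumptions: identity-based policies only; no Condition blocks, resource
    policies, SCPs, session policies or permissions boundaries."""
    policies = list(policies)
    if find_denying_statements(policies, action, resource):
        return "explicit deny"      # any matching Deny wins, whatever else allows
    for p in policies:
        for s in p["Statement"]:
            if s["Effect"] == "Allow" and _applies(s, action, resource):
                return "allow"
    return "implicit deny"          # nothing matched at all


if __name__ == "__main__":
    attached = [COGNITO_POWER_USER, DENY_COGNITO]
    for action in ("cognito-idp:ListUserPools", "cognito-idp:ListIdentityProviders"):
        print(action, "->", evaluate(attached, action, "*"))
        for s in find_denying_statements(attached, action, "*"):
            print("   denied by:", s)
```

When the real error says "explicit deny", the useful question is not "which Allow is missing?" but "which Deny matched?", and the matching Deny may live on a different policy, or on a different role, than the one you have been editing. The simulator linked from the support answer's reference [1] does the same analysis against your actual policies, including the Condition blocks, SCPs and boundaries this model leaves out.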
