fixing issues

Cards (55)

  • I can't assume a role
    • To allow users to assume the current role again within a role session, specify the role ARN or AWS account ARN as a principal in the role trust policy. AWS services that provide compute resources such as Amazon EC2, Amazon ECS, Amazon EKS, and Lambda provide temporary credentials and automatically update these credentials. This ensures that you always have a valid set of credentials. For these services, it's not necessary to assume the current role again to obtain temporary credentials.
  • I can't assume a role
    Check the following:
    • AWS services that provide compute resources such as Amazon EC2, Amazon ECS, Amazon EKS, and Lambda provide temporary credentials and automatically update these credentials. This ensures that you always have a valid set of credentials. For these services, it's not necessary to assume the current role again to obtain temporary credentials. However, if you intend to pass session tags or a session policy, you need to assume the current role again. 
  • I can't assume a role
    • When you assume a role using the AWS Management Console, make sure to use the exact name of your role. Role names are case sensitive when you assume a role.
    • When you assume a role using AWS STS API or AWS CLI, make sure to use the exact name of your role in the ARN. Role names are case sensitive when you assume a role.
  • I can't assume a role
    • Verify that your IAM policy grants you permission to call sts:AssumeRole for the role that you want to assume. The Action element of your IAM policy must allow you to call the AssumeRole action. In addition, the Resource element of your IAM policy must specify the role that you want to assume. For example, the Resource element can specify a role by its Amazon Resource Name (ARN) or by a wildcard (*). That is, at least one policy that applies to you must grant permissions similar to the following:
  • I can't assume a role
    • Verify that your IAM identity is tagged with any tags that the IAM policy requires. For example, in the following policy permissions, the Condition element requires that you, as the principal requesting to assume the role, must have a specific tag. You must be tagged with department = HR or department = CS. Otherwise, you cannot assume the role.
  • I can't assume a role
    • Verify that you meet all the conditions that are specified in the role's trust policy. A Condition can specify an expiration date, an external ID, or that a request must come only from specific IP addresses. Consider the following example: If the current date is any time after the specified date, then the policy never matches and cannot grant you the permission to assume the role.
  • I Can't Assume an IAM Role
    • Verify that the AWS account from which you are calling AssumeRole is a trusted entity for the role that you are assuming. Trusted entities are defined as a Principal in a role's trust policy. The following example is a trust policy that is attached to the role that you want to assume. In this example, the account ID with the IAM user that you signed in with must be 123456789012. If your account number is not listed in the Principal element of the role's trust policy, then you cannot assume the role.
  • I can't edit or delete a role in my AWS account
    • You cannot delete or edit the permissions for a service-linked role in IAM. These roles include predefined trusts and permissions that are required by the service in order to perform actions on your behalf. You can use the IAM console, AWS CLI, or API to edit only the description of a service-linked role. You can view the service-linked roles in your account by going to the IAM Roles page in the console. Service-linked roles appear with (Service-linked role) in the Trusted entities column of the table.
    • You can manage and delete these roles only through the linked service, if that service supports the action. Be careful when modifying or deleting a service-linked role because doing so could remove permissions that the service needs to access AWS resources.
  • I'm not authorized to perform: iam:PassRole
    • When you create a service-linked role, you must have permission to pass that role to the service. Some services automatically create a service-linked role in your account when you perform an action in that service. For example, Amazon EC2 Auto Scaling creates the AWSServiceRoleForAutoScaling service-linked role for you the first time that you create an Auto Scaling group. If you try to create an Auto Scaling group without the PassRole permission, you receive the following error:
  • Why can't I assume a role with a 12-hour session? (AWS CLI, AWS API)
    • When you use the AWS STS AssumeRole* API or assume-role* CLI operations to assume a role, you can specify a value for the DurationSeconds parameter. You can specify a value from 900 seconds (15 minutes) up to the Maximum session duration setting for the role. If you specify a value higher than this setting, the operation fails. This setting can have a maximum value of 12 hours. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails.
    • If you use role chaining (using a role to assume a second role), your session is limited to a maximum of one hour. If you then use the DurationSeconds parameter to provide a value greater than one hour, the operation fails.
  • I receive an error when I try to switch roles in the IAM console: The information you enter on the Switch Role page must match the information for the role.
    • Account ID or alias – The AWS account ID is a 12-digit number. Your account might have an alias, which is a friendly identifier such as your company name that can be used instead of your AWS account ID. You can use either the account ID or the alias in this field.
    • Role name – Role names are case sensitive. The account ID and role name must match what is configured for the role.
  • My role has a policy that allows me to perform an action, but I get "access denied": Your role session might be limited by session policies. When you request temporary security credentials programmatically using AWS STS, you can optionally pass inline or managed session policies. Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary credential session for a role. You can pass a single JSON inline session policy document using the Policy parameter. You can use the PolicyArns parameter to specify up to 10 managed session policies.
  • My role has a policy that allows me to perform an action, but I get "access denied"
    • The resulting session's permissions are the intersection of the role's identity-based policies and the session policies. Alternatively, if your administrator or a custom program provides you with temporary credentials, they might have included a session policy to limit your access.
  • I lost my access keys:
    Access keys consist of two parts:
    • The access key identifier. This is not a secret, and can be seen in the IAM console wherever access keys are listed, such as on the user summary page.
    • The secret access key. This is provided when you initially create the access key pair. Just like a password, it cannot be retrieved later. If you lost your secret access key, then you must create a new access key pair. If you already have the maximum number of access keys, you must delete an existing pair before you can create another.
  • Policy variables aren't working
    • Verify that all policies that include variables include the following version number in the policy: "Version": "2012-10-17". Without the correct version number, the variables are not replaced during evaluation. Instead, the variables are evaluated literally. Any policies that don't include variables will still work if you include the latest version number.
  • Policy variables aren't working
    • A Version policy element is different from a policy version. The Version policy element is used within a policy and defines the version of the policy language. A policy version, on the other hand, is created when you make changes to a customer managed policy in IAM. The changed policy doesn't overwrite the existing policy. Instead, IAM creates a new version of the managed policy. To learn more about the Version policy element see IAM JSON policy elements: Version.
    • Verify that your policy variables are in the right case.
  • Changes that I make are not always immediately visible: As a service that is accessed through computers in data centers around the world, IAM uses a distributed computing model called eventual consistency. Any change that you make in IAM (or other AWS services), including tags used in attribute-based access control (ABAC), takes time to become visible from all possible endpoints.
  • I am not authorized to perform: iam:DeleteVirtualMFADevice:
    • This could happen if someone previously began assigning a virtual MFA device to a user in the IAM console and then cancelled the process. This creates a virtual MFA device for the user in IAM but never assigns it to the user. You must delete the existing virtual MFA device before you can create a new virtual MFA device with the same device name.
    • To fix this issue, an administrator should not edit policy permissions. Instead, the administrator must use the AWS CLI or AWS API to delete the existing but unassigned virtual MFA device.
  • I get "access denied" when I make a request to an AWS service
    • Check if the error message includes the type of policy responsible for denying access. For example, if the error mentions that access is denied due to a Service Control Policy (SCP), then you can focus on troubleshooting SCP issues. 
    • Verify that you have the identity-based policy permission to call the action and resource that you have requested. If any conditions are set, you must also meet those conditions when you send the request.
  • I get "access denied" when I make a request to an AWS service:
    • Resource Policies: Verify that the policy specifies you as a principal and grants you access. If you make a request to a service within your account, either your identity-based policies or the resource-based policies can grant you permission. If you make a request to a service in a different account, then both your identity-based policies and the resource-based policies must grant you permission.
  • I get "access denied" when I make a request to an AWS service
    • If your policy includes a condition with a key–value pair, review it carefully. Examples include the aws:RequestTag/tag-key global condition key, the AWS KMS kms:EncryptionContext:encryption_context_key, and the ResourceTag/tag-key condition key supported by multiple services. Make sure that the key name does not match multiple results. Because condition key names are not case sensitive, a condition that checks for a key named foo matches foo, Foo, or FOO.
  • I get "access denied" when I make a request to an AWS service
    • If you have a permissions boundary, verify that the policy that is used for the permissions boundary allows your request. If your identity-based policies allow the request, but your permissions boundary does not, then the request is denied. A permissions boundary controls the maximum permissions that an IAM principal (user or role) can have. Resource-based policies are not limited by permissions boundaries. Permissions boundaries are not common.
  • I get "access denied" when I make a request to an AWS service
    • If you are signing requests manually (without using the AWS SDKs), verify that you have correctly signed the request.
  • I get "access denied" when I make a request with temporary security credentials
    • First, make sure that you are not denied access for a reason that is unrelated to your temporary credentials.
    • Verify that the service accepts temporary security credentials.
    • Verify that your requests are being signed correctly and that the request is well-formed.
    • Verify that your temporary security credentials haven't expired.
  • I get "access denied" when I make a request with temporary security credentials
    • Verify that the IAM user or role has the correct permissions. Permissions for temporary security credentials are derived from an IAM user or role. As a result, the permissions are limited to those that are granted to the role whose temporary credentials you have assumed.
    • If you assumed a role, your role session might be limited by session policies
  • I get "access denied" when I make a request with temporary security credentials
    • If you are a federated user, your session might be limited by session policies. You become a federated user by signing in to AWS as an IAM user and then requesting a federation token.
    • If you are accessing a resource that has a resource-based policy by using a role, verify that the policy grants permissions to the role.
  • Attaching or detaching a policy in an IAM account
    • Some AWS managed policies are linked to a service. These policies are used only with a service-linked role for that service. In the IAM console, when you view the Policy details page for a policy, the page includes a banner to indicate that the policy is linked to a service. You cannot attach this policy to a user, group, or role within IAM. When you create a service-linked role for the service, this policy is automatically attached to your new role. Because the policy is required, you cannot detach the policy from the service-linked role.
  • When attempting to launch an instance, I don't see the role I expected to see in the Amazon EC2 console IAM Role list:
    • If you are signed in as an IAM user, verify that you have permission to call ListInstanceProfiles.
    • If you created a role by using the IAM CLI or API, verify that you created an instance profile and added the role to that instance profile. Also, if you name your role and instance profile differently, you won't see the correct role name in the list of IAM roles in the Amazon EC2 console.
    • If you use the IAM console to create roles, you don't need to work with instance profiles. For each role that you create in the IAM console, an instance profile is created with the same name as the role, and the role is automatically added to that instance profile. An instance profile can contain only one IAM role, and that limit cannot be increased.
  • The credentials on my instance are for the wrong role:
    • The role in the instance profile might have been replaced recently. If so, your application will need to wait for the next automatically scheduled credential rotation before credentials for your role become available.
    • To force the change, you must disassociate the instance profile and then associate the instance profile, or you can stop your instance and then restart it.
  • When I attempt to call AddRoleToInstanceProfile, I get an AccessDenied error: If you are making requests as an IAM user, verify that you have the following permissions:
    • iam:AddRoleToInstanceProfile with the resource matching the instance profile ARN (for example, arn:aws:iam::999999999999:instance-profile/ExampleInstanceProfile).
  • Amazon EC2: When I attempt to launch an instance with a role, I get an AccessDenied error: Launch an instance without an instance profile. This will help ensure that the problem is limited to IAM roles for Amazon EC2 instances.
    • If you are making requests as an IAM user, verify that you have the following permissions:
      • ec2:RunInstances with a wildcard resource ("*")
      • iam:PassRole with the resource matching the role ARN (for example, arn:aws:iam::999999999999:role/ExampleRoleName).
  • Amazon EC2: When I attempt to launch an instance with a role, I get an AccessDenied error
    • Call the IAM GetInstanceProfile action to ensure that you are using a valid instance profile name or a valid instance profile ARN.
    • Call the IAM GetInstanceProfile action to ensure that the instance profile has a role. Empty instance profiles will fail with an AccessDenied error.
  • I can't access the temporary security credentials on my EC2 instance
    • To access temporary security credentials on your EC2 instance, you must first use the IAM console to create a role. Then you launch an EC2 instance that uses that role and examine the running instance.
  • I can't access the temporary security credentials on my EC2 instance: check the following:
    • Can you access another part of the Instance Metadata Service (IMDS)? If not, check that you have no firewall rules blocking access to requests to the IMDS.
    • Does the iam subtree of the IMDS exist? If not, verify that your instance has an IAM instance profile associated with it by calling the EC2 DescribeInstances API operation or using the aws ec2 describe-instances CLI command.
  • How do I grant anonymous access to an Amazon S3 bucket?
    • You use an Amazon S3 bucket policy that specifies a wildcard (*) in the principal element, which means anyone can access the bucket. With anonymous access, anyone (including users without an AWS account) will be able to access the bucket.
    • In some cases, you might have an IAM user with full access to IAM and Amazon S3. If the IAM user assigns a bucket policy to an Amazon S3 bucket and doesn't specify the AWS account root user as a principal, the root user is denied access to that bucket. However, as the root user, you can still access the bucket. To do that, modify the bucket policy to allow root user access from the Amazon S3 console or the AWS CLI.
  • Error: Your request included an invalid SAML response. To logout, click here: This error can occur when the SAML response from the identity provider does not include an attribute with the Name set to https://aws.amazon.com/SAML/Attributes/Role. The attribute must contain one or more AttributeValue elements, each containing a comma-separated pair of strings:
    • The ARN of a role that the user can be mapped to
    • The ARN of the SAML provider