{"id":2628,"date":"2023-04-25T20:17:21","date_gmt":"2023-04-25T14:47:21","guid":{"rendered":"https:\/\/cloudwithease.com\/?p=2628"},"modified":"2024-01-24T15:50:18","modified_gmt":"2024-01-24T10:20:18","slug":"fixing-5-common-aws-iam-errors","status":"publish","type":"post","link":"https:\/\/cloudwithease.com\/fixing-5-common-aws-iam-errors\/","title":{"rendered":"Fixing 5 Common AWS IAM Errors"},"content":{"rendered":"\n<div class=\"wp-block-rank-math-toc-block has-background\" style=\"background-color:#c7f0ee\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#five-common-aws-iam-errors\">Five common AWS IAM errors<\/a><ul><li><a href=\"#1-access-denied-exception-i-cant-assume-a-role\">1. AccessDeniedException &#8211; I can\u2019t assume a role<\/a><ul><li><a href=\"#error\">Error<\/a><\/li><li><a href=\"#cause\">Cause\u00a0<\/a><\/li><li><a href=\"#how-to-fix\">How to fix?<\/a><\/li><\/ul><\/li><li><a href=\"#2-access-denied-exception-i-cant-call-an-aws-api-operation\">2. AccessDeniedException &#8211; I can\u2019t call an AWS API Operation <\/a><ul><li><a href=\"#error-1\">Error<\/a><\/li><li><a href=\"#cause-2\">Cause\u00a0<\/a><\/li><li><a href=\"#how-to-fix-3\">How to fix?<\/a><\/li><\/ul><\/li><li><a href=\"#3-unauthorized-operation-i-am-not-authorized-to-perform-an-operation\">3. UnauthorizedOperation &#8211; I am not authorized to Perform an Operation<\/a><ul><li><a href=\"#error-4\">Error<\/a><\/li><li><a href=\"#cause-5\">Cause<\/a><\/li><li><a href=\"#how-to-fix-6\">How to fix?<\/a><\/li><\/ul><\/li><li><a href=\"#4-describe-instances\">4. DescribeInstances<\/a><ul><li><a href=\"#error-7\">Error<\/a><\/li><li><a href=\"#cause-8\">Cause<\/a><\/li><li><a href=\"#how-to-fix-9\">How to fix?<\/a><\/li><\/ul><\/li><li><a href=\"#5-the-policy-must-contain-a-valid-version-string\">5. 
The policy must contain a valid version string <\/a><ul><li><a href=\"#error-10\">Error<\/a><\/li><li><a href=\"#cause-11\">Cause<\/a><\/li><li><a href=\"#how-to-fix-12\">How to fix?<\/a><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<p>Identity and access management (IAM) is a foundational service through which any cloud provider secures access in the cloud. It lets you manage who and what can access services, resources, and applications. It is a core service, but at times it does not behave the way we expect, and while using it we may run into errors.&nbsp;<\/p>\n\n\n\n<p>In today\u2019s topic we will look at the top five common AWS IAM errors, what causes them, and how to fix them.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#f45502\"><strong>Related: <\/strong><a href=\"https:\/\/cloudwithease.com\/comparing-iam-services\/\" target=\"_blank\" rel=\"noreferrer noopener\">Comparing IAM Services in AWS, Azure &amp; Google Cloud<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"five-common-aws-iam-errors\"><strong>Five common AWS IAM errors<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"1-access-denied-exception-i-cant-assume-a-role\"><strong>1. 
AccessDeniedException &#8211; I can\u2019t assume a role<\/strong><\/h3>\n\n\n\n<p>The purpose of an <a href=\"https:\/\/cloudwithease.com\/aws-iam-identity-and-access-management\/\" target=\"_blank\" rel=\"noreferrer noopener\">IAM role is to delegate access to AWS resources<\/a> across the AWS accounts you own. Say you want to share resources in one account with users in other accounts; to make this possible you must establish a trust relationship between the trusting account (which owns the role) and the trusted accounts (whose principals may assume it). Let&#8217;s take a case of cross-account access where you want users in the development account to access resources in the production account. If permissions are not set correctly, the error below will be encountered.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"error\"><strong><em>Error<\/em><\/strong><\/h4>\n\n\n\n<p class=\"has-text-color has-background\" style=\"color:#01010e;background-color:#c1eee7\"><strong><em>An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam:::user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::user:role\/role<\/em><\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"cause\"><strong>Cause&nbsp;<\/strong><\/h4>\n\n\n\n<p>There are two possible causes for this AccessDenied error: either the user in the development account doesn\u2019t have permission to call sts:AssumeRole, or the trust relationship in the production account is not configured correctly. Both checks must pass: the caller\u2019s identity policy must allow the call, and the role\u2019s trust policy must allow the caller.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"how-to-fix\"><strong>How to fix?<\/strong><\/h4>\n\n\n\n<p>Verify that the IAM policy attached to the user in the development account grants the <strong><em>sts:AssumeRole <\/em><\/strong>action on the role in the production account, or explicitly grant that permission with a policy like the one below:<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2a16f3\"><strong><em>{<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" 
style=\"color:#2a16f3\"><strong><em>&#8220;Version&#8221;: &#8220;2012-10-17&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2a16f3\"><strong><em>&#8220;Statement&#8221;: [{<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2a16f3\"><strong><em>&nbsp;&nbsp;&nbsp;&#8220;Effect&#8221;: &#8220;Allow&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2a16f3\"><strong><em>&nbsp;&nbsp;&nbsp;&#8220;Action&#8221;: [&#8220;sts:AssumeRole&#8221;],<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2a16f3\"><strong><em>&nbsp;&nbsp;&nbsp;&#8220;Resource&#8221;: &#8220;arn:aws:iam::user:role\/role&#8221;<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2a16f3\"><strong><em>&nbsp;}]<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2a16f3\"><strong><em>}<\/em><\/strong><\/p>\n\n\n\n<p>Next, verify that the development account (or the specific user) from which AssumeRole is called is set up in the production account as a trusted entity for the role the user is trying to assume. This is done in the role\u2019s trust policy, which must also carry a valid Version value:&nbsp;<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>{<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>&nbsp;&#8220;Version&#8221;: &#8220;2012-10-17&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>&nbsp;&#8220;Statement&#8221;: [<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>&nbsp;&nbsp;&nbsp;{<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Effect&#8221;: &#8220;Allow&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Principal&#8221;: {<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" 
style=\"color:#1a0df4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;AWS&#8221;: &#8220;arn:aws:iam::user:user-name&#8221;<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Action&#8221;: &#8220;sts:AssumeRole&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Condition&#8221;: {}<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>&nbsp;&nbsp;&nbsp;}<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>&nbsp;]<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1a0df4\"><strong><em>}<\/em><\/strong><\/p>\n\n\n\n<p>On a successful AssumeRole call, STS returns a set of temporary security credentials that are used to access the production account with the permissions attached to the assumed role.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"2-access-denied-exception-i-cant-call-an-aws-api-operation\"><strong>2. AccessDeniedException<\/strong> <strong>&#8211; I can\u2019t call an AWS API Operation <\/strong><\/h3>\n\n\n\n<p>While providing access to resources in an AWS account, the principle of least privilege should apply: grant only the minimum level of access required to perform the task at hand. 
Let&#8217;s take an example to explain it further: a user tries to call the list buckets operation on an <a href=\"https:\/\/ipwithease.com\/aws-cloud-front-setup-with-s3-bucket-as-origin\/\" target=\"_blank\" rel=\"noreferrer noopener\">Amazon S3 bucket<\/a> using the CLI and encounters the error below.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"error-1\"><strong><em>Error<\/em><\/strong><\/h4>\n\n\n\n<p class=\"has-background\" style=\"background-color:#c3f7ee\"><strong><em>An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied<\/em><\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"cause-2\"><strong>Cause&nbsp;<\/strong><\/h4>\n\n\n\n<p>The AccessDenied error occurs because the user attempting this action has not been explicitly granted permission to list buckets or their contents. IAM denies everything by default, so a missing Allow is enough to produce it.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"how-to-fix-3\"><strong>How to fix?<\/strong><\/h4>\n\n\n\n<p>Attach an inline policy like the one below:<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>{<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&#8220;Version&#8221;: &#8220;2012-10-17&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&#8220;Statement&#8221;: [<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Sid&#8221;: &#8220;VisualEditor0&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Effect&#8221;: &#8220;Allow&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" 
style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Action&#8221;: [<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;s3:ListAllMyBuckets&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;s3:ListBucket&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;s3:HeadBucket&#8221;<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;],<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Resource&#8221;: &#8220;*&#8221;<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>&nbsp;&nbsp;&nbsp;]<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0e11f4\"><strong><em>}<\/em><\/strong><\/p>\n\n\n\n<p>For an additional layer of security, instead of a wildcard we can name specific resources in the Resource element to state exactly which bucket or objects the policy covers. 
In the statement below we allow access to one specific bucket by naming it with its Amazon Resource Name (ARN) in the Resource element. Note that s3:ListBucket and s3:HeadBucket are bucket-level actions, so their Resource must be the bucket ARN itself (arn:aws:s3:::bucket_name); the object-level form with a trailing \/* (arn:aws:s3:::bucket_name\/*) only matches objects inside the bucket and would not satisfy ListBucket. s3:ListAllMyBuckets does not support resource-level permissions at all, so it is kept in its own statement with Resource *.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>{<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&#8220;Version&#8221;: &#8220;2012-10-17&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&#8220;Statement&#8221;: [<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Sid&#8221;: &#8220;VisualEditor0&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Effect&#8221;: &#8220;Allow&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Action&#8221;: &#8220;s3:ListAllMyBuckets&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Resource&#8221;: &#8220;*&#8221;<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Sid&#8221;: &#8220;VisualEditor1&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Effect&#8221;: &#8220;Allow&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Action&#8221;: [<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;s3:ListBucket&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;s3:HeadBucket&#8221;<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" 
style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;],<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Resource&#8221;: &#8220;arn:aws:s3:::bucket_name&#8221;<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>&nbsp;&nbsp;&nbsp;]<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0813f9\"><strong><em>}<\/em><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"3-unauthorized-operation-i-am-not-authorized-to-perform-an-operation\"><strong>3. UnauthorizedOperation &#8211; I am not authorized to Perform an Operation<\/strong><\/h3>\n\n\n\n<p>This error occurs when the caller is not authorized to perform a particular operation. For example, you want to list the EC2 instances in an account using the <strong><em>describe-instances<\/em><\/strong> CLI command (the <strong><em>ec2:DescribeInstances<\/em><\/strong> action).&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"error-4\"><strong><em>Error<\/em><\/strong><\/h4>\n\n\n\n<p class=\"has-background\" style=\"background-color:#c1eee7\"><strong><em>An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.<\/em><\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"cause-5\"><strong>Cause<\/strong><\/h4>\n\n\n\n<p>The <strong><em>UnauthorizedOperation <\/em><\/strong>error occurs because the user or role trying to perform that operation doesn\u2019t have permission to describe (list) EC2 instances.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"how-to-fix-6\"><strong>How to fix?<\/strong><\/h4>\n\n\n\n<p>Attach an inline policy like the one below:<\/p>\n\n\n\n<p class=\"has-text-color\" 
style=\"color:#1205ed\"><strong><em>{<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1205ed\"><strong><em>&nbsp;&nbsp;&nbsp;&#8220;Version&#8221;: &#8220;2012-10-17&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1205ed\"><strong><em>&nbsp;&nbsp;&nbsp;&#8220;Statement&#8221;: [<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1205ed\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1205ed\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Sid&#8221;: &#8220;VisualEditor0&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1205ed\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Effect&#8221;: &#8220;Allow&#8221;,<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1205ed\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Action&#8221;: [<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1205ed\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;ec2:DescribeInstances&#8221;<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1205ed\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;],<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1205ed\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Resource&#8221;: &#8220;*&#8221;<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1205ed\"><strong><em>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#1205ed\"><strong><em>&nbsp;&nbsp;&nbsp;]<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" 
style=\"color:#1205ed\"><strong><em>}<\/em><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"4-describe-instances\"><strong>4. DescribeInstances<\/strong><\/h3>\n\n\n\n<p>DescribeInstances can\u2019t be scoped to an ARN: some API actions do not support resource-level permissions and require a wildcard in the Resource element, which is why the policy above uses Resource *.&nbsp;<\/p>\n\n\n\n<p>One service is not authorized to perform an action on another service \u2013 while managing AWS resources we often need to grant one AWS service access to another service to perform tasks. For example, you want to query a <a href=\"https:\/\/cloudwithease.com\/aws-dynamodb\/\" target=\"_blank\" rel=\"noreferrer noopener\">DynamoDB <\/a>table from a Lambda function, but the Lambda code snippet that queries the USERS table gives the error below.<\/p>\n\n\n\n<p><strong>Query<\/strong><\/p>\n\n\n\n<p><em>import boto3<\/em><\/p>\n\n\n\n<p><em>from boto3.dynamodb.conditions import Key<\/em><\/p>\n\n\n\n<p><em>table = boto3.resource(&#8216;dynamodb&#8217;).Table(&#8216;USERS&#8217;)<\/em><\/p>\n\n\n\n<p><em>response = table.query(KeyConditionExpression=Key(&#8216;USER_ID&#8217;).eq(userid))<\/em><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"error-7\"><strong><em>Error<\/em><\/strong><\/h4>\n\n\n\n<p class=\"has-background\" style=\"background-color:#c1eee7\"><strong><em>arn:aws:sts::user:assumed-role\/role\/function is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:region:account:table\/USERS<\/em><\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"cause-8\"><strong>Cause<\/strong><\/h4>\n\n\n\n<p>The error happens because the Lambda execution role does not have permission to query the USERS DynamoDB table.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"how-to-fix-9\"><strong>How to fix?<\/strong><\/h4>\n\n\n\n<p>Modify the Lambda execution role by attaching an inline policy like the one below, scoped to the single table and action the function needs:<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f0\"><strong>{<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f0\"><strong>&nbsp;&nbsp;&nbsp;&#8220;Version&#8221;: 
&#8220;2012-10-17&#8221;,<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f0\"><strong>&nbsp;&nbsp;&nbsp;&#8220;Statement&#8221;: [<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f0\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f0\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Sid&#8221;: &#8220;VisualEditor0&#8221;,<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f0\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Effect&#8221;: &#8220;Allow&#8221;,<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f0\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Action&#8221;: &#8220;dynamodb:Query&#8221;,<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f0\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Resource&#8221;: &#8220;arn:aws:dynamodb:region:account:table\/USERS&#8221;<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f0\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f0\"><strong>&nbsp;&nbsp;&nbsp;]<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f0\"><strong>}<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"5-the-policy-must-contain-a-valid-version-string\"><strong>5. The policy must contain a valid version string <\/strong><\/h3>\n\n\n\n<p>When creating or modifying a policy you might encounter an error stating that the policy must contain a valid Version string. The Version policy element specifies the policy-language syntax rules IAM uses to process the policy, and it accepts only a few fixed values. 
For example, using a recent date such as 2023-03-25 as the Version value, as in the policy below, triggers the error.&nbsp;<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>{<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>&nbsp;&nbsp;&nbsp;&#8220;Version&#8221;: &#8220;2023-03-25&#8221;,<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>&nbsp;&nbsp;&nbsp;&#8220;Statement&#8221;: [<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Sid&#8221;: &#8220;VisualEditor0&#8221;,<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Effect&#8221;: &#8220;Allow&#8221;,<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Action&#8221;: [<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;ec2:DescribeInstances&#8221;<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;],<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#8220;Resource&#8221;: &#8220;*&#8221;<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#0d08f2\"><strong>&nbsp;&nbsp;&nbsp;]<\/strong><\/p>\n\n\n\n<p class=\"has-text-color\" 
style=\"color:#0d08f2\"><strong>}<\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"error-10\"><strong><em>Error<\/em><\/strong><\/h4>\n\n\n\n<p class=\"has-background\" style=\"background-color:#c1eee7\"><strong><em>This policy contains the following error: The policy must contain a valid version string<\/em><\/strong><\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"cause-11\"><strong>Cause<\/strong><\/h4>\n\n\n\n<p>The error occurs because the Version element is limited to a fixed set of values; any other string, including a current date, is rejected when the policy is validated.&nbsp;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"how-to-fix-12\"><strong>How to fix?<\/strong><\/h4>\n\n\n\n<p>The solution is to use one of the valid Version element values. Currently IAM supports only the following Version element values:<\/p>\n\n\n\n<p><em>2012-10-17 \u2013 Current version of the policy language<\/em><\/p>\n\n\n\n<p><em>2008-10-17 \u2013 Older version of the policy language, which does not support newer features such as policy variables&nbsp;<\/em><\/p>\n\n\n\n<p>If the Version element is not included, the default is 2008-10-17, so always set it explicitly to 2012-10-17.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Identity and access management (IAM) is a foundation service for any cloud provider to provide security in the cloud. 
It &#8230; <a title=\"Fixing 5 Common AWS IAM Errors\" class=\"read-more\" href=\"https:\/\/cloudwithease.com\/fixing-5-common-aws-iam-errors\/\" aria-label=\"Read more about Fixing 5 Common AWS IAM Errors\">Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":2633,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"pmpro_default_level":"","footnotes":""},"categories":[18,38,45],"tags":[60,61],"class_list":["post-2628","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws-cloud","category-cloud-technologies","category-tools-services","tag-aws","tag-toolsservices","pmpro-has-access"],"_links":{"self":[{"href":"https:\/\/cloudwithease.com\/wp-json\/wp\/v2\/posts\/2628","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudwithease.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudwithease.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudwithease.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudwithease.com\/wp-json\/wp\/v2\/comments?post=2628"}],"version-history":[{"count":6,"href":"https:\/\/cloudwithease.com\/wp-json\/wp\/v2\/posts\/2628\/revisions"}],"predecessor-version":[{"id":3695,"href":"https:\/\/cloudwithease.com\/wp-json\/wp\/v2\/posts\/2628\/revisions\/3695"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudwithease.com\/wp-json\/wp\/v2\/media\/2633"}],"wp:attachment":[{"href":"https:\/\/cloudwithease.com\/wp-json\/wp\/v2\/media?parent=2628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudwithease.com\/wp-json\/wp\/v2\/categories?post=2628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudwithease.com\/wp-json\/wp\/v2\/tags?post=2628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}