Reputation: 31222
I am least familiar with AWS etc. What I am trying to do is upload a small war file to an S3 bucket using s3-bash and PalletOps at the moment. For that, I have a Clojure config file configured as:

    (defpallet :default-service
      :vmfest
      :services {:localhost {:provider "localhost"}
                 :vmfest {:provider "vmfest"
                          :vbox-comm :ws
                          :default-network-type :local
                          :default-memory-size 1024
                          :default-local-interface "vboxnet5"}
                 :aws-ec2 {:provider "aws-ec2"
                           :identity "AAAAAAAAAAAAAAAAAAQ"
                           :credential "ATMz1/gerGGFHDh/GFGGFGFGFHFHFHGTUUTUgdgdgdg"}})

On AWS, I added an IAM policy to that user:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:*",
          "Resource": "*"
        }
      ]
    }

While trying to lein pallet up -P aws-ec2 the cluster with the above config, I get the following error:

    Caused by: org.jclouds.aws.AWSResponseException: request POST
    https://ec2.us-east-1.amazonaws.com/ HTTP/1.1 failed with code 403,
    error: AWSError{requestId='c20a65f1-64a1-4d7f-be27-690d495ffd09',
    requestToken='null', code='UnauthorizedOperation', message='You are not
    authorized to perform this operation.', context='{Response=, Errors=}'}
    at org.jclouds.aws.handlers.ParseAWSErrorFromXmlContent.handleError(ParseAWSErrorFromXmlContent.java:77)
    ... 77 more
    Subprocess failed

I tried simulation at https://policysim.aws.amazon.com/home/index.jsp?# as well, but it fails even for an action "ListBucket" with the error Implicitly denied (no matching statements found).
I may be missing some configuration on AWS EC2, but I couldn't move further.
Upvotes: 3
Views: 7229
Reputation: 91554
I think you may need an s3* entry in the IAM policy:
Here is an example of a policy that allows uploading only to a specific folder:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:*"
          ],
          "Sid": "Stmt13NNNNNNNN000",
          "Resource": [
            "arn:aws:s3:::bucket-name/specific-folder/*"
          ],
          "Effect": "Allow"
        },
        {
          "Action": [
            "s3:*"
          ],
          "Sid": "StmtNNNNNNNNNNN",
          "Resource": [
            "arn:aws:s3:::bucket-name"
          ],
          "Effect": "Allow"
        }
      ]
    }

It's also worth testing with a credential in the "power user" pre-built policy (if you can) to rule out such permissions issues.
Upvotes: 0
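
As an added example (not part of either post, and not AWS's own evaluation code), this simplified sketch of identity-policy evaluation shows why the question's `iam:*` policy yields "Implicitly denied" for `ListBucket`, and what the answer's policy does and does not cover. It handles only `Effect`, `Action` and `Resource` with wildcards; the object key `app.war` and the stand-in action `ec2:DescribeInstances` are assumptions, since the page does not show which EC2 call failed.

```python
import re

QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}

ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::bucket-name/specific-folder/*"]},
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::bucket-name"]}]}

# Constructed requests; the object key and the EC2 action are assumptions.
REQUESTS = [
    ("s3:ListBucket", "arn:aws:s3:::bucket-name"),
    ("s3:PutObject", "arn:aws:s3:::bucket-name/specific-folder/app.war"),
    ("s3:PutObject", "arn:aws:s3:::bucket-name/other/app.war"),
    ("ec2:DescribeInstances", "*"),
]

def wildcard_match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def evaluate(policy, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # nothing matched: denied by default
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        # Action names compare case-insensitively; resource ARNs do not.
        if not any(wildcard_match(a, action, True) for a in actions):
            continue
        if not any(wildcard_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny always wins
        decision = "Allow"
    return decision

def report(policy):
    return {(a, r): evaluate(policy, a, r) for a, r in REQUESTS}

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        for (action, resource), decision in report(policy).items():
            print(f"{name:8} {action:22} {resource:50} {decision}")
```

Both policies leave the EC2 request implicitly denied, which for the question's policy matches the 403 `UnauthorizedOperation` returned by `ec2.us-east-1.amazonaws.com`.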