Reputation: 1128
I am trying to setup AWS CLI tools and was following instructions at http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/set-up-ec2-cli-linux.html#setting_up_ec2_command_linux
However, after following all the steps and setting up my AWS_ACCESS_KEY and AWS_SECRET_KEY, I get
$ ec2-describe-regions
Client.UnauthorizedOperation: You are not authorized to perform this operation. (Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation; Request ID: 55f02cc4-2e9f-4a0a-8b55-46bcc1973f50)
I then tried regenerating new credentials, but I'm still getting the same error. I couldn't seem to find information about anyone else having this issue. I tried passing the keys using -O and -W, but that doesn't work either.
Any idea what I might be doing wrong?
Upvotes: 37
Views: 47349
Reputation: 2701
With multi-factor authentication (MFA) policies now becoming increasingly adopted and applied, I found my "direct" use of security key + secret being blocked as Unauthorized because of an explicit Deny permission set in another attached policy.
{
"Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
In other words, nothing except IAM and other, previously specified actions would be allowed without MFA being set first.
Running STS get-session-token with the ARN of a previously registered MFA device generates temporary (12-hour) credentials.
$ aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
{
"Credentials": {
"SecretAccessKey": "secret-access-key",
"SessionToken": "temporary-session-token",
"Expiration": "expiration-date-time",
"AccessKeyId": "access-key-id"
}
}
These now become the Access Key and Secret for subsequent CLI calls.
export AWS_ACCESS_KEY_ID=example-access-key-as-in-previous-output
export AWS_SECRET_ACCESS_KEY=example-secret-access-key-as-in-previous-output
export AWS_SESSION_TOKEN=example-session-token-as-in-previous-output
Source: https://repost.aws/knowledge-center/authenticate-mfa-cli
Upvotes: 0
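Once get-session-token has returned, the three values have to travel together. The following Python is an added example, not code from the answer above or from AWS: it parses a constructed sample response shaped like the one shown (all values are placeholders), refuses a response with any field missing, checks Expiration, and renders either the three export lines or a named profile section for ~/.aws/credentials. The profile name `mfa` is an arbitrary choice.

```python
import configparser
import io
import json
from datetime import datetime, timezone

# Constructed sample shaped like the `aws sts get-session-token` response above.
# All values are placeholders, not real credentials.
SAMPLE_RESPONSE = """{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
        "SecretAccessKey": "exampleSecretAccessKeyValue",
        "SessionToken": "exampleSessionTokenValue",
        "Expiration": "2099-01-01T00:00:00+00:00"
    }
}"""

REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


def parse_session_credentials(response_text):
    """Return the temporary credential set, refusing a response missing any part.

    Temporary credentials are a triple: exporting only the key id and secret and
    dropping AWS_SESSION_TOKEN is the common slip, so every field is mandatory.
    """
    creds = json.loads(response_text)["Credentials"]
    missing = [k for k in REQUIRED if not creds.get(k)]
    if missing:
        raise ValueError(f"get-session-token response is missing {missing}")
    return {k: creds[k] for k in REQUIRED}


def is_expired(creds, now_iso=None):
    """True once Expiration has passed; `now_iso` overrides the clock for testing."""
    exp = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
           if now_iso else datetime.now(timezone.utc))
    return now >= exp


def export_lines(creds):
    """The three export commands from the answer, generated from the response."""
    return [
        f"export AWS_ACCESS_KEY_ID={creds['AccessKeyId']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['SecretAccessKey']}",
        f"export AWS_SESSION_TOKEN={creds['SessionToken']}",
    ]


def credentials_profile(creds, profile="mfa"):
    """Render a ~/.aws/credentials section selectable with `--profile mfa`."""
    cp = configparser.ConfigParser()
    cp[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    creds = parse_session_credentials(SAMPLE_RESPONSE)
    if is_expired(creds):
        raise SystemExit("session expired, run get-session-token again")
    print("\n".join(export_lines(creds)))
    print(credentials_profile(creds))
```

In practice you would feed the real command output in instead of SAMPLE_RESPONSE (for example `aws sts get-session-token ... > session.json` and read that file). Keeping the session in its own profile leaves the long-term keys in `[default]` untouched and lets you run `aws --profile mfa ec2 describe-regions` without re-exporting variables in every shell.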
Reputation: 76709
Some policies have to be assigned to IAM users and groups instead of IAM roles. We were assigning policies like AdministratorAccess or AmazonEC2FullAccess to an IAM role created for federation, and AWS CLI commands failed with the same response.
Assigning policies to IAM users and groups ensured that the policies worked. We assigned policies like the AmazonEC2FullAccess policy to admins. For listing regions and instances, as is required by the describe-regions command, a policy like AmazonEC2ReadOnlyAccess is sufficient, as it contains the necessary statements to allow restricted actions on the required resources.
Upvotes: 3
Reputation: 35884
I am on the free tier and found it easier to grant the administrator policy to a single user, which supports access from all of the Amazon command line tools. You can downgrade the policy at a later time if you feel the policy is too lenient.
(Screenshot: Policies in the left-hand menu)
Assuming you have set up your access keys, you should now have full command line access for the given user.
› ec2-describe-regions
Client.UnauthorizedOperation: You are not authorized to perform this operation. (Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation; Request ID: 3398ed18-1caf-4c04-865b-a54f796c653c)
› ec2-describe-regions
REGION eu-central-1 ec2.eu-central-1.amazonaws.com
REGION sa-east-1 ec2.sa-east-1.amazonaws.com
REGION ap-northeast-1 ec2.ap-northeast-1.amazonaws.com
REGION eu-west-1 ec2.eu-west-1.amazonaws.com
REGION us-east-1 ec2.us-east-1.amazonaws.com
REGION us-west-1 ec2.us-west-1.amazonaws.com
REGION us-west-2 ec2.us-west-2.amazonaws.com
REGION ap-southeast-2 ec2.ap-southeast-2.amazonaws.com
REGION ap-southeast-1 ec2.ap-southeast-1.amazonaws.com
Amazon's UX takes some time before you get used to it.
Upvotes: 38
Reputation: 1128
It is very unfortunate that the basic guide on using EC2 CLI tools doesn't even mention this, but looks like my issue was that I didn't have the correct policy setup under my IAM account.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
}]
}
See this link for more details: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html
Upvotes: 27
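Both the ec2:Describe* Allow in this answer and the explicit Deny quoted in the MFA answer above can be worked through with the small IAM evaluator below. It is added example code, not anything from the original posts or from AWS: it models only the documented core of identity-policy evaluation (an explicit Deny wins, otherwise some Allow must match, otherwise implicit deny) with Action, NotAction, Resource wildcards and the Bool/BoolIfExists operators this page uses. The policy strings and request contexts inside it are constructed for illustration, and it assumes, as AWS documents, that aws:MultiFactorAuthPresent is absent from the request context when long-term access keys are used and is "true" or "false" for session credentials.

```python
import fnmatch
import json

# Added example: a minimal model of IAM identity-policy evaluation, enough to
# show why `ec2-describe-regions` gets UnauthorizedOperation. Real IAM has many
# more operators and policy types; only what this page uses is modelled.

# Constructed policies. The first is the Allow from the final answer; the second
# wraps the Deny statement from the MFA answer in a complete policy document.
EC2_DESCRIBE_ALLOW = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
})
MFA_DENY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BlockAnyAccessOtherThanAboveUnlessSignedInWithMFA",
        "Effect": "Deny",
        "NotAction": "iam:*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
})


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _matches(patterns, value):
    # IAM matches action and resource patterns case-insensitively with * and ?.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """All operator/key pairs must hold. Only Bool and BoolIfExists are modelled."""
    for operator, pairs in (condition or {}).items():
        if_exists = operator.endswith("IfExists")
        if operator.replace("IfExists", "") != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue  # ...IfExists: a missing key counts as a match
                return False  # plain Bool: a missing key fails the condition
            wanted = {str(e).lower() for e in _as_list(expected)}
            if str(context[key]).lower() not in wanted:
                return False
    return True


def _applies(stmt, action, resource, context):
    if "Action" in stmt and not _matches(_as_list(stmt["Action"]), action):
        return False
    if "NotAction" in stmt and _matches(_as_list(stmt["NotAction"]), action):
        return False
    if not _matches(_as_list(stmt.get("Resource", "*")), resource):
        return False
    return _condition_holds(stmt.get("Condition"), context)


def evaluate(policies, action, resource="*", context=None):
    """Return "Deny" (explicit), "Allow", or "ImplicitDeny" for one request."""
    context = context or {}
    allowed = False
    for policy_json in policies:
        for stmt in _as_list(json.loads(policy_json)["Statement"]):
            if not _applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def diagnose(action="ec2:DescribeRegions"):
    """The situations from this thread. Anything but "Allow" surfaces as a 403."""
    both = [EC2_DESCRIBE_ALLOW, MFA_DENY]
    # Assumption (per AWS docs): with long-term access keys the MFA key is absent
    # from the request context; with session credentials it is "true" or "false".
    return {
        "no policy attached": evaluate([], action),
        "ec2:Describe* allow only": evaluate([EC2_DESCRIBE_ALLOW], action),
        "allow + MFA deny, long-term keys": evaluate(both, action),
        "allow + MFA deny, session without MFA":
            evaluate(both, action, context={"aws:MultiFactorAuthPresent": "false"}),
        "allow + MFA deny, MFA session":
            evaluate(both, action, context={"aws:MultiFactorAuthPresent": "true"}),
        # A Deny statement never grants anything: iam:* is merely excluded from it.
        "MFA deny only, iam action": evaluate([MFA_DENY], "iam:ListMFADevices"),
    }


if __name__ == "__main__":
    for case, result in diagnose().items():
        print(f"{case:40} -> {result}")
```

The first case is the asker's situation (no Allow at all, so implicit deny); the third is the MFA answer's (an Allow exists, but the BoolIfExists Deny matches because the MFA key is absent with long-term keys). Both come back from EC2 as the same 403 UnauthorizedOperation, which is why the error text alone does not tell you which one you are hitting; the IAM policy simulator in the console distinguishes them.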