Reputation: 630
I am trying to create a Firehose delivery stream from an EC2 micro instance.
The AWS CLI is configured with the access keys of an IAM user ABC. This user has AWS policies attached with full access to Firehose (policy copied below).
Still the stream creation fails with the error AccessDeniedException: iam user ABC not authorized to perform: firehose:CreateDeliveryStream on resource xxxx with an explicit deny
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "firehose:*",
                "firehose:CreateDeliveryStream"
            ],
            "Resource": [
                "arn:aws:firehose:us-east-1:<ACC_ID>:deliverystream/*",
                "arn:aws:firehose:us-east-1:<ACC_ID>:*",
                "arn:aws:firehose:*:<ACC_ID>:*",
                "arn:aws:firehose:*:<ACC_ID>:deliverystream/*"
            ]
        }
    ]
}
Do I need to add more permissions to this IAM user to allow it to create delivery streams?
Upvotes: 4
Views: 8948
Reputation: 630
I cross-checked all other policies attached to this user and apparently there was a Deny policy attached to this user which was explicitly denying the access. Removed this policy and it worked!
Upvotes: 4
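The precedence rule behind this fix (a matching Deny statement in any attached policy overrides every Allow), as an added example that is not part of the original posts. It is a simplified offline evaluator for identity-based policies only; the `evaluate` helper, the policy name `LegacyDeny`, and the account ID are constructed for illustration, and conditions, `NotAction`/`NotResource`, SCPs and permission boundaries are ignored.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case=False):
    # IAM wildcards are '*' and '?'; action names are case-insensitive, ARNs are not.
    if ignore_case:
        value = value.lower()
    for pattern in _as_list(patterns):
        pattern = pattern.lower() if ignore_case else pattern
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False

def evaluate(policies, action, resource):
    """Return (decision, names of the policies that decided it)."""
    allows, denies = [], []
    for name, doc in policies.items():
        for st in _as_list(doc["Statement"]):
            if "Action" not in st or "Resource" not in st:
                continue  # NotAction / NotResource are out of scope here
            if _matches(st["Action"], action, True) and _matches(st["Resource"], resource):
                (denies if st["Effect"] == "Deny" else allows).append(name)
    if denies:
        return "explicit deny", denies   # any matching Deny wins over every Allow
    if allows:
        return "allow", allows
    return "implicit deny", []           # nothing matched at all

# Constructed sample: the question's Allow policy plus a hypothetical Deny policy.
ACC = "111122223333"  # placeholder account ID
POLICIES = {
    "FirehoseFullAccess": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["firehose:*", "firehose:CreateDeliveryStream"],
        "Resource": [f"arn:aws:firehose:*:{ACC}:deliverystream/*"]}]},
    "LegacyDeny": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "firehose:Create*", "Resource": "*"}]},
}
ARN = f"arn:aws:firehose:us-east-1:{ACC}:deliverystream/test"

if __name__ == "__main__":
    print(evaluate(POLICIES, "firehose:CreateDeliveryStream", ARN))
    allow_only = {k: v for k, v in POLICIES.items() if k != "LegacyDeny"}
    print(evaluate(allow_only, "firehose:CreateDeliveryStream", ARN))
```

Feeding it the JSON of every policy attached to the user and their groups shows which document carries the matching Deny, which is the one to review when the error message ends in "with an explicit deny".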