Amazon Web Services (AWS) - Resolve "no identity-based policy allows the action"


Let's say something like this is being returned.

An error occurred (AccessDeniedException) when calling the ListSecrets operation: 
User: arn:aws:sts::123456789012:assumed-role/my-role/my-session is not authorized to perform: 
secretsmanager:ListSecrets because no identity-based policy allows the secretsmanager:ListSecrets action

 

I got this when attempting to list Amazon Web Services (AWS) Secrets from AWS Secrets Manager using Python boto3, for example, with something like this.

#!/usr/bin/python3
import boto3

client = boto3.client('secretsmanager')

# ListSecrets is the API call that fails with AccessDeniedException when the
# caller's role has no identity-based policy allowing secretsmanager:ListSecrets
secrets_dict = client.list_secrets(
  Filters=[
    {'Key': 'name', 'Values': ['my-secret']}
  ]
)

print(f"secrets_dict = {secrets_dict}")

 

Here are the most common reasons Access Denied is returned.

  • The resource does not have a Permission Policy that allows a User or Service access to the resource
  • The User attempting to access the resource does not have an Identity-Based Permission Policy that allows the user access to the resource
  • The Service attempting to access the resource does not have a Resource-Based Permission Policy that allows the service access to the resource
  • The User attempting to access the resource Assumed a Role but the Role does not have a Trust Policy that allows the user to assume the role
  • The User attempting to access the resource Assumed a Role but the Role does not have a Permission Policy that allows the user to access the resource
  • The Permission Policy associated with the resource does not allow certain Actions, such as s3:ListObjects

 

The user attempting to list secrets may not have a Permission Policy or Trust Policy that allows access to list secrets - check out my article Permission Policy vs Trust Policy

The aws iam list-roles command can be used to display the role, including its trust policy. In this example, the trust policy shows that user johndoe is allowed to assume my-role.

~]$ aws iam list-roles --query 'Roles[?RoleName==`my-role`]'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/johndoe"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

 

And then the aws iam list-attached-role-policies command can be used to list the policies attached to the role. In this example, no policies are attached to the role, which is why Access Denied is being returned when attempting to list secrets.

~]$ aws iam list-attached-role-policies --role-name my-role
{
    "AttachedPolicies": []
}

 

The aws iam attach-role-policy command can be used to attach a policy to the role. This should resolve the Access Denied error.

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/SecretsManagerReadWrite --role-name my-role
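As an added example that is not part of this article, the script below reproduces the diagnostic steps in Python boto3 and adds a simplified check of whether the policies collected from a role allow a specific action, so the exact missing permission (here secretsmanager:ListSecrets) can be named before attaching a broad managed policy such as SecretsManagerReadWrite. The role_policy_documents helper and action_allowed function are my own, and the SECRETS_READ_POLICY document is a constructed sample.

```python
#!/usr/bin/python3
import fnmatch

# Constructed sample identity-based policy (not from the article) that grants
# the action named in the error message but nothing else.
SECRETS_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["secretsmanager:ListSecrets", "secretsmanager:GetSecretValue"]}
    ],
}

def _as_list(value):
    # IAM accepts either a single string or a list for Statement and Action
    return value if isinstance(value, list) else [value]

def action_allowed(policy_documents, action):
    """Simplified identity-based evaluation: an explicit Deny on a matching action wins,
    otherwise any Allow whose Action pattern matches permits it. IAM action matching is
    case-insensitive with * and ? wildcards; Resource, Condition and NotAction are ignored."""
    allowed = False
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement", [])):
            patterns = _as_list(stmt.get("Action", []))
            if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                continue
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed

def role_policy_documents(role_name, iam=None):
    """Hypothetical helper: collect every managed and inline policy attached to a role,
    the boto3 equivalent of 'aws iam list-attached-role-policies' plus the inline policies."""
    import boto3  # imported lazily so the evaluation above also runs without AWS access
    iam = iam or boto3.client("iam")
    docs = []
    for pol in iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]:
        version = iam.get_policy(PolicyArn=pol["PolicyArn"])["Policy"]["DefaultVersionId"]
        docs.append(iam.get_policy_version(PolicyArn=pol["PolicyArn"],
                                           VersionId=version)["PolicyVersion"]["Document"])
    for name in iam.list_role_policies(RoleName=role_name)["PolicyNames"]:
        docs.append(iam.get_role_policy(RoleName=role_name, PolicyName=name)["PolicyDocument"])
    return docs

if __name__ == "__main__":
    # Offline check with the constructed policy; use role_policy_documents("my-role") for a real role
    print(action_allowed([SECRETS_READ_POLICY], "secretsmanager:ListSecrets"))  # True
```

An empty list, which is what the article's role returned, yields False for every action, matching the AccessDeniedException in the error message.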
