10
votes

I am trying to get started with the AWS CLI on OSX. I installed aws via pip. I have created a new user in IAM and attached the pre-built AdministratorAccess AWS Managed policy. Next, I copied the Access Key ID and the Secret Access Key that were generated.

The user I created is not in any groups. Their policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Next, I ran aws configure from the command line, and entered the access key and secret key that I copied, plus a region code of eu-west-1 (which seems unlikely to be relevant since IAM users are global), and an output format of text.

Then I have tried running a simple test command to set up a new group:

$  aws ec2 create-security-group --group-name my-sg --description "My security group" --debug

However, this fails with the following error:

A client error (UnauthorizedOperation) occurred when calling the CreateSecurityGroup operation: You are not authorized to perform this operation.

Other commands fail in the same way.

My only theory is that it's a copy and paste error in the keys, but I've tried doing the whole process above twice and failed in the same way both times. What am I doing wrong? Is there a way I can debug which part of the process is failing?

3
When doing aws configure it's telling the AWS CLI which region to operate in. Users are global. But security group resources are specific to a region. – Matt Houser
The error you are getting is not a copy/paste issue. It's a permissions error. The credentials you are using with the CLI do not have permissions to create security groups. If the access key/secret were bad, you would get another error. – Matt Houser
After you applied the policy to your user, how long did you wait before executing the command? Sometimes it takes a few minutes for the permission changes to propagate through the system. – Matt Houser
@MattHouser thanks! It's good to know that it's not a copy/paste error. I've just tried again after 15 mins and am still getting the same error. – Richard
Does your user require an MFA? – Matt Houser

3 Answers

8
votes

Your AWS CLI is getting credentials from somewhere else. See Configuration Settings and Precedence

Make sure it is not getting the credentials from environment variables or from other locations. The AWS CLI looks for credentials and configuration settings in the following order:

  • Command Line Options – region, output format and profile can be specified as command options to override default settings.
  • Environment Variables – AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc.
  • The AWS credentials file – located at ~/.aws/credentials on Linux, OS X, or Unix, or at C:\Users\USERNAME\.aws\credentials on Windows. This file can contain multiple named profiles in addition to a default profile.
  • The CLI configuration file – typically located at ~/.aws/config on Linux, OS X, or Unix, or at C:\Users\USERNAME\.aws\config on Windows. This file can contain a default profile, named profiles, and CLI specific configuration parameters for each.
  • Instance profile credentials – these credentials can be used on EC2 instances with an assigned instance role, and are delivered through the Amazon EC2 metadata service.
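The precedence order above can be checked offline before touching the account. The following is an added example, not code from this answer or from the AWS CLI: it mimics the CLI's static-credential resolution over a constructed environment and constructed credentials/config files, so you can see which access key id the CLI would actually send. The file contents, key ids and the admin profile are placeholders.

```python
import configparser
from typing import Mapping, Optional, Tuple

# Constructed sample inputs: stale keys still exported in the shell, plus the
# files written by `aws configure`. Key ids are placeholders, not real credentials.
SAMPLE_ENV = {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLEOLDKEY",
              "AWS_SECRET_ACCESS_KEY": "old-secret-placeholder"}
SAMPLE_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLENEWKEY
aws_secret_access_key = new-secret-placeholder
"""
SAMPLE_CONFIG = """
[default]
region = eu-west-1
output = text
[profile admin]
aws_access_key_id = AKIAEXAMPLEADMINKEY
aws_secret_access_key = admin-secret-placeholder
"""

def resolve_credentials(env: Mapping[str, str], credentials_text: str,
                        config_text: str, profile: Optional[str] = None
                        ) -> Tuple[str, Optional[str]]:
    """Return (source, access_key_id) for the credentials the CLI would use."""
    # Environment credentials beat every file-based profile, unless a profile was
    # named explicitly on the command line, in which case the CLI skips them.
    if profile is None and env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment variables", env["AWS_ACCESS_KEY_ID"]
    # --profile beats AWS_PROFILE, which beats the "default" profile.
    name = profile or env.get("AWS_PROFILE") or "default"
    # ~/.aws/credentials uses bare section names: [default], [admin].
    creds = configparser.ConfigParser()
    creds.read_string(credentials_text)
    if creds.has_option(name, "aws_access_key_id"):
        return f"credentials file [{name}]", creds.get(name, "aws_access_key_id")
    # ~/.aws/config prefixes non-default profiles: [profile admin].
    section = "default" if name == "default" else f"profile {name}"
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    if cfg.has_option(section, "aws_access_key_id"):
        return f"config file [{section}]", cfg.get(section, "aws_access_key_id")
    # Nothing static matched: the CLI falls through to instance-profile
    # credentials (only present on EC2) or fails with a missing-credentials error.
    return "instance profile or none", None

def uses_expected_key(resolved: Tuple[str, Optional[str]], expected_key_id: str) -> bool:
    """True when the resolved key is the one just created in IAM."""
    return resolved[1] == expected_key_id

if __name__ == "__main__":
    source, key = resolve_credentials(SAMPLE_ENV, SAMPLE_CREDENTIALS, SAMPLE_CONFIG)
    print(f"{source}: {key}")  # the stale exported key wins over ~/.aws/credentials
```

`aws configure list` reports the same resolution from the CLI itself; compare the access key it shows with the one you created in IAM.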

6
votes

In my case this was caused by not having the correct policy attached to the IAM user I was authenticating with.

Attach the AmazonEC2FullAccess policy to the user in the IAM Management Console and the command should work.

0
votes

Make sure you are not creating the security group in a VPC; if that is the case, you need to pass the default VPC ID as a parameter.

Also try this with different regions:

aws configure set region <regions>
aws ec2 describe-security-groups

NOTE: AWS has started providing default VPCs in most of the regions.

Hope this helps and resolves your issue.