
I have created a custom IAM policy to have read access to load balancers, but I am getting this error:

An error occurred fetching load balancer data: User: arn:aws:iam::000000000000:user/xxxxxxxx is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers

Below is the policy.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "elasticloadbalancing:Describe*"
    ],
    "Resource": "arn:aws:elasticloadbalancing:us-west-2:000000000000:loadbalancer/*"
  }]
}

Please, someone help with this.


Thanks

Sreekanth


2 Answers

Generally speaking, the Describe* actions do not support resource-level permissions.

For Describe* actions, you need to use * as your resource; otherwise, the commands will fail as not permitted.

Documentation and more information: http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html#elb-resource-level-permissions

Matt Houser

Here is the solution I figured out. Below are the policies.

Read only AWS LB Access Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:Describe*"
            ],
            "Resource": "*"
        }
    ]
}
Sreekanth Sagar
  • Allowing `Describe*` will not allow `Delete*`. This is not how IAM policies work. Such a deny policy is not required. IAM policies are "deny by default". So unless there is an allow statement for `Delete*`, it won't be permitted. The exception is if there is **another** policy or Managed Policy applied to the user or load balancer that is allowing `Delete*`. – Matt Houser Aug 28 '16 at 17:01
  • No, I have two more policies attached to the user. I can post them in some time. – Sreekanth Sagar Aug 28 '16 at 17:03
  • Policy1..... { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:Region": "us-west-2" } } } ] } – Sreekanth Sagar Aug 28 '16 at 17:05
  • Policy2.....{ "Version": "2012-10-17", "Statement": [ { "Sid": "ECUnrestricted", "Effect": "Allow", "Action": [ "elasticache:Describe*", "elasticache:List*" ], "Resource": "*" } ] } – Sreekanth Sagar Aug 28 '16 at 17:07
  • None of these policies will allow change/delete on an ELB. My statement still stands: the deny policy is not required. – Matt Houser Aug 28 '16 at 17:11
  • Sorry, you are correct. There was one more policy which was allowing it. I figured it out. Thanks. I am editing my answer. – Sreekanth Sagar Aug 28 '16 at 17:12
  • @MattHouser Can you also help me on this? I have created a second VPC in AWS which is not the default VPC we know. I have three subnets in that second VPC. The issue is that when I try to launch an EC2 instance in the second VPC I am not getting the "No preference (default subnet in any Availability Zone)" option in the Subnet select column. I have to choose one of the three subnets in the VPC. I am not sure if I missed anything while creating the secondary VPC or subnets, as I am getting the "No preference (default subnet in any Availability Zone)" option when I choose the default subnet. – Sreekanth Sagar Aug 28 '16 at 17:18
  • Ask your new question as a new question on ServerFault. – Matt Houser Aug 28 '16 at 17:42
  • Did. http://serverfault.com/questions/799621/aws-non-default-vpc-issue – Sreekanth Sagar Aug 28 '16 at 17:59
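The two rules behind the first answer and the comment thread (ELB Describe* calls are evaluated against the resource "*" because they have no resource-level permissions, and IAM is deny-by-default unless some statement allows the action) as a small, offline policy evaluator. This is an added example, not code from the thread or from AWS; the policies and the load balancer name "web" are constructed to mirror the question and the accepted fix.

```python
"""Added example (not from the page or AWS): a minimal evaluator for the
IAM rules discussed in the thread. It models deny-by-default, explicit Deny
overriding Allow, and the fact that ELB Describe* calls, which have no
resource-level permissions, are evaluated against the resource "*"."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    return fnmatch.fnmatchcase(value, pattern)


def statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request."""
    return (any(_match(a, action) for a in _as_list(stmt["Action"]))
            and any(_match(r, resource) for r in _as_list(stmt["Resource"])))


def is_allowed(policies, action, resource):
    """Deny unless some statement allows; any matching Deny wins outright."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed policies mirroring the question's ARN-scoped statement and
# the accepted fix that uses "*" as the resource.
ELB_ARN = "arn:aws:elasticloadbalancing:us-west-2:000000000000:loadbalancer/*"
ARN_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*",
     "Resource": ELB_ARN}]}
STAR_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticloadbalancing:Describe*",
     "Resource": "*"}]}

# ELB Describe* supports no resource-level permissions, so the request
# resource is "*" rather than a load balancer ARN; a Delete request names one.
DESCRIBE = ("elasticloadbalancing:DescribeLoadBalancers", "*")
DELETE = ("elasticloadbalancing:DeleteLoadBalancer",
          "arn:aws:elasticloadbalancing:us-west-2:000000000000:loadbalancer/web")

if __name__ == "__main__":
    print("ARN-scoped policy, Describe:", is_allowed([ARN_SCOPED], *DESCRIBE))  # False
    print("'*' policy, Describe:", is_allowed([STAR_SCOPED], *DESCRIBE))        # True
    print("'*' policy, Delete:", is_allowed([STAR_SCOPED], *DELETE))            # False
```

The first call reproduces the question's failure: the request resource "*" never matches an ARN pattern, so the ARN-scoped Allow does not apply and the default Deny stands.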