2

If I log in to an EC2 instance and try to issue the command

aws glacier list-vaults --account-id ######

I get an error that the user doesn't have permission. I was able to give the IAM users the right permissions and it works perfectly from the local machine, but it doesn't work from within the EC2 instance.

Where do I add the permission? Who is the actual user that issues the command from within an EC2 instance (for example, "aws s3" commands work without a problem)?

Eden

1 Answer

-1

If some other AWS CLI commands do work for you, the most likely reason is that there is an Instance Profile attached to the instance.

Instance profiles are created from EC2 roles. To find out which IAM role is used for the profile, use

aws sts get-caller-identity --query Arn

The output looks like this:

"arn:aws:sts::$accountID:assume-role/$rolename/$instanceID"

where $instanceID is the name of the IAM role you are looking for. You need to add the IAM permission glacier:ListVaults to this role.

M. Glatki
  • 1
    Thanks. I added the permission to the role and it worked. – Eden Jul 24 '18 at 06:27
  • Did not help, the user returned from sts command has full glacier:* policy on * resources, but the issue with list-vaults on CLI access is still the same – Ivan Borshchov Jan 20 '23 at 11:07
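
An added example, not part of the question, the answer or the comments: a shell sketch of the check the answer describes, turning the ARN printed by aws sts get-caller-identity into the principal that needs glacier:ListVaults. With instance-profile credentials the resource part of the ARN has the form assumed-role/<role name>/<session name>, where the session name is the instance ID. The sample ARNs, the role and user names, and the policy name GlacierListVaults are constructed for illustration.

```shell
#!/usr/bin/env bash
# Input: the ARN from `aws sts get-caller-identity --query Arn --output text`.

# Print "<kind> <name>" for a caller ARN; kind is role, user or unknown.
principal_from_arn() {
    local arn=$1 resource
    # The resource part is everything from the 6th colon-separated field on.
    resource=$(printf '%s' "$arn" | cut -d: -f6-)
    case "$resource" in
        assumed-role/*/*)
            # assumed-role/<role name>/<session name>
            printf 'role %s\n' "$(printf '%s' "$resource" | cut -d/ -f2)" ;;
        user/*)
            # Long-lived IAM user keys; an optional path precedes the name.
            printf 'user %s\n' "${resource##*/}" ;;
        *)
            printf 'unknown %s\n' "$resource"; return 1 ;;
    esac
}

# Minimal inline policy that allows the failing call.
list_vaults_policy() {
    printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"glacier:ListVaults","Resource":"*"}]}'
}

# Print (do not run) the IAM command that grants the permission.
grant_command() {
    local kind name
    read -r kind name <<EOF
$(principal_from_arn "$1")
EOF
    case "$kind" in
        role) echo "aws iam put-role-policy --role-name $name --policy-name GlacierListVaults --policy-document '$(list_vaults_policy)'" ;;
        user) echo "aws iam put-user-policy --user-name $name --policy-name GlacierListVaults --policy-document '$(list_vaults_policy)'" ;;
        *)    echo "cannot map $1 to a role or user" >&2; return 1 ;;
    esac
}

# Constructed sample ARNs (account ID, names and instance ID are made up).
SAMPLE_INSTANCE_ARN='arn:aws:sts::123456789012:assumed-role/backup-ec2-role/i-0123456789abcdef0'
SAMPLE_USER_ARN='arn:aws:iam::123456789012:user/eden-laptop'
grant_command "$SAMPLE_INSTANCE_ARN"
grant_command "$SAMPLE_USER_ARN"
```

Run the same lookup on the local machine and on the instance: a user ARN in one place and an assumed-role ARN in the other means the two are authenticated as different principals, each with its own policies.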