
I have set up an organisation hierarchy and added a policy to allow acm and acm-pca. However, I'm getting an error:

com.amazon.coral.service.InternalFailure

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:*",
                "acm-pca:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Is there any Action that I've missed for allowing certificate requests?

kk.
  • Seems like some internal failure from AWS, did retry help? – James Dean May 30 '19 at 16:27
  • It's definitely not an internal failure from AWS. I've changed Action to `"*"` and it works. It seems that some service is missing from this policy. Note, I've created this policy using AWS policy generator web interface. – kk. May 30 '19 at 16:29
  • hmm, per the docs acm:* and acm-pca:* should work as well; permission issues generally give access denied. Glad that it works after * – James Dean May 30 '19 at 16:38
  • Maybe `route53:*` for domain authentication? You can try adding all the services and removing them one-by-one until it fails. It might be easier to script this rather than running manually. – kichik May 30 '19 at 19:02
  • @kichik added `route53:*` still the same problem. – kk. May 31 '19 at 09:07

1 Answer


I've written up a full solution here, but to summarise, this is indeed a permissions issue.

You need to add kms:CreateGrant to your Organization or IAM user to have this work.
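The asker's policy with the answer's kms:CreateGrant added, as an added example rather than the asker's or answerer's own text; it assumes the policy is an allow-list SCP in the same shape as the one in the question (Allow statements in an SCP use "Resource": "*"), and the Sid is a constructed label:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCertificateServices",
            "Effect": "Allow",
            "Action": [
                "acm:*",
                "acm-pca:*",
                "kms:CreateGrant"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

ACM protects certificate private keys with a KMS key and creates grants on it, which is why the certificate request fails when the SCP allows only the acm and acm-pca namespaces.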