
I'm having trouble using the AWS Toolkit for Visual Studio to deploy a lambda function.

This is the error I'm getting: [image]

But I am a global admin and am able to see and access everything through the AWS UI. I think this may be a programmatic access issue, but where do I check or look?

Here are all my current permissions and groups on AWS: [image] [image]

How do I successfully use the AWS toolkit for Visual Studio with my admin account (I understand after getting this working, I probably want to back off the permissions - but that's a separate best practice)? One thing I'm certain of is that I'm using the correct Access key ID and Secret access key, so that itself isn't an issue, sounds like a permissions thing to me.

Thank you!

Thomas
  • What is in your `Force_MFA` policy? How have you provided the credentials (is it just via the `.aws/credentials` file)? Can you create a bucket from the AWS CLI on the same computer (eg `aws s3 mb foo`)? – John Rotenstein Sep 15 '20 at 21:57
  • Force_MFA seems to be built in, the description says: `This policy allows users to manage their own passwords and MFA devices but nothing else unless they authenticate with MFA`. I provided the credentials through that AWS Toolkit UI, and I checked it looks like it got saved to `.aws/credentials`. I tried `aws s3 ls` through the cli and also got `An error occurred (AccessDenied) when calling the ListBuckets operation: AccesDenied` – Thomas Sep 15 '20 at 22:06
  • Okay! That was a really good catch. I removed the `Force_MFA` policy and tried `aws s3 ls` and that appeared to work and give me a list of all the buckets. Thank you! – Thomas Sep 15 '20 at 22:09

1 Answer


It appears that you have a policy named Force_MFA.

If this policy is requiring users to authenticate with an MFA, then the AWS CLI will not be able to correctly authenticate. You would either need to remove this policy, or use GetSessionToken() to provide an MFA value and then use the returned credentials with the AWS CLI.

John Rotenstein
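The second option in the answer above (calling GetSessionToken with an MFA code, then giving the returned credentials to the AWS CLI), as an added example that is not part of the original answer. The function names and the one-hour duration are assumptions; the MFA device ARN is the one assigned to the IAM user.

```shell
# Added example (not from the original answer). Source this file, then run:
#   mfa_login <mfa-device-arn> <6-digit-code>
TAB=$(printf '\t')

# Parse "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken" and export the
# temporary credentials into the current shell. Returns 1, exporting
# nothing, if any of the three fields is missing.
set_session_env() {
    IFS=$TAB read -r _k _s _t <<EOF
$1
EOF
    if [ -z "$_k" ] || [ -z "$_s" ] || [ -z "$_t" ]; then
        unset _k _s _t
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$_k" AWS_SECRET_ACCESS_KEY="$_s" AWS_SESSION_TOKEN="$_t"
    unset _k _s _t   # do not leave copies in plain shell variables
}

mfa_login() {
    # Reject anything that is not a 6-digit code before calling AWS.
    case "$2" in
        [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "token code must be 6 digits" >&2; return 2 ;;
    esac
    # GetSessionToken must be signed with the long-term keys, so drop any
    # earlier session from the environment and let the CLI fall back to
    # the keys stored in ~/.aws/credentials.
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    _out=$(aws sts get-session-token \
        --serial-number "$1" --token-code "$2" \
        --duration-seconds 3600 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || return 1
    set_session_env "$_out"; _rc=$?
    unset _out
    return $_rc
}
```

After `mfa_login` succeeds, commands such as `aws s3 ls` in the same shell are signed with the MFA-backed session until it expires, at which point `mfa_login` has to be run again with a fresh code.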