
Whenever I run a command to get DeviceFarm projects or schedule a run, I get errors stating that I do not have permissions to run the commands and that there is an explicit deny on my user.

I am in the role settings and cannot find any policy to add to enable me to run these commands.

What policy do I need to add?

The command: `aws devicefarm schedule-run <options>`

The error: `User: arn:<user arn> is not authorized to perform: devicefarm:ScheduleRun on resource: <resource arn> with an explicit deny`

pnizzle
  • Please Edit your question to show the commands that are failing and the _exact_ error message. – John Rotenstein Jul 29 '21 at 00:03
  • @JohnRotenstein I've added requested details – pnizzle Jul 29 '21 at 00:08
  • Normally, I would say that you could add the `AWSDeviceFarmFullAccess` policy on your IAM User, but the **explicit** deny suggests that something is intentionally prohibiting such access. Are you using an AWS Account that is part of an AWS Organizations hierarchy? If so, it is possible that a [Service control policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) is blocking use of the Device Farm service in the account. – John Rotenstein Jul 29 '21 at 00:11
  • @JohnRotenstein I already have AWSDeviceFarmFullAccess listed on my role. And yes, device farm as part of a bigger aws suite of stuff. – pnizzle Jul 29 '21 at 00:22
  • If your account is a sub-account within AWS Organizations, please talk with your company's AWS administrators to check whether any SCPs are blocking your use of Device Farm. – John Rotenstein Jul 29 '21 at 00:26
  • @JohnRotenstein will do and let you know – pnizzle Jul 29 '21 at 00:26
  • @JohnRotenstein is there a way to specify what role to use as part of the command? – pnizzle Jul 29 '21 at 00:28
  • An IAM Role needs to be 'assumed' rather than 'passed' to a command. If you have permission to assume a role, you can add it to the AWS CLI configuration file and it will assume the role for you. See: [Using an IAM role in the AWS CLI - AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html) – John Rotenstein Jul 29 '21 at 00:50
  • @JohnRotenstein can you add the details about "adding devicefarm policy and something else causing my issue" as an answer so I can mark it as correct please? – pnizzle Aug 15 '21 at 22:34

2 Answers

Precede your commands with sudo. That will enable you to run the commands with an elevated privilege and you should not encounter some of the challenges you are encountering.

Charles

Normally, I would say that you could add the AWSDeviceFarmFullAccess policy on your IAM User, but the explicit deny suggests that something is intentionally prohibiting such access.

If you are using an AWS Account that is part of an AWS Organizations hierarchy, it is possible that a Service control policy is blocking use of the Device Farm service in the account.

John Rotenstein
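
An added example, not part of the original answer: a simplified Python model of IAM policy evaluation, showing why the explicit deny persists even with `AWSDeviceFarmFullAccess` attached when a service control policy denies Device Farm. The policy bodies, the SCP name `ExampleDenyDeviceFarm` and the ARN are constructed for illustration; conditions, `NotAction` and permission boundaries are not modelled.

```python
import re

def _match(pattern, value, flags=0):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _hits(policy, effect, action, resource):
    # True if any statement with this Effect covers the action (case-insensitive) and resource.
    return any(
        st["Effect"] == effect
        and any(_match(a, action, re.IGNORECASE) for a in _as_list(st["Action"]))
        and any(_match(r, resource) for r in _as_list(st["Resource"]))
        for st in _as_list(policy["Statement"]))

def evaluate(action, resource, identity_policies, scps):
    """Return (decision, reason) for one request; both arguments map name -> policy."""
    # 1. An explicit Deny in any applicable policy overrides every Allow.
    for name, policy in {**identity_policies, **scps}.items():
        if _hits(policy, "Deny", action, resource):
            return "explicit deny", name
    # 2. SCPs only filter: the request needs an Allow from an SCP and from an identity policy.
    for group, label in ((scps, "SCP"), (identity_policies, "identity policy")):
        if not any(_hits(p, "Allow", action, resource) for p in group.values()):
            return "implicit deny", "no Allow in any " + label
    return "allow", None

# Constructed sample data: stand-in policy bodies, a hypothetical SCP name, a placeholder ARN.
IDENTITY = {"AWSDeviceFarmFullAccess": {"Statement": [
    {"Effect": "Allow", "Action": "devicefarm:*", "Resource": "*"}]}}
FULL_ACCESS_SCP = {"FullAWSAccess": {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}
DENY_SCP = {"ExampleDenyDeviceFarm": {"Statement": [
    {"Effect": "Deny", "Action": "devicefarm:*", "Resource": "*"}]}}
ARN = "arn:aws:devicefarm:us-west-2:111122223333:project:EXAMPLE"

if __name__ == "__main__":
    for scps in (FULL_ACCESS_SCP, {**FULL_ACCESS_SCP, **DENY_SCP}):
        print(sorted(scps), "->", evaluate("devicefarm:ScheduleRun", ARN, IDENTITY, scps))
```

The deny is reported against the SCP rather than the identity policy, which is why the fix has to come from whoever administers the organization and not from attaching more policies to the role.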