
I have an S3 bucket that I'm trying to back up via AWS Backup. Due to its configuration to deny access to everyone but a handful of users, I'm getting the Access denied error (when trying to run the backup in AWS Backup). Following this article, I figured I have to add the Backup role (in my case the AWSBackupDefaultAccessRole) ID, as well as the userId, to the list of "aws:userId"s in the Statement condition. I am, however, having a problem retrieving the Role ID via aws-cli, specifically getting the following error:

An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:iam::111111111111:user/sample-user is not authorized to perform: iam:GetRole on resource: role AWSBackupDefaultServiceRole with an explicit deny in an identity-based policy

(using the command:)

aws iam get-role --role-name AWSBackupDefaultServiceRole

I have admin privileges, so I should have access to everything. I added all necessary policies to the Role to be able to do the Backup (it worked completely fine on a different bucket). I tried adding the following line

"AWS": "arn:aws:iam::111111111111:user/sample-user"

into the Principals of the Trust Relationships of the Role, but with no success. I can't seem to locate the "explicit deny" that I don't seem to have allowed yet.

What am I doing wrong?

  • Well, after some more googling, I finally figured out the issue: My user was a part of more (permission) groups, one being a Superadmin (which I've gotten only recently) and one being a Developer group with more restricted access. I thought that the Superadmin group would overwrite the Developer group, granting me access to all resources, but I've learned that the opposite is the case: at least for the aws-cli purposes, the Developer group had overwritten the SA group, meaning that I lacked the get-role permissions and simply didn't have the required permissions to access the role. – Konrád Krajíc Oct 02 '22 at 21:18
  • I came across your comment after over half a day of searching! Thank you - it helped me resolve my problem! – Gavin Nov 25 '22 at 22:15

1 Answer


Well, after some more googling, I finally figured out the issue: My user was a part of more (permission) groups, one being a Superadmin (which I've gotten only recently) and one being a Developer group with more restricted access. I thought that the Superadmin group would overwrite the Developer group, granting me access to all resources, but I've learned that the opposite is the case: at least for the aws-cli purposes, the Developer group had overwritten the SA group, meaning that I lacked the get-role permissions and simply didn't have the required permissions to access the role.
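As an added illustration of the rule behind this answer (not code from the post or from AWS): a small simulation of how IAM combines the identity policies attached to a user's groups, where a single explicit Deny in the Developer group's policy beats the Superadmin group's Allow on everything. The two policies, the account number and the role ARN are constructed for the example.

```python
import fnmatch

# Constructed sample policies (not taken from the post): one group allows everything,
# the other carries an explicit Deny on iam:GetRole.
SUPERADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "iam:ListRoles"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:GetRole", "iam:PassRole"], "Resource": "*"},
    ],
}

ROLE_ARN = "arn:aws:iam::111111111111:role/AWSBackupDefaultServiceRole"  # constructed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # IAM matches Action and Resource with '*' and '?' wildcards; action names are
    # compared case-insensitively, resource ARNs are not.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Simplified identity-policy evaluation for one principal (no resource policies,
    no conditions): any matching explicit Deny wins over every Allow; with no matching
    statement at all the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, True)
                    and _matches(stmt["Resource"], resource, False)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # short-circuit: nothing can override this
            allowed = True
    return "allowed" if allowed else "implicitDeny"


def superadmin_and_developer():
    # Member of both groups, as in the question: the Developer Deny wins.
    return evaluate([SUPERADMIN_POLICY, DEVELOPER_POLICY], "iam:GetRole", ROLE_ARN)


def superadmin_only():
    return evaluate([SUPERADMIN_POLICY], "iam:GetRole", ROLE_ARN)
```

Against a real account the equivalent check is `aws iam simulate-principal-policy --policy-source-arn <user-arn> --action-names iam:GetRole`, which reports `explicitDeny` together with the statement that caused it.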