I have an S3 bucket that I'm trying to back up via AWS Backup. Due to its configuration, which denies access to everyone but a handful of users, I'm getting the Access Denied error (when trying to run the backup in AWS Backup). Following this article, I figured I have to add the Backup role ID (in my case the AWSBackupDefaultAccessRole), as well as the userId, to the list of "aws:userId"s in the Statement condition. I am, however, having a problem retrieving the Role ID via aws-cli, specifically getting the following error:
An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:iam::111111111111:user/sample-user is not authorized to perform: iam:GetRole on resource: role AWSBackupDefaultServiceRole with an explicit deny in an identity-based policy
(using the command:)
aws iam get-role --role-name AWSBackupDefaultServiceRole
I have admin privileges, so I should have access to everything. I added all the necessary policies to the Role to be able to do the backup (it worked completely fine on a different bucket). I tried adding the following line
"AWS": "arn:aws:iam::111111111111:user/sample-user"
into the Principals of the Trust Relationships of the Role, but with no success. I can't seem to locate the "explicit deny" that I don't seem to have allowed yet.
What am I doing wrong?
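The bucket-policy pattern the question refers to (a Deny on everyone whose aws:userId is not in an allow-list), as an added example that is not part of the original post. It renders the policy from a role's unique ID and a user's unique ID, and shows the detail that matters for a role: at request time a role session's aws:userId is "RoleId:session-name", so the role entry needs a trailing ":*" and the condition must be StringNotLike rather than StringNotEquals, or the backup role is locked out along with everyone else. The bucket name, account number, AROA/AIDA ids and the session name are constructed placeholders; the lookup function at the end is the live aws-cli lookup and is not run by the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Renders a bucket policy that
# denies s3:* to every principal whose aws:userId is not on the allow-list.
# Bucket name, account id and the AROA/AIDA ids used below are constructed.

# $1 bucket, $2 account id, $3 role unique id (AROA...), $4 user unique id (AIDA...)
# The account id is kept on the list so the root user cannot lock itself out.
render_bucket_policy() {
  bucket=$1; account=$2; role_id=$3; user_id=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllButBackupRoleAndAdmin",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::${bucket}",
        "arn:aws:s3:::${bucket}/*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "${role_id}:*",
            "${user_id}",
            "${account}"
          ]
        }
      }
    }
  ]
}
EOF
}

# Mimics StringLike matching of one allow-list entry ($2) against the
# aws:userId seen at request time ($1): '*' and '?' are wildcards.
# Returns 0 on match, 1 otherwise.
userid_matches() {
  case "$1" in
    $2) return 0 ;;
    *)  return 1 ;;
  esac
}

# Live lookup of the two ids. iam:GetRole is exactly the call the post's
# user is denied; sts get-caller-identity needs no IAM permission at all and
# prints the UserId value the condition will actually see for the caller.
lookup_ids() {
  aws iam get-role --role-name "$1" --query Role.RoleId --output text
  aws sts get-caller-identity --query UserId --output text
}

# Demonstration with constructed ids; makes no AWS calls.
render_bucket_policy my-bucket 111111111111 AROAEXAMPLEID AIDAEXAMPLEID
session_userid="AROAEXAMPLEID:AWSBackup-ExampleSession"   # constructed role-session userId
if userid_matches "$session_userid" "AROAEXAMPLEID:*"; then
  echo "role session is matched by the wildcard entry"
fi
if ! userid_matches "$session_userid" "AROAEXAMPLEID"; then
  echo "without ':*' (or with StringNotEquals) the role session would be denied"
fi
```

Running `lookup_ids AWSBackupDefaultServiceRole` as a caller who is allowed iam:GetRole gives the AROA value to paste into the first list entry; running `aws sts get-caller-identity` as the user who should keep access gives the AIDA value for the second.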