
I have created a custom IAM policy to give read access to the load balancer, but I am getting this error:

An error occurred fetching load balancer data: User: arn:aws:iam::000000000000:user/xxxxxxxx is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers

Below is the policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:Describe*"
            ],
            "Resource": "arn:aws:elasticloadbalancing:us-west-2:000000000000:loadbalancer/*"
        }
    ]
}

Please, someone help with this.


Thanks

Sreekanth

2 Answers


Generally speaking, the Describe* actions do not support resource-level permissions.

For Describe* actions, you need to use * as your resource, otherwise, the commands will fail as not permitted.

Documentation and more information: http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html#elb-resource-level-permissions
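As an added example (not from either answer), a small Python linter that applies the rule above to a policy document: it flags an Allow statement that matches ELB Describe* actions but scopes Resource to an ARN, rejects malformed JSON such as a trailing comma in the Action array, and reports whether the policy also permits a mutating action, which is the point raised in the comments about a deny statement being unnecessary. The sample policies are constructed from the ones on this page; the action names come from the error message and the comments.

```python
import fnmatch
import json

# The action named in the question's error message, plus one mutating action
# used to confirm that a "read-only" policy really grants no writes.
READ_ACTION = "elasticloadbalancing:DescribeLoadBalancers"
WRITE_ACTION = "elasticloadbalancing:DeleteLoadBalancer"


def _as_list(value):
    """IAM accepts a string, a list, or (for Statement) a single object."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def lint_policy(policy_text):
    """Return findings for one IAM policy document (constructed checker, not an AWS tool).

    Encodes the rule from the linked docs: ELB Describe* actions do not support
    resource-level permissions, so an Allow scoped to an ARN never matches.
    """
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # IAM is deny by default: only Allow statements grant anything
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(fnmatch.fnmatchcase(READ_ACTION, a) for a in actions) and "*" not in resources:
            findings.append(f'{READ_ACTION} is scoped to {resources}; Describe* needs Resource "*"')
        if any(fnmatch.fnmatchcase(WRITE_ACTION, a) for a in actions):
            findings.append(f"{WRITE_ACTION} is also allowed; the policy is not read-only")
    return findings


# Constructed samples: the question's policy, the fix from the accepted answer,
# the same with a stray trailing comma, and an over-broad one for the write check.
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["elasticloadbalancing:Describe*"],
    "Resource": "arn:aws:elasticloadbalancing:us-west-2:000000000000:loadbalancer/*"}]})
FIXED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["elasticloadbalancing:Describe*"], "Resource": "*"}]})
BROKEN = FIXED.replace('"]', '",]')  # trailing comma inside the Action array
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, doc in [("scoped", SCOPED), ("fixed", FIXED), ("broken", BROKEN), ("broad", BROAD)]:
        print(name, lint_policy(doc) or ["ok"])
```

Against a live account, the authoritative check is the policy simulator, e.g. `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names elasticloadbalancing:DescribeLoadBalancers`, which evaluates the document the way IAM would.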


Here is the solution I figured out. Below is the policy.

Read only AWS LB Access Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:Describe*"
            ],
            "Resource": "*"
        }
    ]
}

  • Allowing Describe* will not allow Delete*. This is not how IAM policies work. Such a deny policy is not required. IAM policies are "deny by default". So unless there is an allow statement for Delete*, it won't be permitted. The exception is if there is another policy or Managed Policy applied to the user or load balancer that is allowing Delete*. Commented Aug 28, 2016 at 17:01
  • No, I have two more policies attached to the user. I can post them in some time. Commented Aug 28, 2016 at 17:03
  • Policy1..... { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:Describe*" ], "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:Region": "us-west-2" } } } ] } Commented Aug 28, 2016 at 17:05
  • Policy2.....{ "Version": "2012-10-17", "Statement": [ { "Sid": "ECUnrestricted", "Effect": "Allow", "Action": [ "elasticache:Describe*", "elasticache:List*" ], "Resource": "*" } ] } Commented Aug 28, 2016 at 17:07
  • None of these policies will allow change/delete on an ELB. My statement still stands: the deny policy is not required. Commented Aug 28, 2016 at 17:11
