Wednesday, December 18, 2019

AWS Resource Groups - KnowHow(s) - Series 5

In this learning post, let us see how to resolve access permissions issue in case of error while creating AWS Resource Groups via AWS CLI

Getting Started:
  • create or use an existing EC2 instance to which there is no permission attached relevant to AWS resource groups or tags

  • Take SSH into the EC2 instance from where AWS CLI commands can be run
  • run the command below to create AWS Resource Group to see the output status
aws resource-groups create-group --name my-resource-group --resource-query '{"Type":"TAG_FILTERS_1_0","Query":"{\"ResourceTypeFilters\":[\"AWS::EC2::Instance\"],\"TagFilters\":[{\"Key\":\"Env\",\"Values\":[\"QA\"]}]}"}'

On Creation of AWS Resource Group from AWS CLI:

    • In above screen, the resource group creation of Tag(Env:QA) initially failed with 'Access Denied Exception' 
    • This is because of the absence of permissions on creating Resource Groups for role that this EC2 is attached with 
    • Now in order to resolve this permissions issue, we need to add the list of permissions applicable(refer to Series 1) and update the ROLE of this EC2
    • The second attempt to create this instance has succeeded and group creation is successful and returns the json output successfully

Steps to resolve(to add permissions to the existing role):
    • From IAM Console, goto Roles-> the role attached to the EC2 instance from where the AWS CLI commands are being executed
    • edit the policy to add 'inline policy' to the existing list of 'Managed' or 'Inline' policies attached to the role
    • add the below policy to succeed in Resource Group creation from CLI

No comments:

Post a Comment