Wednesday, December 18, 2019

AWS Resource Groups - KnowHow(s) - Series 5





In this learning post, let us see how to resolve an access permissions issue when creating an AWS Resource Group via the AWS CLI fails with an error.

Getting Started:
  • Create or use an existing EC2 instance that has no permissions relevant to AWS Resource Groups or tags attached

Pre-requisite:
  • SSH into the EC2 instance from where AWS CLI commands can be run
  • Run the command below to create an AWS Resource Group and see the output status
aws resource-groups create-group --name my-resource-group --resource-query '{"Type":"TAG_FILTERS_1_0","Query":"{\"ResourceTypeFilters\":[\"AWS::EC2::Instance\"],\"TagFilters\":[{\"Key\":\"Env\",\"Values\":[\"QA\"]}]}"}'

On Creation of AWS Resource Group from AWS CLI:



    • In the above screen, the creation of the resource group for the tag (Env:QA) initially failed with an 'Access Denied Exception'
    • This is because the role attached to this EC2 instance has no permissions for creating Resource Groups
    • To resolve this permissions issue, we need to add the list of applicable permissions (refer to Series 1) and update the role of this EC2 instance
    • The second attempt succeeded: the group was created and the JSON output was returned

Steps to resolve (to add permissions to the existing role):
    • From the IAM Console, go to Roles -> the role attached to the EC2 instance from which the AWS CLI commands are being executed
    • Edit the role to add an 'inline policy' to the existing list of 'Managed' or 'Inline' policies attached to it
    • Add the below policy to succeed in Resource Group creation from the CLI
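
The following shell sketch is an added example, not the post's own policy: it reads the AccessDeniedException text to find the role and the denied action, then builds an inline policy that grants only that action on only that resource. The error string, account ID, role name, instance ID and policy name are constructed placeholders, and the message layout ("is not authorized to perform: ... on resource: ...") is an assumption about the CLI output.

```shell
#!/bin/sh
# Added example. ERR is a constructed sample of the CLI error text; the
# account ID, role name and instance ID in it are placeholders.
ERR='An error occurred (AccessDeniedException) when calling the CreateGroup operation: User: arn:aws:sts::111122223333:assumed-role/example-ec2-role/i-0123456789abcdef0 is not authorized to perform: resource-groups:CreateGroup on resource: arn:aws:resource-groups:us-east-1:111122223333:group/my-resource-group'

# Role name: the path segment after "assumed-role/" in the caller ARN.
role_from_error() {
  printf '%s\n' "$1" | sed -n 's#.*:assumed-role/\([^/]*\)/.*#\1#p'
}

# The single IAM action the service refused.
action_from_error() {
  printf '%s\n' "$1" |
    sed -n 's/.*not authorized to perform: \([A-Za-z0-9-]*:[A-Za-z0-9*]*\).*/\1/p'
}

# The resource ARN the call was made against.
resource_from_error() {
  printf '%s\n' "$1" | sed -n 's/.* on resource: \(arn:[^ ]*\).*/\1/p'
}

# Emit an inline policy for exactly the denied action and resource.
# Returns non-zero if parsing failed or the action contains a wildcard,
# so a malformed message can never produce a broad grant.
build_policy() {
  action=$(action_from_error "$1")
  resource=$(resource_from_error "$1")
  case "$action" in ''|*'*'*) return 1 ;; esac
  [ -n "$resource" ] || return 1
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"AllowDeniedAction","Effect":"Allow","Action":"%s","Resource":"%s"}]}\n' \
    "$action" "$resource"
}

# Default: only print the policy for review. With APPLY=1 it is attached
# as an inline policy (policy name below is a placeholder).
if [ "${APPLY:-0}" = 1 ]; then
  aws iam put-role-policy \
    --role-name "$(role_from_error "$ERR")" \
    --policy-name resource-groups-create-group \
    --policy-document "$(build_policy "$ERR")"
else
  build_policy "$ERR"
fi
```

Run it with APPLY=1 only under credentials allowed to call iam:PutRolePolicy, which the instance role itself normally is not. If the next CLI call is denied for a different action, repeat with the new error text rather than widening the grant to a wildcard.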
 
