1

I'm trying to use the CLI and Python's package Boto3 to access AWS, but am getting access denied to every service. I can login to the console and see everything and do everything that I'm attempting through the CLI. I'm attached to an IAM group that gives me access to essentially everything, but some error messages say there's an explicit deny which I can't even find.

I've setup my profile with my access and secret keys which are active, but am wondering if I need to do anything else

simplycoding
  • 2,256
  • 8
  • 34
  • 70
  • Are you using the cli credentials? – raam86 Dec 06 '17 at 20:14
  • Both CLI and Boto3 are failing? What is the error message? – helloV Dec 06 '17 at 20:14
  • Message when I try `aws s3 ls --profile newprofile`: `An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied` Boto3 is also failing with the same message – simplycoding Dec 06 '17 at 20:16
  • The user (whose credentials you have set in the credentials file) does not have `ListBuckets` permission. Set it up in the IAM and try the command again. – krishna_mee2004 Dec 06 '17 at 20:19
  • But I'm able to see all the buckets, create an object, delete a bucket in S3 through the console already. Having trouble understanding why this isn't working outside the console – simplycoding Dec 06 '17 at 20:20
  • Instead of using the profile, can you set the access key, secret key and token (if there) in the path and run the command again? – krishna_mee2004 Dec 06 '17 at 20:24
  • @simplycoding The credentials stored under `newprofile` in the credentials file is not the same as the user who is using the console. You may want to use the correct access id and secret. – helloV Dec 06 '17 at 20:37
  • @helloV not following 100%. I'm using the keys that were generated for my account in that `newprofile` for my AWS profile – simplycoding Dec 06 '17 at 21:14
  • @simplycoding then your CLI is getting credentials from somewhere else. See: http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#config-settings-and-precedence – helloV Dec 06 '17 at 21:16
  • @simplycoding Can you run aws sts get-caller-identity --profile newprofile and verify the access key is matching with what you generated? – sudo Dec 07 '17 at 22:32
  • Yeah it turned out to be that MFA was turned on and I just completely forgot about it while developing... Would've been nice if that had been mentioned in the thrown error message – simplycoding Dec 07 '17 at 23:28

0 Answers0