IAM Permission Errors

This page helps you diagnose and resolve AWS IAM permission issues.

Understanding IAM Errors

When SkySaver can’t perform an action due to permissions, you’ll see errors like:

AccessDenied: User: arn:aws:sts::123456789012:assumed-role/SkySaverScheduler/...
is not authorized to perform: ec2:StopInstances

Common Permission Issues

Role Assumption Failed

Error:

Unable to assume role arn:aws:iam::123456789012:role/SkySaverScheduler

Causes:

  • Role doesn’t exist
  • External ID mismatch
  • Trust policy incorrect

Solutions:

  1. Verify that the CloudFormation template was deployed
  2. Check that the External ID in Project Defaults matches the one in the role's trust policy
  3. Verify that the trust policy allows SkySaver's AWS account

EC2 Permission Denied

Error:

AccessDenied: ... is not authorized to perform: ec2:StartInstances

Required Permissions:

- "ec2:StartInstances"
- "ec2:StopInstances"
- "ec2:DescribeInstances"
- "ec2:ModifyInstanceAttribute"

Solution: Ensure your CloudFormation template includes these permissions.

RDS Permission Denied

Error:

AccessDenied: ... is not authorized to perform: rds:StopDBInstance

Required Permissions:

- "rds:DescribeDBClusters"
- "rds:DescribeDBInstances"
- "rds:StopDBCluster"
- "rds:StopDBInstance"
- "rds:StartDBInstance"
- "rds:StartDBCluster"
- "rds:ModifyDBCluster"
- "rds:ModifyDBInstance"

Lambda Permission Denied

Error:

AccessDenied: ... is not authorized to perform: lambda:PutFunctionConcurrency

Required Permissions:

- "lambda:ListFunctions"
- "lambda:ListTags"
- "lambda:GetFunctionConcurrency"
- "lambda:GetProvisionedConcurrencyConfig"
- "lambda:ListVersionsByFunction"
- "lambda:PutFunctionConcurrency"
- "lambda:DeleteFunctionConcurrency"
- "lambda:ListProvisionedConcurrencyConfigs"
- "lambda:PutProvisionedConcurrencyConfig"

ASG Permission Denied

Error:

AccessDenied: ... is not authorized to perform: autoscaling:UpdateAutoScalingGroup

Required Permissions:

- "autoscaling:DescribeAutoScalingGroups"
- "autoscaling:DescribeTags"
- "autoscaling:UpdateAutoScalingGroup"

Cost Explorer Permission Denied

Error:

AccessDenied: ... is not authorized to perform: ce:GetCostAndUsage

Required Permissions:

- "ce:GetRightsizingRecommendation"
- "ce:GetCostAndUsage"
- "ce:GetSavingsPlansPurchaseRecommendation"
- "ce:GetReservationPurchaseRecommendation"

S3 Permission Denied (CUR)

Error:

AccessDenied: ... is not authorized to perform: s3:GetObject

Required Permissions:

- "s3:ListBucket"
- "s3:GetObject"
- "s3:GetBucketLocation"

Diagnosing Permission Issues

Step 1: Check Automation Reports

  1. Navigate to Automation Reports
  2. Find the failed execution
  3. View the error message
  4. Note the specific action and resource

Step 2: Check AWS CloudTrail

  1. Open AWS CloudTrail in AWS Console
  2. Go to Event history
  3. Filter: Event source = sts.amazonaws.com (for role assumption)
  4. Or filter by specific service (ec2, rds, etc.)
  5. Look for AccessDenied error codes

Step 3: Verify IAM Role

  1. Open IAM in AWS Console
  2. Find the SkySaverScheduler role
  3. Review attached policies
  4. Compare with required permissions
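The three diagnostic steps above are manual. The following added example (not SkySaver's code, and not an official AWS tool) parses the AccessDenied messages shown on this page into principal, role, service and action, then compares the role's inline policy against the per-service permission lists above to name the actions that are missing. The sample error message and the sample policy are constructed for illustration; the policy is the JSON form you would copy from the IAM console.

```python
import re
from typing import Dict, List, Optional

# Per-service actions this page lists as required (copied from the lists above).
REQUIRED_ACTIONS: Dict[str, set] = {
    "ec2": {"ec2:StartInstances", "ec2:StopInstances", "ec2:DescribeInstances",
            "ec2:ModifyInstanceAttribute"},
    "rds": {"rds:DescribeDBClusters", "rds:DescribeDBInstances", "rds:StopDBCluster",
            "rds:StopDBInstance", "rds:StartDBInstance", "rds:StartDBCluster",
            "rds:ModifyDBCluster", "rds:ModifyDBInstance"},
    "lambda": {"lambda:ListFunctions", "lambda:ListTags", "lambda:GetFunctionConcurrency",
               "lambda:GetProvisionedConcurrencyConfig", "lambda:ListVersionsByFunction",
               "lambda:PutFunctionConcurrency", "lambda:DeleteFunctionConcurrency",
               "lambda:ListProvisionedConcurrencyConfigs",
               "lambda:PutProvisionedConcurrencyConfig"},
    "autoscaling": {"autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeTags",
                    "autoscaling:UpdateAutoScalingGroup"},
    "ce": {"ce:GetRightsizingRecommendation", "ce:GetCostAndUsage",
           "ce:GetSavingsPlansPurchaseRecommendation",
           "ce:GetReservationPurchaseRecommendation"},
    "s3": {"s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation"},
}

# Matches both message forms on this page: a full "User: arn:..." principal
# (possibly wrapped onto a second line) and a principal elided as "...".
ACCESS_DENIED_RE = re.compile(
    r"AccessDenied:\s*(?:User:\s*(?P<principal>\S+)\s+)?.*?"
    r"is not authorized to perform:\s*(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)",
    re.DOTALL,
)


def parse_access_denied(message: str) -> Optional[dict]:
    """Extract principal, role name, service and action from an AccessDenied message."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        return None
    action, principal, role = m.group("action"), m.group("principal"), None
    if principal and ":assumed-role/" in principal:
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
        role = principal.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return {"principal": principal, "role": role,
            "service": action.split(":", 1)[0].lower(), "action": action}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def _patterns(policy: dict, effect: str) -> List[str]:
    """Action patterns from all statements with the given Effect (Allow or Deny)."""
    out: List[str] = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == effect and "Action" in st:
            out.extend(_as_list(st["Action"]))
    return out


def missing_required_actions(policy: dict, service: str) -> List[str]:
    """Required actions for `service` that the policy does not grant (or explicitly denies).

    Coverage check only: Resource scoping, Condition blocks and NotAction are not
    evaluated, so the real authorization decision can still differ.
    """
    allows, denies = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    missing = []
    for action in sorted(REQUIRED_ACTIONS[service]):
        allowed = any(_action_matches(p, action) for p in allows)
        denied = any(_action_matches(p, action) for p in denies)
        if not allowed or denied:
            missing.append(action)
    return missing


def diagnose(message: str, policy: dict) -> Optional[dict]:
    """Tie an AccessDenied message to the gap in the role's policy."""
    parsed = parse_access_denied(message)
    if parsed is None or parsed["service"] not in REQUIRED_ACTIONS:
        return parsed
    parsed["missing"] = missing_required_actions(policy, parsed["service"])
    return parsed


# Constructed sample: the error from the top of this page, plus an inline policy
# that grants only part of the EC2 set (and all RDS actions via a wildcard).
SAMPLE_ERROR = ("AccessDenied: User: arn:aws:sts::123456789012:assumed-role/SkySaverScheduler/...\n"
                "is not authorized to perform: ec2:StopInstances")
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:StartInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "rds:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_POLICY))
```

Paste the role's inline policy from the IAM console in place of SAMPLE_POLICY and the message from the Automation Report in place of SAMPLE_ERROR. The check deliberately treats a matching Deny as "missing", since an explicit Deny on, say, rds:Stop* produces the same AccessDenied as an absent Allow; for a decision that also accounts for Resource and Condition, use the IAM policy simulator.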

Fixing Permission Issues

Option 1: Redeploy CloudFormation Template

The easiest fix is to redeploy the complete template:

  1. Delete the existing stack
  2. Deploy the updated template from AWS Account Setup

Option 2: Update Inline Policy

Add missing permissions to the existing role:

  1. Open IAM in AWS Console
  2. Find the SkySaverScheduler role
  3. Edit the inline policy
  4. Add missing permissions
  5. Save changes

External ID Issues

The External ID is a security measure to prevent confused deputy attacks.

Finding Your External ID

  1. Navigate to Project Defaults
  2. Find the External ID field
  3. Copy this value

Updating the IAM Role

The External ID must match in the role’s trust policy:

Condition:
  StringEquals:
    sts:ExternalId:
      - "your-external-id-here"

Role Trust Policy

The trust policy must allow SkySaver’s AWS account:

AssumeRolePolicyDocument:
  Version: "2012-10-17"
  Statement:
  - Effect: "Allow"
    Principal:
      AWS: "arn:aws:iam::975050237171:root"
    Action:
    - "sts:AssumeRole"
    Condition:
      StringEquals:
        sts:ExternalId:
          - "<Your External ID>"
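Two of the three causes listed under "Role Assumption Failed" (External ID mismatch, incorrect trust policy) can be checked offline against the role's trust document. The following added example (not SkySaver's code) takes the JSON form of AssumeRolePolicyDocument, as IAM stores it rather than the CloudFormation YAML above, and reports what would stop SkySaver's account from assuming the role: no Allow sts:AssumeRole statement for the SkySaver account, a missing sts:ExternalId condition, or an External ID that differs from the Project Defaults value. The sample trust policies and the External ID value are constructed placeholders.

```python
from typing import List

# Account that assumes the role, as shown in the trust policy above.
SKYSAVER_ACCOUNT_ID = "975050237171"


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def check_trust_policy(trust_policy: dict, expected_external_id: str,
                       partner_account_id: str = SKYSAVER_ACCOUNT_ID) -> List[str]:
    """Return findings explaining why role assumption would fail; an empty list means OK."""
    findings: List[str] = []
    root_arn = f"arn:aws:iam::{partner_account_id}:root"
    trusting_statements = 0
    for st in _as_list(trust_policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        # IAM accepts the bare account ID as shorthand for the :root ARN.
        if not ({"*", root_arn, partner_account_id} & set(aws)):
            continue
        trusting_statements += 1
        if "*" in aws:
            findings.append("statement trusts every AWS principal ('*'); scope it to the SkySaver account")
        condition = st.get("Condition", {})
        ids = [str(i) for i in _as_list(condition.get("StringEquals", {}).get("sts:ExternalId", []))]
        if not ids:
            findings.append("no sts:ExternalId condition: add StringEquals sts:ExternalId "
                            "with the value from Project Defaults")
        elif expected_external_id not in ids:
            findings.append(f"sts:ExternalId mismatch: trust policy has {ids}, "
                            f"Project Defaults has {expected_external_id!r}")
    if trusting_statements == 0:
        findings.append(f"no Allow sts:AssumeRole statement for {root_arn}")
    return findings


# Constructed samples. EXAMPLE_EXTERNAL_ID is a placeholder, not a real value.
EXAMPLE_EXTERNAL_ID = "example-external-id"

GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SKYSAVER_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": [EXAMPLE_EXTERNAL_ID]}},
    }],
}

# Same statement with the condition dropped: assumption succeeds for anyone in
# the partner account, which is the confused-deputy exposure the External ID prevents.
NO_CONDITION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{**GOOD_TRUST_POLICY["Statement"][0], "Condition": {}}],
}

if __name__ == "__main__":
    print(check_trust_policy(GOOD_TRUST_POLICY, EXAMPLE_EXTERNAL_ID))   # []
    print(check_trust_policy(GOOD_TRUST_POLICY, "some-other-id"))       # mismatch finding
    print(check_trust_policy(NO_CONDITION_POLICY, EXAMPLE_EXTERNAL_ID))  # missing-condition finding
```

To run it against the deployed role, fetch the document with `aws iam get-role --role-name SkySaverScheduler --query Role.AssumeRolePolicyDocument`, load it with json.load, and pass the External ID copied from Project Defaults as expected_external_id. Deny statements and conditions other than StringEquals on sts:ExternalId are not evaluated here.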

Service Control Policies (SCPs)

If you use AWS Organizations with SCPs:

  1. Verify SCPs don’t block required actions
  2. Check for regional restrictions
  3. Ensure SkySaver’s account isn’t blocked