Related to Error

Sandeep

30 Nov, 2018 10:17 AM

Hi Team,

I am getting the below-mentioned error. Please let me know how to resolve this error.

User: arn:aws:iam::326014899549:user/awsreadonly is not authorized to perform: ce:GetTags on resource: arn:aws:ce:us-east-1:326014899549:/GetTags.

Please find the screenshot below for more information.

  1. Posted by Ylastic (Support Staff) on 30 Nov, 2018 12:46 PM

    You are missing perms in the IAM role you gave us. Please provide the perms needed - http://support.ylastic.com/help/kb/iam-policies

  2. Posted by Sandeep R on 04 Dec, 2018 06:53 AM

    May I know what the perms are here?

  3. Posted by Ylastic (Support Staff) on 04 Dec, 2018 12:37 PM

    The perms you need are given in the link in the previous message.

  4. Posted by Sandeep R on 04 Dec, 2018 12:50 PM

    Can you give some more information regarding this issue?

  5. Posted by Ylastic (Support Staff) on 04 Dec, 2018 12:58 PM

    The error message indicates missing permissions. We need perms in order to retrieve your AWS resources.

  6. Posted by Sandeep R on 04 Dec, 2018 03:03 PM

    An error occurred: Invalid principal in policy:
    "AWS":"arn:aws:iam::326014899549:user/awsreadonly.ylastic.com"
    I am getting the above error while creating the role.

  7. Posted by Ylastic (Support Staff) on 04 Dec, 2018 03:04 PM

    Where is the error? In the Ylastic console or elsewhere?

  8. Posted by Sandeep R on 17 Dec, 2018 06:48 AM

    Hi team,
    I am trying to add an AWS account and to get a CIS report, and I am
    getting an error, which is attached below.
    [image: image.png]
    I have followed the KB article provided by Ylastic (the link is given
    below), but I am unable to add the AWS account and create CIS reports.
    http://blog.ylastic.com/post/153943542476/iam-role-with-external-id-for-cross-account-access

    Please let me know if there is another document apart from this.

  9. Posted by Ylastic (Support Staff) on 17 Dec, 2018 12:58 PM

    The message clearly tells you what the issue is. In order to use CIS reports, for security reasons, we can only use an IAM role. User sandeep is not set up for authentication using IAM roles. You can see this clearly on the Ylastic accounts page.

  10. Posted by Sandeep R on 18 Dec, 2018 11:56 AM

    Hi Team,

    I have tried to create an IAM role with the help of your link, which is
    given below.

    http://blog.ylastic.com/post/153943542476/iam-role-with-external-id-for-cross-account-access

    I got an error while creating the IAM role. Please find the screenshots
    below, which relate to the steps I followed.

    - While creating the role I have given the AWS account number and the
      External ID, which I have taken from the Ylastic settings page.

    [image: image.png]

    [image: image.png]

    - I have selected the *AWSREADONLY* access policy. If I am wrong, please
      suggest which one I need to select.

    [image: image.png]

    [image: image.png]

    - When I try to edit the trust relationship I get an error, which is
      highlighted in red. Please let me know whether I need to change
      something.

    [image: image.png]

  11. Posted by Ylastic (Support Staff) on 18 Dec, 2018 03:45 PM

    You are specifying the wrong principal when editing the trust relationship. You have to use the principal as we specify in our post - arn:aws:iam::710193521658:user/[email blocked]

  12. Posted by Sandeep R on 19 Dec, 2018 05:52 AM

    Hi Team,
    I didn't understand why the information is blocked, and I didn't
    understand what changes I need to make. Please find the screenshot below.
    Please explain it to me clearly.

    [image: image.png]

  13. Posted by Ylastic (Support Staff) on 19 Dec, 2018 12:56 PM

    Sorry, I don't know what you mean by 'blocked information'. Can you specify what you mean by that?

    You are specifying the wrong principal in the trust relationship. Your screenshot from the AWS console clearly indicates that you are specifying the wrong principal, and NOT the one we ask you to use in the blog post referenced multiple times in this thread. As we tell you once again in our reply above, the principal in the trust relationship needs to be arn:aws:iam::710193521658:user/[email blocked]

  14. Posted by Sandeep R on 20 Dec, 2018 09:02 AM

    Hi Team,

    I tried to give the email ID of my AWS root account, but I am still
    unable to create a policy. Please let me know if there is any particular
    syntax to follow, or if you could give me one example, that would be
    great. As per the document, I have changed the value; please verify that
    as well.

    [image: image.png]

    [image: image.png]

  15. Posted by Ylastic (Support Staff) on 20 Dec, 2018 12:56 PM

    Where are you giving this email ID of the root account? What is the error message from AWS when creating the policy? The screenshots you are sending show only the trust relationship.
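
Added example, not part of the thread or of Ylastic's documentation: an offline pre-check of a cross-account trust policy that flags the mistakes discussed above (a principal outside the vendor's account, a non-ARN principal such as an e-mail address, a missing sts:ExternalId condition). The vendor user name is redacted on this page, so VENDOR-USER-PLACEHOLDER, the external ID value and all function names are assumptions; IAM itself still checks that the principal exists when the policy is saved.

```python
import re
# IAM principal ARN: arn:aws:iam::<12-digit account>:root | user/<name> | role/<name>
ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(?:root|(?:user|role)/.+)$")

def as_list(value):
    """IAM JSON allows a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_trust_policy(policy, vendor_account, external_id):
    """Return findings for a cross-account trust policy; an empty list means OK."""
    findings = []
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or \
           "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {n}: wildcard principal")
            continue
        for arn in as_list(principal.get("AWS", [])):
            m = ARN_RE.match(arn)
            account = m.group(1) if m else (arn if re.fullmatch(r"\d{12}", arn) else None)
            if account is None:
                findings.append(f"statement {n}: malformed principal {arn!r}")
            elif account != vendor_account:
                findings.append(f"statement {n}: principal is in account {account}, "
                                f"expected vendor account {vendor_account}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append(f"statement {n}: sts:ExternalId condition missing or wrong")
    return findings

def make_policy(principal_arn, ext_id=None):
    """Build a constructed sample trust policy for the checks below."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": principal_arn}}
    if ext_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": ext_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

VENDOR_ACCOUNT = "710193521658"        # account ID given in the support replies
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"    # constructed placeholder value
# Principal string quoted in the thread's "Invalid principal in policy" error
wrong = make_policy("arn:aws:iam::326014899549:user/awsreadonly.ylastic.com", EXTERNAL_ID)
# User name is redacted on the page, so a placeholder stands in for it
right = make_policy("arn:aws:iam::710193521658:user/VENDOR-USER-PLACEHOLDER", EXTERNAL_ID)

if __name__ == "__main__":
    print(check_trust_policy(wrong, VENDOR_ACCOUNT, EXTERNAL_ID))
```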
