Grant AWS CLI permissions

Question

I have a user group Administrators with the following policy attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

My currently logged-in CLI user is part of this group; I've verified by running aws iam get-user and comparing the ARN with what I have in the web console.

Somehow there's a lot of CLI commands for which I get denied, e.g.

$ aws iam list-groups

An error occurred (AccessDenied) when calling the ListGroups operation: User: arn:aws:iam::675072143536:user/carl is not authorized to perform: iam:ListGroups on resource: arn:aws:iam::675072143536:group/ with an explicit deny

How can I perform this command?

Answer 1

You either have an SCP or Permission Boundary in place that explicitly denies that operation. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html .

You may be able to inspect the boundary or SCP in the IAM console or need to ask someone with more permissions / control over your account for more details as to why they are there and how to possibly get permission to go around them. Right now you are not allowed to perform that command.

Answer 2

I was being denied by our MFA policy:

{
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}