I'm trying to run this command in the AWS console:
aws route53 list-hosted-zones
I'm using my access key/secret and it worked fine in a demo account. I checked with my team and I have the AmazonRoute53FullAccess permissions.
Here's the full error message:
PS C:\Users...> aws route53 list-hosted-zones --no-paginate
An error occurred (AccessDenied) when calling the ListHostedZones operation: User: arn:aws:iam::362327418951:user/userName is not authorized to perform: route53:ListHostedZones with an explicit deny in an identity-based policy
Answer 1
Check the CC-MFA-USER policy.
Based on the names of the policies attached to your account, I suspect there's a policy that denies access unless authenticated using MFA.
AWS provides an example policy: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html
In the example above, the last statement denies access unless you are authenticated using MFA:
{
  "Sid": "BlockMostAccessUnlessSignedInWithMFA",
  "Effect": "Deny",
  "NotAction": [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:ListMFADevices",
    "iam:ListUsers",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice"
  ],
  "Resource": "*",
  "Condition": {
    "BoolIfExists": {
      "aws:MultiFactorAuthPresent": "false"
    }
  }
}
There are a few options for using MFA with the AWS CLI:
- https://stackoverflow.com/a/41965046/2454476 — this seems like the easiest option, but I haven't used it myself, and it may not be available on older versions of the CLI
- https://stackoverflow.com/a/34796136/2454476 — this should work with any version of the CLI, but there are a few extra steps involved.
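As an added illustration (not part of the answer above), here is a small Python evaluator for that deny statement's logic. It shows why a request made with a long-term access key, which carries no aws:MultiFactorAuthPresent key at all, still hits the explicit deny on route53:ListHostedZones, while the IAM self-service actions listed under NotAction stay allowed. The evaluator and the `explain` helper are my own constructions and only handle Action/NotAction, a Resource of "*" and the BoolIfExists operator.

```python
import json

# Copy of the deny statement quoted in the answer (constructed for this example).
MFA_DENY_STATEMENT = json.loads("""
{
  "Sid": "BlockMostAccessUnlessSignedInWithMFA",
  "Effect": "Deny",
  "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                "iam:ListMFADevices", "iam:ListUsers",
                "iam:ListVirtualMFADevices", "iam:ResyncMFADevice"],
  "Resource": "*",
  "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
}
""")


def bool_if_exists_matches(condition: dict, context: dict) -> bool:
    """IAM's BoolIfExists: a key that is absent from the request context counts
    as a match. Long-term access keys send no MFA key, so they match 'false'."""
    for key, expected in condition.items():
        if key not in context:
            continue  # IfExists: missing key is treated as satisfying the condition
        if str(context[key]).lower() != str(expected).lower():
            return False
    return True


def statement_applies(stmt: dict, action: str, context: dict) -> bool:
    """True if the statement's Action/NotAction, Resource and Condition all match."""
    if "Action" in stmt and action not in stmt["Action"]:
        return False
    if "NotAction" in stmt and action in stmt["NotAction"]:
        return False  # listed actions are carved out of the deny
    if stmt.get("Resource", "*") != "*":
        raise NotImplementedError("only Resource '*' is modelled here")
    for operator, cond in stmt.get("Condition", {}).items():
        if operator != "BoolIfExists":
            raise NotImplementedError(operator)
        if not bool_if_exists_matches(cond, context):
            return False
    return True


def explain(action: str, context: dict) -> str:
    """Return 'explicit deny' when the MFA statement blocks the action, else 'no deny'."""
    if statement_applies(MFA_DENY_STATEMENT, action, context):
        return "explicit deny"
    return "no deny"
```

Credentials obtained through sts:GetSessionToken with an MFA code populate aws:MultiFactorAuthPresent as true, which is the case that escapes the deny.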