新的IAM管理员用户会看到“您无权执行此操作”。 [英] New IAM admin user sees "You are not authorized to perform this operation"

问题描述

我正在尝试开始使用OSX上的AWS CLI。我通过pip安装了 aws 。我在IAM中创建了一个新用户，并附加了预先构建的 AdministratorAccess-AWS Managed Policy 策略。接下来，我复制了生成的访问密钥ID和秘密访问密钥。

I am trying to get started with the AWS CLI on OSX. I installed aws via pip. I have created a new user in IAM and attached the pre-built AdministratorAccess - AWS Managed policy policy. Next I have I have copied the Access Key ID and the Secret Access Key generated.

我创建的用户不在任何组中。他们的政策如下：

The user I created is not in any groups. Their policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

接下来，我跑了 aws从命令行配置，然后输入我复制的访问密钥和秘密密钥，以及 eu-west-1 的区域代码（这似乎不太可能相关，因为IAM用户是全球用户），并且输出格式为文本。

Next, I ran aws configure from the command line, and entered the access key and secret key that I copied, plus a region code of eu-west-1 (which seems unlikely to be relevant since IAM users are global), and an output format of text.

然后我尝试运行一个简单的测试命令来设置一个新组：

Then I have tried running a simple test command to set up a new group:

$  aws ec2 create-security-group --group-name my-sg --description "My security group" --debug

但是，此操作失败，以下错误：

However, this fails with the following error:

调用
CreateSecurityGroup操作时发生客户端错误（UnauthorizedOperation） ion：您无权执行此
操作。

A client error (UnauthorizedOperation) occurred when calling the CreateSecurityGroup operation: You are not authorized to perform this operation.

其他命令以相同的方式失败。

Other commands fail in the same way.

我唯一的理论是键中的复制和粘贴错误，但是我尝试了两次以上的整个过程，但两次都失败了。我究竟做错了什么？有什么方法可以调试过程的哪一部分失败？

My only theory is that it's a copy and paste error in the keys, but I've tried doing the whole process above twice and failed in the same way both times. What am I doing wrong? Is there a way I can debug which part of the process is failing?

推荐答案

您的AWS CLI正在从其他地方获取凭证。请参见配置设置和优先级

Your AWS CLI is getting credentials from somewhere else. See Configuration Settings and Precedence

请确保它没有从环境变量或其他位置获取凭据。
AWS CLI按以下顺序查找凭据和配置设置：

Make sure it is not getting the credentials from environment variables or from other locations. The AWS CLI looks for credentials and configuration settings in the following order:

• 命令行选项–区域，输出格式和配置文件可以指定为命令选项以覆盖默认设置。


• 环境变量– AWS_ACCESS_KEY_ID，AWS_SECRET_ACCESS_KEY等。


• AWS凭证文件–位于〜 /.aws/credentials在Linux，OS X或Unix上，或在C：\Users\USERNAME .aws\credentials在Windows上。除了默认配置文件之外，该文件还可以包含多个命名的配置文件。


• CLI配置文件–通常位于Linux，OS X或Unix上的〜/ .aws / config或Windows上的C：\Users\USERNAME .aws\config。此文件可以包含默认配置文件，命名配置文件以及每个配置文件的CLI特定配置参数。


• 实例配置文件凭据–这些凭据可用于具有指定实例角色的EC2实例，并且通过Amazon EC2元数据服务提供。

• Command Line Options – region, output format and profile can be specified as command options to override default settings.
• Environment Variables – AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, etc.
• The AWS credentials file – located at ~/.aws/credentials on Linux, OS X, or Unix, or at C:\Users\USERNAME .aws\credentials on Windows. This file can contain multiple named profiles in addition to a default profile.
• The CLI configuration file – typically located at ~/.aws/config on Linux, OS X, or Unix, or at C:\Users\USERNAME .aws\config on Windows. This file can contain a default profile, named profiles, and CLI specific configuration parameters for each.
• Instance profile credentials – these credentials can be used on EC2 instances with an assigned instance role, and are delivered through the Amazon EC2 metadata service.

这篇关于新的IAM管理员用户会看到“您无权执行此操作”。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！