新的 IAM 管理员用户看到“您无权执行此操作" [英] New IAM admin user sees "You are not authorized to perform this operation"

问题描述

我正在尝试在 OSX 上开始使用 AWS CLI.我通过 pip 安装了 aws.我在 IAM 中创建了一个新用户并附加了预先构建的 AdministratorAccess - AWS Managed policy 策略.接下来，我复制了访问密钥 ID 和生成的秘密访问密钥.

I am trying to get started with the AWS CLI on OSX. I installed aws via pip. I have created a new user in IAM and attached the pre-built AdministratorAccess - AWS Managed policy policy. Next I have I have copied the Access Key ID and the Secret Access Key generated.

我创建的用户不在任何组中.他们的政策是这样的:

The user I created is not in any groups. Their policy looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

接下来，我从命令行运行 aws configure，并输入我复制的访问密钥和秘密密钥，以及 eu-west-1 的区域代码(这似乎不太可能相关，因为 IAM 用户是全球性的)，以及 text 的输出格式.

Next, I ran aws configure from the command line, and entered the access key and secret key that I copied, plus a region code of eu-west-1 (which seems unlikely to be relevant since IAM users are global), and an output format of text.

然后我尝试运行一个简单的测试命令来设置一个新组:

Then I have tried running a simple test command to set up a new group:

$  aws ec2 create-security-group --group-name my-sg --description "My security group" --debug

但是，这失败并出现以下错误:

However, this fails with the following error:

调用时发生客户端错误 (UnauthorizedOperation)CreateSecurityGroup 操作:您无权执行此操作操作.

A client error (UnauthorizedOperation) occurred when calling the CreateSecurityGroup operation: You are not authorized to perform this operation.

其他命令以同样的方式失败.

Other commands fail in the same way.

我唯一的理论是，这是密钥中的复制和粘贴错误，但我已尝试执行上述整个过程两次，但两次都以相同的方式失败.我究竟做错了什么?有没有办法调试流程的哪一部分失败?

My only theory is that it's a copy and paste error in the keys, but I've tried doing the whole process above twice and failed in the same way both times. What am I doing wrong? Is there a way I can debug which part of the process is failing?

推荐答案

您的 AWS CLI 正在从其他地方获取凭证.请参阅配置设置和优先级

Your AWS CLI is getting credentials from somewhere else. See Configuration Settings and Precedence

确保它没有从环境变量或其他位置获取凭据.AWS CLI 按以下顺序查找凭证和配置设置:

Make sure it is not getting the credentials from environment variables or from other locations. The AWS CLI looks for credentials and configuration settings in the following order:

• 命令行选项 - 可以将区域、输出格式和配置文件指定为命令选项以覆盖默认设置.
• 环境变量 – AWS_ACCESS_KEY_ID、AWS_SECRET_ACCESS_KEY 等
• AWS 凭证文件 – 在 Linux、OS X 或 Unix 上位于 ~/.aws/credentials，在 Windows 上位于 C:UsersUSERNAME .awscredentials.除了默认配置文件之外，此文件还可以包含多个命名配置文件.
• CLI 配置文件 – 通常位于 Linux、OS X 或 Unix 上的 ~/.aws/config，或 Windows 上的 C:UsersUSERNAME .awsconfig.此文件可以包含默认配置文件、命名配置文件以及每个配置文件的 CLI 特定配置参数.
• 实例配置文件凭证 - 这些凭证可用于具有指定实例角色的 EC2 实例，并通过 Amazon EC2 元数据服务提供.

这篇关于新的 IAM 管理员用户看到“您无权执行此操作"的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！