Iam用户未被授权执行:firehose:资源xxxx上的CreateDeliveryStream具有显式拒绝

时间:2018-03-07 15:39:00

标签: amazon-web-services amazon-iam amazon-kinesis-firehose

我正在尝试从EC2微实例创建Firehose传输流。

AWS CLI配置了IAM用户ABC的访问密钥。此用户附加了AWS策略,可以完全访问firehose(下面复制的策略)。

流创建仍然失败,错误为AccessDeniedException: iam user ABC not authorized to perform: firehose:CreateDeliveryStream on resource xxxx with an explicit deny 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "firehose:*",
                "firehose:CreateDeliveryStream"
            ],
            "Resource": [
                "arn:aws:firehose:us-east-1:<ACC_ID>:deliverystream/*",
                "arn:aws:firehose:us-east-1:<ACC_ID>:*",
                "arn:aws:firehose:*:<ACC_ID>:*",
                "arn:aws:firehose:*:<ACC_ID>:deliverystream/*"
            ]
        }
    ]
}

我是否需要为此IAM用户添加更多权限才能创建传送流?

1 个答案:

答案 0 :(得分:0)

我交叉检查了附加到此用户的所有其他策略,显然此用户附加了拒绝策略,该策略明确拒绝访问。删除了这个政策,它有效!

相关问题
最新问题