Summary
Permission issues are one of the most common errors seen by users of N2WS Backup and this article explains how you can use the IAM Policy Simulator to help you narrow down whether permissions are allowed by an IAM User or a Role.
This article will also discuss how to determine if a Role/user has permissions assigned through a Policy but is being denied by an AWS Organizations Service Control Policy rule (SCP).
Description
Prerequisites in AWS:
To help you get started with the IAM Policy Simulator please see this AWS Article on its use and which permissions a user/role needs to run it.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
This is a helpful AWS video on this topic.
https://www.youtube.com/watch?v=1IIhVcXhvcE
Using IAM Policy to Troubleshoot N2WS Backup issues.
1. Login into AWS and then open a browser and go to the IAM Policy Simulator home page
https://policysim.aws.amazon.com/home/index.jsp
2. In the left-hand pane select Role
3. Select the N2W instance Role or the Role that was denied access.
4. If the AWS Organizations SCP's checkbox is listed on the screen, please make sure to select this. This is useful to show that there is a rule preventing the role from using the permission even if defined in the policy files associated with the role.
For more details on SCP rules see this link
5. In this example we will use the error message below where the Role has received access denied when calling ListObjectsV2 permission. This permission is inherited from the S3:ListBuckets permission.
2022-04-28 19:59:58,244:[140698990913280][----------] ERROR: s3sync_thread(agent.py:1869) fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
6. In the IAM Policy Simulator screen select the Service S3
7. Select the Action and select the ListBuckets permission.
8. Then click the Run Simulation button. You should get a return of allowed.
Troubleshooting:
If you get a denied message this is usually easily corrected by updating the N2W instance role or the user that received the denied message. You can obtain the latest N2WS N2W JSON policy files from this link:
N2W JSON Permission files
How to update role
How to update the AWS Role Permissions
If you receive this message Denied by AWS Organizations after running the simulation, you need check in AWS Organizations and verify if you have a deny permission defined in a Service Control Policy which overrides the allow statement in the N2W JSON Policy files.
For more information on troubleshooting SCP policies please see this AWS article.
https://docs.aws.amazon.com/organizations/latest/userguide/org_troubleshoot_policies.html
Confirmation Steps
Using the steps to troubleshoot and correct account/role permissions should resolve your N2W permission errors.
Comments
0 comments
Please sign in to leave a comment.