Troubleshooting access denied error messages
Access denied errors appear when Amazon explicitly or implicitly denies an authorization request. An explicit denial occurs when a policy contains a Deny statement for the specific Amazon action. An implicit denial occurs when there is no applicable Deny statement and also no applicable Allow statement. Because an IAM policy denies an IAM principal by default, the policy must explicitly allow the principal to perform an action. Otherwise, the policy implicitly denies access. For more information, see The difference between explicit and implicit denies.
Most access denied error messages appear in the following format:
User: user is not authorized to perform: action on resource: resource because context
In this example, user is the Amazon Resource Name (ARN) that doesn't receive access, action is the service action that the policy denies, and resource is the ARN of the resource on which the policy acts. The context field represents additional context about the policy type that explains why the policy denied access.
When a policy explicitly denies access because the policy contains a Deny statement, then Amazon includes the phrase "with an explicit deny in a type policy" in the access denied error message. When the policy implicitly denies access, then Amazon includes the phrase "because no type policy allows the action action" in the access denied error message.
Some Amazon services do not support this access denied error message format. The content of access denied error messages can vary depending on the service making the authorization request.
If multiple policies of the same policy type deny an authorization request, then Amazon doesn't specify the number of policies in the access denied error message. If multiple policy types deny an authorization request, Amazon includes only one of those policy types in the error message.
Access denied error message examples
The following examples show the format for different types of access denied error messages.
Access denied due to a Service Control Policy
For the following error, check for a Deny statement or a missing Allow statement for codecommit:ListRepositories in your Service Control Policies (SCPs). When an SCP denies access, the error message can include the phrase "due to an explicit deny in a Service Control Policy", even if the denial is implicit.
User: arn:aws-cn:iam::777788889999:user/JohnDoe is not authorized to perform: codecommit:ListRepositories with an explicit deny in a service control policy
Access denied due to a VPC endpoint policy
- Implicit denial: For the following error, check for a missing Allow statement for codecommit:ListRepositories in your Virtual Private Cloud (VPC) endpoint policies.
User: arn:aws-cn:iam::123456789012:user/JohnDoe is not authorized to perform: codecommit:ListRepositories because no VPC endpoint policy allows the codecommit:ListRepositories action
- Explicit denial: For the following error, check for an explicit Deny statement for codedeploy:ListDeployments in your VPC endpoint policies.
User: arn:aws-cn:iam::123456789012:user/JohnDoe is not authorized to perform: codedeploy:ListDeployments on resource: arn:aws-cn:codedeploy:us-east-1:123456789012:deploymentgroup:* with an explicit deny in a VPC endpoint policy
Access denied due to a permissions boundary
- Implicit denial: For the following error, check for a missing Allow statement for codedeploy:ListDeployments in your permissions boundary.
User: arn:aws-cn:iam::123456789012:user/JohnDoe is not authorized to perform: codedeploy:ListDeployments on resource: arn:aws-cn:codedeploy:us-east-1:123456789012:deploymentgroup:* because no permissions boundary allows the codedeploy:ListDeployments action
- Explicit denial: For the following error, check for an explicit Deny statement for sagemaker:ListModels in your permissions boundary.
User: arn:aws-cn:iam::777788889999:user/JohnDoe is not authorized to perform: sagemaker:ListModels with an explicit deny in a permissions boundary
Access denied due to session policies
- Implicit denial: For the following error, check for a missing Allow statement for codecommit:ListRepositories in your session policies.
User: arn:aws-cn:iam::123456789012:user/JohnDoe is not authorized to perform: codecommit:ListRepositories because no session policy allows the codecommit:ListRepositories action
- Explicit denial: For the following error, check for an explicit Deny statement for codedeploy:ListDeployments in your session policies.
User: arn:aws-cn:iam::123456789012:user/JohnDoe is not authorized to perform: codedeploy:ListDeployments on resource: arn:aws-cn:codedeploy:us-east-1:123456789012:deploymentgroup:* with an explicit deny in a sessions policy
Access denied due to resource-based policies
- Implicit denial: For the following error, check for a missing Allow statement for secretsmanager:GetSecretValue in your resource-based policy.
User: arn:aws-cn:iam::123456789012:user/JohnDoe is not authorized to perform: secretsmanager:GetSecretValue because no resource-based policy allows the secretsmanager:GetSecretValue action
- Explicit denial: For the following error, check for an explicit Deny statement for secretsmanager:GetSecretValue in your resource-based policy.
User: arn:aws-cn:iam::123456789012:user/JohnDoe is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws-cn:secretsmanager:us-east-1:123456789012:secret:* with an explicit deny in a resource-based policy
Access denied due to role trust policies
- Implicit denial: For the following error, check for a missing Allow statement for sts:AssumeRole in your role trust policy.
User: arn:aws-cn:iam::123456789012:user/JohnDoe is not authorized to perform: sts:AssumeRole because no role trust policy allows the sts:AssumeRole action
- Explicit denial: For the following error, check for an explicit Deny statement for sts:AssumeRole in your role trust policy.
User: arn:aws-cn:iam::777788889999:user/JohnDoe is not authorized to perform: sts:AssumeRole with an explicit deny in the role trust policy
Access denied due to identity-based policies
- Implicit denial: For the following error, check for a missing Allow statement for codecommit:ListRepositories in identity-based policies attached to user JohnDoe.
User: arn:aws-cn:iam::123456789012:user/JohnDoe is not authorized to perform: codecommit:ListRepositories because no identity-based policy allows the codecommit:ListRepositories action
- Explicit denial: For the following error, check for an explicit Deny statement for codedeploy:ListDeployments in identity-based policies attached to user JohnDoe.
User: arn:aws-cn:iam::123456789012:user/JohnDoe is not authorized to perform: codedeploy:ListDeployments on resource: arn:aws-cn:codedeploy:us-east-1:123456789012:deploymentgroup:* with an explicit deny in an identity-based policy
Access denied when a VPC request fails due to another policy
For the following error, check for an explicit Deny statement for SNS:Publish in your SCPs. In the message, role-name and role-session-name are placeholders for the assumed role and its session name.
User: arn:aws-cn:sts::111122223333:assumed-role/role-name/role-session-name is not authorized to perform: SNS:Publish on resource: arn:aws-cn:sns:us-east-1:444455556666:role-name-2 with an explicit deny in a VPC endpoint policy transitively through a service control policy
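The following Python helper is an added example, not part of the Amazon documentation: it parses messages in the format described above (the resource part is optional, the context is either the explicit-deny phrase or the implicit "because no ... policy allows" phrase, and the transitive SCP form is recognised) and maps the result to the policy type this page says to inspect. The regexes, the AccessDenied dataclass and what_to_check are constructed for this example; they are not an Amazon API.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed regexes for the format described above:
#   User: <arn> is not authorized to perform: <action> [on resource: <arn>] <context>
MESSAGE_RE = re.compile(
    r"^User: (?P<user>\S+) is not authorized to perform: (?P<action>\S+)"
    r"(?: on resource: (?P<resource>\S+))?(?: (?P<context>.+))?$"
)
EXPLICIT_RE = re.compile(
    r"^with an explicit deny in (?:a|an|the) (?P<policy_type>.+?) policy"
    r"(?: transitively through (?:a|an|the) (?P<via>.+?) policy)?$"
)
IMPLICIT_RE = re.compile(r"^because no (?P<policy_type>.+?) policy allows the (?P<action>\S+) action$")


@dataclass
class AccessDenied:
    user: str
    action: str
    resource: Optional[str]      # several messages on this page omit the resource
    denial: str                  # "explicit", "implicit" or "unknown"
    policy_type: Optional[str]   # e.g. "service control", "VPC endpoint", "sessions"
    via: Optional[str] = None    # policy type the denial passed through transitively


def parse_access_denied(message: str) -> Optional[AccessDenied]:
    """Parse one message; return None when the service used a different format."""
    m = MESSAGE_RE.match(message.strip())
    if not m:
        return None
    user, action, resource, context = m.group("user", "action", "resource", "context")
    denial, policy_type, via = "unknown", None, None
    if context and (e := EXPLICIT_RE.match(context)):
        denial, policy_type, via = "explicit", e["policy_type"], e["via"]
    elif context and (i := IMPLICIT_RE.match(context)):
        denial, policy_type = "implicit", i["policy_type"]
    return AccessDenied(user, action, resource, denial, policy_type, via)


def what_to_check(r: AccessDenied) -> str:
    """Map the parsed message to the policy the page says to inspect first."""
    if r.denial == "explicit":
        where = r.via or r.policy_type   # a transitive denial points at the SCP, not the VPC policy
        hint = "an explicit Deny statement"
        if r.policy_type == "service control":  # SCPs report "explicit deny" even for implicit denials
            hint = "a Deny statement or a missing Allow statement"
        return f"look for {hint} for {r.action} in your {where} policy"
    if r.denial == "implicit":
        return f"look for a missing Allow statement for {r.action} in your {r.policy_type} policy"
    return "no policy-type context; this service uses its own error format"
```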