Error: "AccessDeniedException" - Amazon Resource Access Manager

Error: "AccessDeniedException"

Scenario

You get an Access Denied exception when trying to share a resource or view a resource share.

Cause

You can receive this error if you attempt to create a resource share when you don't have the required permissions. This can be caused by insufficient permissions in policies attached to your Amazon Identity and Access Management (IAM) principal. It can also happen because of restrictions in place from an Amazon Organizations service control policy (SCP) that affects your Amazon Web Services account.

Solution

To provide access, add permissions to your users, groups, or roles.

To resolve the error, you need to ensure the permissions are granted by Allow statements in the permission policy used by the principal that makes the request. In addition, the permissions must not be blocked by your organization’s SCPs.

To create a resource share, you need the following two permissions:

  • ram:CreateResourceShare

  • ram:AssociateResourceShare

To view a resource share, you need the following permission:

  • ram:GetResourceShares

To attach permissions to a resource share, you need the following permission:

  • resourceOwningService:PutPolicyAction

    This is a placeholder. You must replace it with the "PutPolicy" permission (or equivalent) for the service that owns the resource that you want to share. For example, if you are sharing a Route 53 resolver rule, then the required permission would be: route53resolver:PutResolverRulePolicy. If you want to allow the creation of a resource share that contains multiple resource types, then you must include the relevant permission for each resource type that you want to permit.

The following example shows what such an IAM permission policy might look like.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ram:CreateResourceShare",
                "ram:AssociateResourceShare",
                "ram:GetResourceShares",
                "resourceOwningService:PutPolicyAction"
            ],
            "Resource": "*"
        }
    ]
}
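The following added example (not part of the original documentation) checks offline which of the RAM actions listed above are missing from an identity policy or blocked by an SCP. It is a simplified evaluator that matches only on Action and ignores Resource, Condition and NotAction; both sample policies are constructed, and the service-specific PutPolicy action is left out because it depends on the resource type.

```python
import fnmatch

# Actions this page lists as required, keyed by task.
REQUIRED = {
    "create": ["ram:CreateResourceShare", "ram:AssociateResourceShare"],
    "view": ["ram:GetResourceShares"],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, action):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement.get("Action", [])))

def decision(policy, action):
    """Return 'deny', 'allow' or 'implicit-deny' for one policy document."""
    result = "implicit-deny"
    for statement in _as_list(policy["Statement"]):
        if _matches(statement, action):
            if statement["Effect"] == "Deny":
                return "deny"  # an explicit Deny always wins
            result = "allow"
    return result

def missing_actions(task, identity_policy, scp):
    """Map each required action that is not usable to the policy blocking it."""
    blocked = {}
    for action in REQUIRED[task]:
        ident, org = decision(identity_policy, action), decision(scp, action)
        if ident != "allow":
            blocked[action] = f"identity policy: {ident}"
        elif org != "allow":
            blocked[action] = f"SCP: {org}"
    return blocked

# Constructed sample: the identity policy omits ram:AssociateResourceShare.
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ram:CreateResourceShare", "ram:GetResourceShares"]}]}
# Constructed sample: the SCP allows everything but denies share creation.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ram:CreateResourceShare", "Resource": "*"}]}

if __name__ == "__main__":
    for task in REQUIRED:
        print(task, missing_actions(task, IDENTITY, SCP) or "all required actions allowed")
```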