Tags: amazon-web-services, amazon-iam, amazon-elb, aws-policies

Error: error listing tags for SNS Topic while policy grants the permission for that arn


I have the below policy attached to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteRule",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyRule",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:SetSecurityGroups"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:ap-south-1:736855795947:loadbalancer/app/my-lb/*",
                "arn:aws:elasticloadbalancing:ap-south-1:736855795947:listener/app/my-lb/*/*",
                "arn:aws:elasticloadbalancing:ap-south-1:736855795947:targetgroup/my-target-group/*"
            ]
        }
    ]
}

Still, I see the below error:

Error: error reading ELBv2 Target Group (arn:aws:elasticloadbalancing:ap-south-1:XXXXXXXXXXXX:targetgroup/my-target-group/55718775ec3196ff): AccessDenied: User: arn:aws:iam::XXXXXXXXXXXX:user/deploy_user is not authorized to perform: elasticloadbalancing:DescribeTargetGroups

I am not able to understand this behaviour. I see policies getting divided into ELB & ELB v2. All "Describe" permissions are coming under ELB v2. (Screenshot: ELB v2 actions)


Solution

  • Since DescribeTargetGroups doesn't support resource-level permissions, try using *:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "elasticloadbalancing:DescribeTargetGroups",
                "Resource": "*"
            }
        ]
    }
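The answer's point generalises: none of the elasticloadbalancing:Describe* actions support resource-level permissions, so any Allow statement that scopes them to specific ARNs silently fails to match and the caller gets AccessDenied. The practical fix is not to widen the whole statement to "*" (that would drop the least-privilege scoping on the Create/Delete/Modify actions) but to split the Describe* actions into their own statement with Resource "*". The script below is an added example, not code from the question or the answer: it takes the poster's policy (trimmed, with a placeholder account ID 111122223333 substituted), reports which Describe* actions are mis-scoped, and emits the split policy. The rule "every elasticloadbalancing:Describe* action needs Resource *" is applied as an assumption for the whole Describe* family, which is broader than the single action the answer names; verify any other service's actions against the IAM service authorization reference before reusing it.

```python
"""Detect and fix ELBv2 Describe* actions scoped to ARNs in an IAM policy."""
from __future__ import annotations

import json
from typing import Any

# Constructed sample input: the question's policy, trimmed. The account ID
# 111122223333 is a placeholder, not the poster's account.
ORIGINAL_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:SetSecurityGroups",
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:ap-south-1:111122223333:loadbalancer/app/my-lb/*",
                "arn:aws:elasticloadbalancing:ap-south-1:111122223333:listener/app/my-lb/*/*",
                "arn:aws:elasticloadbalancing:ap-south-1:111122223333:targetgroup/my-target-group/*",
            ],
        }
    ],
}


def _as_list(value: Any) -> list[str]:
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def requires_wildcard_resource(action: str) -> bool:
    """True for actions IAM only ever matches against Resource "*".

    Assumption applied here: every elasticloadbalancing:Describe* action has
    no resource type in the IAM service reference, so scoping it to an ARN
    never matches and the API call is denied.
    """
    service, _, name = action.partition(":")
    return service == "elasticloadbalancing" and name.startswith("Describe")


def find_misscoped_actions(policy: dict[str, Any]) -> list[str]:
    """Return Describe* actions that an Allow statement scopes to specific ARNs."""
    found: list[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if _as_list(stmt.get("Resource", "*")) == ["*"]:
            continue  # already wildcard, nothing to fix
        for action in _as_list(stmt["Action"]):
            if requires_wildcard_resource(action) and action not in found:
                found.append(action)
    return found


def split_policy(policy: dict[str, Any]) -> dict[str, Any]:
    """Move Describe* actions into their own Resource "*" statement.

    Mutating actions keep their original ARN scoping (and any Condition),
    so least privilege is preserved where IAM actually honours it.
    """
    statements: list[dict[str, Any]] = []
    describe_actions: list[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or _as_list(stmt.get("Resource", "*")) == ["*"]:
            statements.append(stmt)
            continue
        keep: list[str] = []
        for action in _as_list(stmt["Action"]):
            if requires_wildcard_resource(action):
                if action not in describe_actions:
                    describe_actions.append(action)
            elif action not in keep:
                keep.append(action)
        if keep:
            statements.append({**stmt, "Action": keep})
    if describe_actions:
        statements.append({"Effect": "Allow", "Action": describe_actions, "Resource": "*"})
    return {"Version": policy["Version"], "Statement": statements}


if __name__ == "__main__":
    print("Mis-scoped Describe* actions:", find_misscoped_actions(ORIGINAL_POLICY))
    print(json.dumps(split_policy(ORIGINAL_POLICY), indent=2))
```

Running it lists the seven Describe* actions that the original single statement can never grant, then prints a two-statement policy: the original ARN-scoped statement minus the Describe* actions, plus a Describe*-only statement on Resource "*". Note that the wildcard statement drops any Condition block from the source statement; add one back deliberately if, for example, you want to pin Describe* calls to a region via aws:RequestedRegion.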