Tags: amazon-web-services, amazon-iam, amazon-workspaces

AWS Workspaces - Unable to provide Console Access to IAM user


I want an IAM user to have read/list access and start/stop access to AWS WorkSpaces. Hence I've created a simple IAM policy which grants all read and list actions. (Screenshot: WorkSpaces policy)

But this was not enough. I was shown the error message "An Error Has Occurred. There was an error retrieving information about your WorkSpaces." Upon investigating CloudTrail, I found that the user needs read/list permissions to KMS and AWS Directory Service. Hence I granted those too, but when I log in again I still see the same error. I even tried attaching EC2 full access, but still the same error. Is this a potential bug? The same issue has been discussed in the AWS forum too, but there is no resolution there: https://forums.aws.amazon.com/thread.jspa?threadID=236408

KMS policy and Directory Service policy below.

DS: (Screenshot: Directory Service policy)

KMS: (Screenshot: KMS policy)

Error: (Screenshot: error message)


Solution

  • I've found the solution for this. AWS has a bizarre limitation where, if you want to access WorkSpaces via the console, you need to grant full access (workspaces:*) only. Below is a screenshot from the document that states this. Highly disappointed with AWS regarding this limitation. https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html (Screenshot: documentation excerpt)
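To make the answer's finding checkable before attaching a policy, here is an added example (not from the asker, the answerer or AWS) that inspects an IAM policy document and reports whether any Allow statement grants the unrestricted `workspaces:*` the console requires, with explicit Deny statements taken into account. The two sample policies are constructed here and their action names (`workspaces:Describe*`, `ds:Describe*`, `kms:List*`, ...) are assumed for illustration.

```python
import fnmatch

# Constructed sample policies (assumed action names, not from the question).
SCOPED_POLICY = {  # read/list plus start/stop: the approach that failed in the console
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["workspaces:Describe*", "workspaces:List*",
                    "workspaces:StartWorkspaces", "workspaces:StopWorkspaces"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["ds:Describe*", "kms:List*"], "Resource": "*"},
    ],
}
CONSOLE_POLICY = {  # full WorkSpaces access, as the answer says the console needs
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "workspaces:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ds:Describe*", "kms:List*"], "Resource": "*"},
    ],
}

def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single value or a list.
    return value if isinstance(value, list) else [value]

def _service_matches(pattern, service):
    # IAM action patterns are case-insensitive and use '*' / '?' wildcards;
    # the part before ':' is the service prefix ('*' alone covers every service).
    return fnmatch.fnmatchcase(service, pattern.partition(":")[0].lower())

def _covers_every_action(pattern, service):
    # Only '*' or '<service>:*' covers the whole service; a partial pattern
    # such as 'workspaces:Describe*' does not.
    if pattern == "*":
        return True
    svc, sep, act = pattern.partition(":")
    return sep == ":" and act == "*" and fnmatch.fnmatchcase(service, svc.lower())

def grants_full_service_access(policy, service="workspaces"):
    """True if an Allow statement grants <service>:* and no Deny statement can
    reach the service.  Resource and Condition elements are ignored here."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Deny":
            if any(_service_matches(a, service) for a in actions):
                return False  # an explicit Deny always wins in IAM evaluation
        elif stmt.get("Effect") == "Allow":
            allowed = allowed or any(_covers_every_action(a, service) for a in actions)
    return allowed
```

Run against the asker's scoped policy the check returns False, against the `workspaces:*` policy it returns True, which matches the behaviour the answer describes.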