I have a user group Administrators with the following policy attached:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            }
        ]
    }

My currently logged-in CLI user is part of this group; I've verified by running aws iam get-user and comparing the ARN with what I have in the web console.
Somehow there are a lot of CLI commands for which I get denied, e.g.

    $ aws iam list-groups
    An error occurred (AccessDenied) when calling the ListGroups operation: User: arn:aws:iam::675072143536:user/carl is not authorized to perform: iam:ListGroups on resource: arn:aws:iam::675072143536:group/ with an explicit deny

How can I perform this command?
You either have an attached policy, SCP or Permission Boundary in place that explicitly denies that operation. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html.
You may be able to inspect the policy, boundary or SCP in the IAM console or need to ask someone with more permissions / control over your account for more details as to why they are there and how to possibly get permission to go around them. Right now you are not allowed to perform that command.
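
The evaluation order the answer refers to, as an added example that is not part of the original answer: a simplified offline model of same-account IAM evaluation showing why `"Action": "*"` in the group policy does not override a Deny elsewhere. The SCPs, the boundary and the function names are constructed for illustration; `Condition`, `NotAction`, resource-based and session policies are not modelled, and the SCP list stands for a single level of the organization.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants(policy, effect, action, resource):
    # Simplified matching: '*'/'?' wildcards only; NotAction, NotResource
    # and Condition are not modelled.
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != effect:
            continue
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])) \
           and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False

def evaluate(action, resource, identity, boundary=None, scps=None):
    """Return (decision, deciding layer) for a same-account IAM user request."""
    layers = [("identity policy", list(identity))]
    if boundary is not None:
        layers.append(("permissions boundary", [boundary]))
    if scps is not None:
        layers.append(("SCP", list(scps)))
    # Step 1: an explicit Deny in any layer ends evaluation.
    for name, policies in layers:
        if any(_grants(p, "Deny", action, resource) for p in policies):
            return ("explicit deny", name)
    # Step 2: every layer that is present must also contain an Allow.
    for name, policies in reversed(layers):
        if not any(_grants(p, "Allow", action, resource) for p in policies):
            return ("implicit deny", name)
    return ("allow", "identity policy")

# Policy from the question (attached to the Administrators group).
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed SCPs and boundary for illustration; not taken from the page.
FULL_ACCESS_SCP = ADMIN
DENY_SCP = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "iam:List*", "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
GROUPS = "arn:aws:iam::675072143536:group/"

if __name__ == "__main__":
    print(evaluate("iam:ListGroups", GROUPS, [ADMIN]))
    print(evaluate("iam:ListGroups", GROUPS, [ADMIN], scps=[FULL_ACCESS_SCP, DENY_SCP]))
    print(evaluate("iam:ListGroups", GROUPS, [ADMIN], boundary=S3_ONLY_BOUNDARY))
```

Only the second case yields "explicit deny", the wording in the error message from the question; a boundary or SCP that merely fails to allow the action produces an implicit deny instead.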