After installing the AWS Application Discovery Agent on an Ubuntu Server, the agent daemon is failing with the following log messages:
2022-08-20 03:23:54 info [0xf71a4d88] Attempting registration for on premises agent with agentId: and agentVersion: 2.0.2042.0
2022-08-20 03:23:54 info [0xf71a4d88] Arsenal endpoint is "https://arsenal-discovery.us-east-1.amazonaws.com".
2022-08-20 03:23:55 info [0xf71a4d88] Registration failed.; User: arn:aws:iam::000000000000:user/Migrator is not authorized to perform: arsenal:RegisterOnPremisesAgent on resource: * because no identity-based policy allows the arsenal:RegisterOnPremisesAgent action( AccessDeniedException = 15 ) at ArsenalController.cpp; UnpackRegisterResult; line 321
2022-08-20 03:23:55 info [0xf71a4d88] Failure communicating with Arsenal.
2022-08-20 03:23:55 info [0xf71a4d88] Caught an exception of type 13CAWSException; what= Registration failed.; User: arn:aws:iam::000000000000:user/Migrator is not authorized to perform: arsenal:RegisterOnPremisesAgent on resource: * because no identity-based policy allows the arsenal:RegisterOnPremisesAgent action( AccessDeniedException = 15 ) at ArsenalController.cpp; UnpackRegisterResult; line 321; caught at ArsenalController.cpp; CallArsenal; line 885
Such logs are kept at /var/log/aws/discovery/ within the Ubuntu Server on which the agent is installed. I'll provide details and steps on how I'm getting into this error.
Following AWS Application Discovery documentation, I've attached these managed policies to my migration role:
Here are the commands I'm using:
aws iam create-user --user-name 'Migrator'
aws iam create-role --role-name 'MigrationRole' --assume-role-policy-document 'file://trust-policy.json'
aws iam attach-role-policy --policy-arn 'arn:aws:iam::aws:policy/AWSApplicationDiscoveryServiceFullAccess' --role-name 'MigrationRole'
aws iam attach-role-policy --policy-arn 'arn:aws:iam::aws:policy/AWSApplicationDiscoveryAgentAccess' --role-name 'MigrationRole'
The trust relationship document trust-policy.json is this one:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:user/Migrator"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The documentation is clear that the managed policy AWSApplicationDiscoveryAgentAccess adds permissions for Arsenal agent registration:
This policy also grants the user access to Arsenal. Arsenal is an agent service that is managed and hosted by AWS. Arsenal forwards data to Application Discovery Service in the cloud.
Indeed, we can confirm by looking at the policies attached to my role that the permission arsenal:RegisterOnPremisesAgent is allowed:
I'm installing the agent using these commands, also referenced from the documentation:
sudo apt update
sudo apt upgrade -y
curl -o ./aws-discovery-agent.tar.gz https://s3-us-west-2.amazonaws.com/aws-discovery-agent.us-west-2/linux/latest/aws-discovery-agent.tar.gz
tar -xzf aws-discovery-agent.tar.gz
sudo bash install -r us-east-1 -k ABCDEFABCDEFABCDEFAB -s ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCD
As a sanity check I've added AdministratorAccess to the role, but the problem persists.
Ok, just figured this one out.
I was doing an incorrect attachment to the role, which was not delegating the permissions to the user identity.
I switched to a group attachment and the agent started to work immediately:
aws iam create-group --group-name MigrationGroup
aws iam add-user-to-group --user-name Migrator --group-name MigrationGroup
aws iam attach-group-policy --policy-arn 'arn:aws:iam::aws:policy/AWSApplicationDiscoveryServiceFullAccess' --group-name 'MigrationGroup'
aws iam attach-group-policy --policy-arn 'arn:aws:iam::aws:policy/AWSApplicationDiscoveryAgentAccess' --group-name 'MigrationGroup'
And the permissions are now visible in the user registry:
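Why the role attachment never helped, shown as an added example that is not part of the question or answer: IAM evaluates only the identity-based policies of the principal that actually signed the request. The agent is given the Migrator user's long-term access keys, so policies on MigrationRole would only count for a session obtained through sts:AssumeRole, which the agent never performs. The policy body below is a constructed stand-in reduced to the one action in the log, not the real managed policy document.

```python
# Constructed model of which identity-based policies IAM evaluates for a caller
# (not AWS code). Deny statements, conditions and resource policies are omitted.
from dataclasses import dataclass, field

ACTION = "arsenal:RegisterOnPremisesAgent"
# Stand-in for AWSApplicationDiscoveryAgentAccess, reduced to the one action at issue.
AGENT_ACCESS = {"Statement": [{"Effect": "Allow", "Action": [ACTION], "Resource": "*"}]}


@dataclass
class Account:
    users: dict = field(default_factory=dict)        # user -> [policy docs]
    groups: dict = field(default_factory=dict)       # group -> [policy docs]
    memberships: dict = field(default_factory=dict)  # user -> {group names}
    roles: dict = field(default_factory=dict)        # role -> [policy docs]

def policies_for_caller(acct: Account, caller: str) -> list:
    """Policies IAM evaluates for the principal that signed the request.

    "user/<Name>": long-term access keys (what the installer's -k/-s give the agent).
    "assumed-role/<Role>/<Session>": sts:AssumeRole credentials. A role's attached
    policies only ever apply to the second form.
    """
    kind, _, rest = caller.partition("/")
    if kind == "user":
        docs = list(acct.users.get(rest, []))
        for group in acct.memberships.get(rest, ()):
            docs.extend(acct.groups.get(group, []))
        return docs
    if kind == "assumed-role":
        return list(acct.roles.get(rest.split("/")[0], []))
    raise ValueError(f"unsupported principal type: {caller}")

def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching, including trailing wildcards such as "arsenal:*"."""
    return pattern in ("*", action) or (pattern.endswith("*") and action.startswith(pattern[:-1]))

def is_allowed(acct: Account, caller: str, action: str) -> bool:
    """Default deny: True only if an evaluated Allow statement matches the action."""
    for doc in policies_for_caller(acct, caller):
        for st in doc["Statement"]:
            patterns = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if st["Effect"] == "Allow" and any(action_matches(p, action) for p in patterns):
                return True
    return False

# The question's setup: policies on MigrationRole, which the agent never assumes.
QUESTION = Account(users={"Migrator": []}, roles={"MigrationRole": [AGENT_ACCESS]})
# The answer's setup: policies on MigrationGroup, with Migrator as a member.
ANSWER = Account(users={"Migrator": []}, groups={"MigrationGroup": [AGENT_ACCESS]},
                 memberships={"Migrator": {"MigrationGroup"}})
```

The live counterpart of `is_allowed` is `aws iam simulate-principal-policy --policy-source-arn <user ARN> --action-names arsenal:RegisterOnPremisesAgent`, which evaluates the user's effective policies the same way the agent's keys are evaluated.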