I have read-only access to Amazon CloudWatch. I have aws_access_key_id and aws_secret_access_key in terms of credentials. I tried running the code below, but it is throwing an AccessDenied error. What did I do wrong? Also, what services or methods can I explore with read-only access to Amazon CloudWatch?
Code:
import boto3
cloudwatch = boto3.client('cloudwatch')
# List alarms of insufficient data through the pagination interface
paginator = cloudwatch.get_paginator('describe_alarms')
for response in paginator.paginate(StateValue='INSUFFICIENT_DATA'):
    print(response['MetricAlarms'])
Error:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the DescribeAlarms operation: User: arn:aws:iam::996323886532:user/XxxXx is not authorized to perform: cloudwatch:DescribeAlarms on resource: arn:aws:cloudwatch:eu-central-1:996323886532:alarm:* because no identity-based policy allows the cloudwatch:DescribeAlarms action
The error message is self-explanatory. You don't have the cloudwatch:DescribeAlarms permission in your attached policy.
Regarding what actions you can perform, if you are using the managed CloudWatch read-only policy, check the respective permissions listed in this link.
For example, the AWS CloudWatch read-only policy has "cloudwatch:List*", so you can perform ListMetrics or ListMetricStreams.
If you are using a custom policy or role, you can check the permissions in the IAM section of your account.
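Added example (not part of the original question or answer): a simplified offline check of which actions an identity-based policy allows, using the wildcard rule the answer describes. The policy, the error text, the placeholder account ID and the function names are constructed for illustration; the check ignores Resource, Condition, NotAction, permission boundaries and SCPs.

```python
import fnmatch
import re

# Constructed sample policy (NOT the real AWS managed policy): allows the
# List* actions the answer mentions and explicitly denies one of them.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudwatch:List*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["cloudwatch:ListDashboards"], "Resource": "*"},
    ],
}

# Constructed error text in the format shown in the question (placeholder IDs).
SAMPLE_ERROR = (
    "User: arn:aws:iam::123456789012:user/example-user is not authorized to "
    "perform: cloudwatch:DescribeAlarms on resource: "
    "arn:aws:cloudwatch:eu-central-1:123456789012:alarm:* because no "
    "identity-based policy allows the cloudwatch:DescribeAlarms action"
)

DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)"
)

def parse_access_denied(message):
    """Extract principal, action and resource from an AccessDenied message."""
    match = DENIED_RE.search(message)
    return match.groupdict() if match else None

def decision(policy, action):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one action."""
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    stmts = policy["Statement"]
    if isinstance(stmts, dict):
        stmts = [stmts]
    result = "implicit_deny"  # nothing is allowed unless a statement says so
    for stmt in stmts:
        actions = stmt.get("Action", [])
        patterns = [actions] if isinstance(actions, str) else actions
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # an explicit Deny always wins
            result = "allow"
    return result

if __name__ == "__main__":
    denied = parse_access_denied(SAMPLE_ERROR)
    for name in (denied["action"], "cloudwatch:ListMetrics", "cloudwatch:ListDashboards"):
        print(name, "->", decision(SAMPLE_POLICY, name))
```

To confirm the result against a live account, compare it with the policies actually attached to the user in the IAM console.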