aws-samples / data-perimeter-helper

Data perimeter helper is a tool that helps you design and anticipate the impact of your data perimeter controls
MIT No Attribution

Permission Error #8

Open sikongwuying opened 1 month ago

sikongwuying commented 1 month ago

I am certain that my provided user has the account:ListRegions permission and the user is in the master account, but when executing `dph --list-account all --export-format HTML Excel JSON -lq s3_external_access_org_boundary`, there is always an error saying that I do not have permission: is not authorized to perform: account:ListRegions (The management account can only be managed using the standalone context from the management account)

Similar ones include findings_iam_aa_external_access_org_boundary and findings_sh_external_access_org_boundary.

Other requests did not encounter similar errors.

ach-mk commented 1 month ago

Hello @sikongwuying ,

Thanks for reporting this issue. I have been able to reproduce this issue on my end.

The tool uses the API ListRegions to list the available Regions and then discover existing AWS IAM Access Analyzer external access analyzers. This explains why you are observing this issue for queries that are tied to IAM Access Analyzer findings.

The root cause is that the API ListRegions, when called from the management account, should not take the parameter AccountId. The documentation states: "The management account can't specify its own AccountId." I just updated the code to handle situations where your CLI profile belongs to the management account.

However, the best practice is to use the management account only for tasks that require the management account. I would recommend using the tool from a security tooling account.

Please pull the latest release and try your queries again; let us know if you have any additional questions.
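The call shape the maintainer describes, as an added example that is not part of the issue thread or of data-perimeter-helper's own code: account:ListRegions takes an optional AccountId, which must be omitted when the caller is reading its own account (the management account in particular cannot pass its own id), and is only supplied when a management or delegated-administrator account reads a member account. The `FakeAccountClient`, the account ids and the Region pages are constructed for the example; with real credentials you would pass `boto3.client("account")` and the `Account` field from `sts get-caller-identity` instead.

```python
"""Added example: build an account:ListRegions call that works from both a
delegated security tooling account and the organization's management account.
Not code from data-perimeter-helper; the fake client below is constructed."""

# Region opt statuses worth scanning for Access Analyzer analyzers.
ACTIVE_STATUSES = {"ENABLED", "ENABLED_BY_DEFAULT"}


def list_regions_kwargs(caller_account: str, target_account: str) -> dict:
    """Parameters for account:ListRegions.

    AccountId is only valid when reading another account in the organization.
    The management account cannot pass its own AccountId; it has to call in the
    standalone context, i.e. with no AccountId at all. Sending
    caller == target == management account is the shape that produced the
    AccessDenied reported in this issue.
    """
    if target_account == caller_account:
        return {}
    return {"AccountId": target_account}


def enabled_regions(account_client, caller_account: str, target_account: str) -> list[str]:
    """Return enabled Region names for target_account, following NextToken
    pagination. account_client is anything exposing boto3's list_regions(**kwargs)."""
    base = list_regions_kwargs(caller_account, target_account)
    regions: list[str] = []
    token = None
    while True:
        kwargs = dict(base)
        if token:
            kwargs["NextToken"] = token
        resp = account_client.list_regions(**kwargs)
        regions.extend(
            r["RegionName"]
            for r in resp.get("Regions", [])
            if r.get("RegionOptStatus") in ACTIVE_STATUSES
        )
        token = resp.get("NextToken")
        if not token:
            return sorted(regions)


class FakeAccountClient:
    """Constructed stand-in for boto3's 'account' client (no AWS call is made).
    It mirrors the documented rule the issue ran into: a call that names the
    management account's own AccountId is rejected."""

    def __init__(self, management_account: str, pages: list[list[dict]]):
        self.management_account = management_account
        self.pages = pages  # one list of Region dicts per response page

    def list_regions(self, **kwargs):
        if kwargs.get("AccountId") == self.management_account:
            raise PermissionError(
                "is not authorized to perform: account:ListRegions "
                "(The management account can only be managed using the "
                "standalone context from the management account)"
            )
        page = int(kwargs.get("NextToken", "0"))
        resp = {"Regions": self.pages[page]}
        if page + 1 < len(self.pages):
            resp["NextToken"] = str(page + 1)
        return resp


def demo() -> dict:
    """Run the pre-fix and the corrected call shapes against the fake client."""
    mgmt, member = "111111111111", "222222222222"  # constructed account ids
    client = FakeAccountClient(mgmt, [
        [{"RegionName": "us-east-1", "RegionOptStatus": "ENABLED_BY_DEFAULT"},
         {"RegionName": "af-south-1", "RegionOptStatus": "DISABLED"}],
        [{"RegionName": "eu-west-1", "RegionOptStatus": "ENABLED"}],
    ])
    results = {}
    try:  # pre-fix behaviour: AccountId set to the management account's own id
        client.list_regions(AccountId=mgmt)
        results["buggy"] = "accepted"
    except PermissionError as exc:
        results["buggy"] = "denied: " + str(exc).split(" (")[0]
    # corrected: standalone context for the caller's own account ...
    results["management_standalone"] = enabled_regions(client, mgmt, mgmt)
    # ... and AccountId only when reading a member account
    results["management_to_member"] = enabled_regions(client, mgmt, member)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the denied pre-fix call beside the two working shapes; the DISABLED Region is filtered out and both pages are merged, which is what a per-Region analyzer discovery loop needs before it can call IAM Access Analyzer in each enabled Region.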