Closed marknigh closed 1 year ago
My apologies, my input was incorrectly formatted. The variable that I was passing into the Config key was an array, and I wrapped it in an array, thus an incorrect format. I didn't think I would receive a 403 but rather an incorrect request body error. I am closing this out.
Describe the bug
I'm developing a vue3 SPA with vite and quasar. I'm using aws-amplify with cognito.
I am receiving the following error on UpdateHoursOfOperationCommand.
403: User: arn:aws:sts::844527799542:assumed-role/amplify-mypersonalamazonconn-dev-150417-authRole/CognitoIdentityCredentials is not authorized to perform: connect: on resource: with an explicit deny
With the same credentials, both ListHoursOfOperationsCommand and DescribeHoursofOperationsCommand issues correctly.
The amplify-mypersonalamazonconn-dev-150417-authRole IAM role has the AmazonConnect_FullAccess policy assigned.
SDK version number
@aws-sdk/client-connect@^3.370.0
Which JavaScript Runtime is this issue in?
Browser
Details of the browser/Node.js/ReactNative version
Browsers: Chrome: 114.0.5735.248 Edge: Spartan (44.19041.1266.0), Chromium (115.0.1901.183) Internet Explorer: 11.0.19041.1566
Reproduction Steps
Code Snippet (Vue3 SPA):
```js
import { ConnectClient, UpdateHoursOfOperationCommand } from '@aws-sdk/client-connect'

// The object holding the temporary credentials is elided in the original post.
const credentials = {
  accessKeyId: .accessKeyId,
  secretAccessKey: .secretAccessKey,
  sessionToken: *.sessionToken
}
const client = new ConnectClient({ region: 'us-east-1', credentials })

const input = {
  InstanceId: instanceId,
  HoursOfOperationId: hoursOfOperation.value.HoursOfOperationId,
  // Config is wrapped in an extra array here (the cause named in the closing comment).
  Config: [hoursOfOperation.value.Config]
}
const command = new UpdateHoursOfOperationCommand(input)

try {
  const response = await client.send(command)
  console.log(response)
} catch (error) {
  console.log('Error saving Hours Of Operation Data: ', error)
}
```
Observed Behavior
403: User: arn:aws:sts::844527799542:assumed-role/amplify-mypersonalamazonconn-dev-150417-authRole/CognitoIdentityCredentials is not authorized to perform: connect: on resource: with an explicit deny
Expected Behavior
Since the IAM role has AmazonConnect_FullAccess Policy, I expected that I can update the Hours Of Operation within Connect.
Here is the JSON of the policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "connect:",
        "ds:CreateAlias",
        "ds:AuthorizeApplication",
        "ds:CreateIdentityPoolDirectory",
        "ds:DeleteDirectory",
        "ds:DescribeDirectories",
        "ds:UnauthorizeApplication",
        "firehose:DescribeDeliveryStream",
        "firehose:ListDeliveryStreams",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lex:GetBots",
        "lex:ListBots",
        "lex:ListBotAliases",
        "logs:CreateLogGroup",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "lambda:ListFunctions",
        "ds:CheckAlias",
        "profile:ListAccountIntegrations",
        "profile:GetDomain",
        "profile:ListDomains",
        "profile:GetProfileObjectType",
        "profile:ListProfileObjectTypeTemplates"
      ],
      "Resource": ""
    },
    {
      "Effect": "Allow",
      "Action": [
        "profile:AddProfileKey",
        "profile:CreateDomain",
        "profile:CreateProfile",
        "profile:DeleteDomain",
        "profile:DeleteIntegration",
        "profile:DeleteProfile",
        "profile:DeleteProfileKey",
        "profile:DeleteProfileObject",
        "profile:DeleteProfileObjectType",
        "profile:GetIntegration",
        "profile:GetMatches",
        "profile:GetProfileObjectType",
        "profile:ListIntegrations",
        "profile:ListProfileObjects",
        "profile:ListProfileObjectTypes",
        "profile:ListTagsForResource",
        "profile:MergeProfiles",
        "profile:PutIntegration",
        "profile:PutProfileObject",
        "profile:PutProfileObjectType",
        "profile:SearchProfiles",
        "profile:TagResource",
        "profile:UntagResource",
        "profile:UpdateDomain",
        "profile:UpdateProfile"
      ],
      "Resource": "arn:aws:profile:::domains/amazon-connect-"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::amazon-connect-"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicequotas:GetServiceQuota"
      ],
      "Resource": "arn:aws:servicequotas:::connect/"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "connect.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:DeleteServiceLinkedRole",
      "Resource": "arn:aws:iam:::role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam:::role/aws-service-role/profile.amazonaws.com/",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "profile.amazonaws.com"
        }
      }
    }
  ]
}
```
Possible Solution
No response
Additional Information/Context
No response
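
An added example, not part of the original issue or the SDK: a pre-flight check for the `Config` value passed to `UpdateHoursOfOperationCommand`, which catches the array-wrapped-in-an-array shape named in the closing comment before a request is sent and comes back as a 403. The function names and sample entries are hypothetical; the entry shape (`Day`, plus `StartTime` and `EndTime` with `Hours` and `Minutes`) is assumed from the Amazon Connect API's HoursOfOperationConfig type.

```javascript
// Added example: validate the Config list client-side before calling Connect.
const DAYS = new Set(['SUNDAY', 'MONDAY', 'TUESDAY', 'WEDNESDAY', 'THURSDAY', 'FRIDAY', 'SATURDAY']);

// Checks one { Hours, Minutes } time slice and appends any problems to errors.
function checkTime(slice, path, errors) {
  if (slice === null || typeof slice !== 'object' || Array.isArray(slice)) {
    errors.push(`${path}: expected { Hours, Minutes }`);
    return;
  }
  if (!Number.isInteger(slice.Hours) || slice.Hours < 0 || slice.Hours > 23) {
    errors.push(`${path}.Hours: expected integer 0-23`);
  }
  if (!Number.isInteger(slice.Minutes) || slice.Minutes < 0 || slice.Minutes > 59) {
    errors.push(`${path}.Minutes: expected integer 0-59`);
  }
}

// Returns a list of problems; an empty list means the shape is acceptable.
function validateHoursConfig(config) {
  if (!Array.isArray(config)) return ['Config: expected an array of entries'];
  const errors = [];
  config.forEach((entry, i) => {
    const path = `Config[${i}]`;
    if (Array.isArray(entry)) {
      errors.push(`${path}: nested array, Config was wrapped in an extra [ ]`);
      return;
    }
    if (entry === null || typeof entry !== 'object') {
      errors.push(`${path}: expected an object`);
      return;
    }
    if (!DAYS.has(entry.Day)) errors.push(`${path}.Day: unknown day ${JSON.stringify(entry.Day)}`);
    checkTime(entry.StartTime, `${path}.StartTime`, errors);
    checkTime(entry.EndTime, `${path}.EndTime`, errors);
  });
  return errors;
}

// Constructed sample data (not taken from the issue).
const sampleConfig = [
  { Day: 'MONDAY', StartTime: { Hours: 9, Minutes: 0 }, EndTime: { Hours: 17, Minutes: 30 } },
  { Day: 'TUESDAY', StartTime: { Hours: 9, Minutes: 0 }, EndTime: { Hours: 17, Minutes: 30 } },
];

console.log(validateHoursConfig(sampleConfig));   // flat list of entries
console.log(validateHoursConfig([sampleConfig])); // the shape sent in the issue
```

Running the check before `client.send(command)` surfaces a request-shape problem as such, so a 403 on a malformed body is not mistaken for a missing IAM permission.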