aws / aws-sdk-js-v3

Modularized AWS SDK for JavaScript.
Apache License 2.0

403 on UpdateHoursOfOperationCommand #5020

Closed marknigh closed 1 year ago

marknigh commented 1 year ago

Describe the bug

I'm developing a Vue 3 SPA with Vite and Quasar. I am using aws-amplify with Cognito.

I am receiving the following error on UpdateHoursOfOperationCommand.

403: User: arn:aws:sts::844527799542:assumed-role/amplify-mypersonalamazonconn-dev-150417-authRole/CognitoIdentityCredentials is not authorized to perform: connect: on resource: with an explicit deny

With the same credentials, both ListHoursOfOperationsCommand and DescribeHoursofOperationsCommand are issued correctly.

The amplify-mypersonalamazonconn-dev-150417-authRole IAM role has the AmazonConnect_FullAccess policy assigned.

SDK version number

@aws-sdk/client-connect@^3.370.0

Which JavaScript Runtime is this issue in?

Browser

Details of the browser/Node.js/ReactNative version

Browsers: Chrome: 114.0.5735.248 Edge: Spartan (44.19041.1266.0), Chromium (115.0.1901.183) Internet Explorer: 11.0.19041.1566

Reproduction Steps

Code Snippet (Vue3 SPA):

```js
import { ConnectClient, UpdateHoursOfOperationCommand } from '@aws-sdk/client-connect'

// Session credentials; the object they are read from is elided in the post
const credentials = {
  accessKeyId: .accessKeyId,
  secretAccessKey: .secretAccessKey,
  sessionToken: *.sessionToken
}

const client = new ConnectClient({ region: 'us-east-1', credentials })

const input = {
  InstanceId: instanceId,
  HoursOfOperationId: hoursOfOperation.value.HoursOfOperationId,
  // hoursOfOperation.value.Config is wrapped in a new array literal here
  Config: [hoursOfOperation.value.Config]
}

const command = new UpdateHoursOfOperationCommand(input)

try {
  const response = await client.send(command)
  console.log(response)
} catch (error) {
  console.log('Error saving Hours Of Operation Data: ', error)
}
```

Observed Behavior

403: User: arn:aws:sts::844527799542:assumed-role/amplify-mypersonalamazonconn-dev-150417-authRole/CognitoIdentityCredentials is not authorized to perform: connect: on resource: with an explicit deny

Expected Behavior

Since the IAM role has AmazonConnect_FullAccess Policy, I expected that I can update the Hours Of Operation within Connect.

Here is the JSON of the policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "connect:",
        "ds:CreateAlias",
        "ds:AuthorizeApplication",
        "ds:CreateIdentityPoolDirectory",
        "ds:DeleteDirectory",
        "ds:DescribeDirectories",
        "ds:UnauthorizeApplication",
        "firehose:DescribeDeliveryStream",
        "firehose:ListDeliveryStreams",
        "kinesis:DescribeStream",
        "kinesis:ListStreams",
        "kms:DescribeKey",
        "kms:ListAliases",
        "lex:GetBots",
        "lex:ListBots",
        "lex:ListBotAliases",
        "logs:CreateLogGroup",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "lambda:ListFunctions",
        "ds:CheckAlias",
        "profile:ListAccountIntegrations",
        "profile:GetDomain",
        "profile:ListDomains",
        "profile:GetProfileObjectType",
        "profile:ListProfileObjectTypeTemplates"
      ],
      "Resource": ""
    },
    {
      "Effect": "Allow",
      "Action": [
        "profile:AddProfileKey",
        "profile:CreateDomain",
        "profile:CreateProfile",
        "profile:DeleteDomain",
        "profile:DeleteIntegration",
        "profile:DeleteProfile",
        "profile:DeleteProfileKey",
        "profile:DeleteProfileObject",
        "profile:DeleteProfileObjectType",
        "profile:GetIntegration",
        "profile:GetMatches",
        "profile:GetProfileObjectType",
        "profile:ListIntegrations",
        "profile:ListProfileObjects",
        "profile:ListProfileObjectTypes",
        "profile:ListTagsForResource",
        "profile:MergeProfiles",
        "profile:PutIntegration",
        "profile:PutProfileObject",
        "profile:PutProfileObjectType",
        "profile:SearchProfiles",
        "profile:TagResource",
        "profile:UntagResource",
        "profile:UpdateDomain",
        "profile:UpdateProfile"
      ],
      "Resource": "arn:aws:profile:::domains/amazon-connect-"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::amazon-connect-"
    },
    {
      "Effect": "Allow",
      "Action": [
        "servicequotas:GetServiceQuota"
      ],
      "Resource": "arn:aws:servicequotas:::connect/"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "connect.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:DeleteServiceLinkedRole",
      "Resource": "arn:aws:iam:::role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam:::role/aws-service-role/profile.amazonaws.com/",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "profile.amazonaws.com"
        }
      }
    }
  ]
}
```

marknigh commented 1 year ago

My apologies, my input was incorrectly formatted. The variable that I was passing into the Config key was an array and I wrapped it in an array, thus an incorrect format. I didn't think I would receive a 403 but rather an incorrect request body error. I am closing this out.
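
The resolution above suggests checking the request shape locally before treating a 403 as an IAM problem. The following is an added example, not code from the issue or from the SDK: the function names are hypothetical, the sample data is constructed, and the field names and ranges (Day, StartTime/EndTime with Hours 0-23 and Minutes 0-59) are taken from the Amazon Connect HoursOfOperationConfig shape.

```javascript
const DAYS = new Set([
  'SUNDAY', 'MONDAY', 'TUESDAY', 'WEDNESDAY', 'THURSDAY', 'FRIDAY', 'SATURDAY',
]);

// A time slice is an object with integer Hours (0-23) and Minutes (0-59).
function isTimeSlice(t) {
  return t !== null && typeof t === 'object' &&
    Number.isInteger(t.Hours) && t.Hours >= 0 && t.Hours <= 23 &&
    Number.isInteger(t.Minutes) && t.Minutes >= 0 && t.Minutes <= 59;
}

// Returns a list of problems; an empty list means the shape is acceptable.
function validateHoursConfig(config) {
  if (!Array.isArray(config)) return ['Config must be an array'];
  const problems = [];
  config.forEach((entry, i) => {
    if (Array.isArray(entry)) {
      // The case from this thread: an array wrapped in a second array.
      problems.push(`Config[${i}] is an array; Config was wrapped twice`);
      return;
    }
    if (entry === null || typeof entry !== 'object') {
      problems.push(`Config[${i}] is not an object`);
      return;
    }
    if (!DAYS.has(entry.Day)) problems.push(`Config[${i}].Day is invalid`);
    if (!isTimeSlice(entry.StartTime)) problems.push(`Config[${i}].StartTime is invalid`);
    if (!isTimeSlice(entry.EndTime)) problems.push(`Config[${i}].EndTime is invalid`);
  });
  return problems;
}

// Builds the command input, throwing before any request is signed or sent.
function buildUpdateInput(instanceId, hoursOfOperationId, config) {
  const problems = validateHoursConfig(config);
  if (problems.length > 0) {
    throw new TypeError(`Invalid UpdateHoursOfOperation input: ${problems.join('; ')}`);
  }
  return { InstanceId: instanceId, HoursOfOperationId: hoursOfOperationId, Config: config };
}

// Constructed sample data in the shape the API expects.
const sampleConfig = [
  { Day: 'MONDAY', StartTime: { Hours: 9, Minutes: 0 }, EndTime: { Hours: 17, Minutes: 0 } },
];
```

Passing `[sampleConfig]` to `buildUpdateInput` fails locally with a TypeError, so the mistake is visible before the request reaches the service.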
