morph027 / aws-ssm-juggle

Interact with ECS tasks and EC2 instances through SSM
MIT License

Permission denied when using AWS SSO login #15

Closed gugaiz closed 3 weeks ago

gugaiz commented 1 month ago

Hi, I am trying to list the clusters using AWS SSO login but I am getting

fetching available clusters...
An error occurred (AccessDeniedException) when calling the ListClusters operation: User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/AWSReservedSSO_AWSAdministratorAccess_e3234234ad22342342/user is not authorized to perform: ecs:ListClusters on resource: * with an explicit deny in a service control policy

As you can see, my user has administrator access.

morph027 commented 1 month ago

Hm, "with an explicit deny in a service control policy" sounds like even if you're an admin user, some policy could still deny actions.

gugaiz commented 1 month ago

I guess it is something related to the script itself, because if I use the command:

aws ssm start-session --target ecs:<cluster>_<task_id>_<container_id> --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["80"], "localPortNumber":["8080"]}' --profile aws-staging-profile

it works

morph027 commented 1 month ago

Will try to replicate, just need to setup a SSO provider for my test account.

morph027 commented 1 month ago

Okay, just set up the SAML connection within IAM Identity Center, mapped an SSO user to a permission set w/ administrator access and it just worked for me using the CLI SSO profile. Not sure how I can debug further.


Andrwe commented 4 weeks ago

I tested the setup too and you can reproduce the error message only by creating a service control policy that denies ListClusters[1]. That way even a user with the AWS managed role AdministratorAccess will not be able to list clusters.

1) To check if that is the case, @gugaiz can you please run aws ecs list-clusters and check what is returned by this command?

2) @gugaiz can you also try running ecs-juggle --cluster "cluster-name" (maybe add --profile if needed) and check the result of that command? (It should give you the list of available services within the cluster and allow you to proceed.)

@morph027 we could catch this error when collecting the clusters in [2] and print a more explainable message.

[1]

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "ecs:ListClusters"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

[2] https://github.com/morph027/aws-ssm-juggle/blob/main/aws_ssm_juggle/ecs.py#L183

gugaiz commented 3 weeks ago

Hi, thanks for the feedback

1 - I ran aws ecs list-clusters --profile staging and I listed all my clusters on the staging account

2 - I found the issue... it was trying to list resources in region eu-central-1 by default when the profile was set up to default to region us-east-2. By forcing the region to us-east-2 (with --region us-east-2) it started to work.

Thanks

morph027 commented 3 weeks ago

Glad it works :+1:

@Andrwe Yep, sounds good, will add this. Adding the mandatory region hint too might help prevent similar issues in the future :grin:

morph027 commented 3 weeks ago

Just had a quick peek at the code, there is a generic exception handler for the main CLI in https://github.com/morph027/aws-ssm-juggle/blob/main/aws_ssm_juggle/ecs.py#L326 ....
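The error handling proposed in this thread (catch the AccessDeniedException when collecting clusters and print a message that names the region actually used, plus the SCP hint), written out as an added example. This is not aws-ssm-juggle's own code; the function names explain_access_denied, fetch_clusters and ClusterListingError, the FakeEcsClient stand-in and the sample pages are all constructed here so the block runs offline, and the denial message is the one gugaiz posted above with the tool pointed at eu-central-1. Against a real boto3 ECS client only fetch_clusters(client, profile) is needed; the region is read from client.meta.region_name rather than from a flag so the message reports what the SDK really resolved.

```python
"""Added example (not aws-ssm-juggle's code): list ECS clusters and turn an
AccessDeniedException into a message that names region, profile and caller."""
import re
from typing import Dict, List, Optional

try:
    from botocore.exceptions import ClientError
except ImportError:  # assumption: botocore may be absent; stand-in with the same .response shape
    class ClientError(Exception):  # type: ignore[no-redef]
        def __init__(self, error_response: dict, operation_name: str):
            self.response = error_response
            self.operation_name = operation_name
            err = error_response.get("Error", {})
            super().__init__(f"An error occurred ({err.get('Code')}) when calling the "
                             f"{operation_name} operation: {err.get('Message')}")


class ClusterListingError(RuntimeError):
    """Raised instead of the raw botocore error so the CLI can print a readable explanation."""


# Principal ARN as it appears in IAM/SCP denial messages ("User: arn:aws:sts::...").
_PRINCIPAL_RE = re.compile(r"User: (arn:aws[a-z-]*:sts::[^\s]+)")


def explain_access_denied(error_response: dict, region: str, profile: Optional[str] = None) -> str:
    """Build the diagnostic text for an AccessDeniedException on ecs:ListClusters."""
    err = error_response.get("Error", {})
    message = err.get("Message", "")
    where = f"region {region}" + (f", profile {profile}" if profile else "")
    lines = [f"{err.get('Code', 'AccessDenied')} while listing ECS clusters ({where}):",
             f"  {message}"]
    match = _PRINCIPAL_RE.search(message)
    if match:
        lines.append(f"  caller: {match.group(1)}")
    if "service control policy" in message:
        # An SCP explicit deny wins over any IAM allow, AdministratorAccess included, and SCPs
        # are commonly region-scoped, so the region the tool really used is the first suspect.
        lines.append("  An explicit deny in a service control policy cannot be overridden by an "
                     "IAM policy such as AdministratorAccess. SCPs are often region-scoped: confirm "
                     f"that {region} is the region you meant (pass --region or set it in the profile).")
    cli = f"aws ecs list-clusters --region {region}" + (f" --profile {profile}" if profile else "")
    lines.append(f"  Compare with the CLI: {cli}")
    return "\n".join(lines)


def fetch_clusters(ecs_client, profile: Optional[str] = None) -> List[str]:
    """Return all cluster ARNs, following nextToken pagination.

    ecs_client is a boto3 ECS client (or anything exposing list_clusters() and
    meta.region_name); the region comes from the client so the message reports
    the region that was actually used, not the one the caller assumed."""
    region = ecs_client.meta.region_name
    arns: List[str] = []
    kwargs: Dict[str, str] = {}
    try:
        while True:
            page = ecs_client.list_clusters(**kwargs)
            arns.extend(page.get("clusterArns", []))
            token = page.get("nextToken")
            if not token:
                return arns
            kwargs = {"nextToken": token}
    except ClientError as exc:
        if exc.response.get("Error", {}).get("Code") == "AccessDeniedException":
            raise ClusterListingError(explain_access_denied(exc.response, region, profile)) from exc
        raise  # anything else (throttling, network) keeps the original exception


# --- constructed stand-in for boto3's ECS client so the example runs offline ---
class _Meta:
    def __init__(self, region_name: str):
        self.region_name = region_name


class FakeEcsClient:
    """Replays canned list_clusters pages, or raises the given exception on every call."""
    def __init__(self, region_name: str, pages=None, error: Optional[Exception] = None):
        self.meta = _Meta(region_name)
        self._pages = list(pages or [])
        self._error = error

    def list_clusters(self, **kwargs):
        if self._error is not None:
            raise self._error
        return self._pages.pop(0)


# Constructed sample: the denial message from this issue, tool pointed at eu-central-1.
SCP_DENY_MESSAGE = ("User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/"
                    "AWSReservedSSO_AWSAdministratorAccess_e3234234ad22342342/user is not authorized "
                    "to perform: ecs:ListClusters on resource: * with an explicit deny in a service "
                    "control policy")


def demo_denied(region: str = "eu-central-1", profile: str = "aws-staging-profile") -> str:
    """Reproduce the thread's failure against the fake client and return the explanation."""
    err = ClientError({"Error": {"Code": "AccessDeniedException", "Message": SCP_DENY_MESSAGE}},
                      "ListClusters")
    try:
        fetch_clusters(FakeEcsClient(region, error=err), profile=profile)
    except ClusterListingError as exc:
        return str(exc)
    return "unexpected: listing succeeded"


if __name__ == "__main__":
    print(demo_denied())
```

Only AccessDeniedException is translated; every other ClientError is re-raised unchanged so the generic handler for the main CLI still sees throttling or network failures as what they are.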