External account creation fails with unable to detect the policy and access to services error

External account creation fails with unable to detect the policy and access to services error

0
Created On 09/26/18 19:13 PM - Last Modified 07/19/22 23:12 PM


Symptom


Symptoms

External account creation fails with the following error messages:

"We were able to assume role, but are unable to detect the policy and access to services. Please make sure you have given us iam:ListAttachedRolePolicies access, and read access to the services you would like us to check."

 

Diagnosis

Examine the Evident-Service-Role's policy, and make sure the role can perform following actions:

  1. iam:ListRoles
  2. iam:ListRolePolicies (on Evident-Service-Role)
  3. iam:ListAttachedRolePolicies (on Evident-Service-Role)
  4. iam:GetRolePolicy (on all of Evident-Service-Role's inline policies)
  5. iam:GetPolicy (on all of Evident-Service-Role's inline policies)
  6. iam:GetPolicyVersion (on all of Evident-Service-Role's managed policies)

AWS SecurityAudit contains all of the above permissions.  If your Evident-Service-Role has SecurityAudit role attached, then there must be another role or policy with a statement that is explicitly denying one or more permissions listed above.

Resolution


Modify Evident-Service-Role's policies to allow the actions listed above.  If applicable, remove all roles and policies attached to Evident-Service-Role, except for AWS SecurityAudit role.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3XCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail