External account creation fails with unable to detect the policy and access to services error
Created On 09/26/18 19:13 PM - Last Modified 07/19/22 23:12 PM
Symptom
External account creation fails with the following error messages:
"We were able to assume role, but are unable to detect the policy and access to services. Please make sure you have given us iam:ListAttachedRolePolicies access, and read access to the services you would like us to check."
Diagnosis
Examine the Evident-Service-Role's policies and make sure the role can perform the following actions:
iam:ListRoles
iam:ListRolePolicies (on Evident-Service-Role)
iam:ListAttachedRolePolicies (on Evident-Service-Role)
iam:GetRolePolicy (on all of Evident-Service-Role's inline policies)
iam:GetPolicy (on all of Evident-Service-Role's inline policies)
iam:GetPolicyVersion (on all of Evident-Service-Role's managed policies)
The AWS managed SecurityAudit policy contains all of the above permissions. If your Evident-Service-Role has the SecurityAudit policy attached, then there must be another policy affecting the role with a statement that explicitly denies one or more of the permissions listed above.
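To narrow the diagnosis to the specific statement that is blocking the role, the policy documents attached to it can be evaluated offline against the required action list. The following script is an added illustration, not Evident or Palo Alto Networks code; its policy documents are constructed samples (a SecurityAudit-like Allow plus a stray Deny), and it models only the core IAM rule that an explicit Deny overrides any Allow, ignoring Condition, NotAction and NotResource.

```python
"""Report which of the IAM actions the Evident-Service-Role needs are
blocked by an explicit Deny.  Added illustration, not Evident code; the
policy documents are constructed samples and the evaluator implements only
the core IAM rule (explicit Deny beats Allow, otherwise implicit deny).
Conditions, NotAction and NotResource are not modelled (assumption)."""
import fnmatch

# Actions the KB article says the role must be able to perform.
REQUIRED_ACTIONS = [
    "iam:ListRoles", "iam:ListRolePolicies", "iam:ListAttachedRolePolicies",
    "iam:GetRolePolicy", "iam:GetPolicy", "iam:GetPolicyVersion",
]

def _matches(pattern, value):
    """IAM action/resource matching: case-insensitive glob with * and ?."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def _as_list(x):
    return x if isinstance(x, list) else [x]

def evaluate(action, resource, policies):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one action on
    one resource, considering every statement of every attached policy."""
    decision = "ImplicitDeny"
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", "*"))
            if not any(_matches(a, action) for a in actions):
                continue
            if not any(_matches(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny always wins
            decision = "Allow"
    return decision

def find_blocked_actions(policies, resource="*"):
    """Map each required action to its decision; anything not 'Allow'
    is what the Evident error message is complaining about."""
    return {a: evaluate(a, resource, policies) for a in REQUIRED_ACTIONS}

# Constructed samples: a SecurityAudit-like Allow, plus a Deny that a
# customer might have added without realising it breaks Evident's check.
SECURITY_AUDIT_LIKE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"], "Resource": "*"}]}
STRAY_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:GetPolicyVersion", "Resource": "*"}]}

if __name__ == "__main__":
    for action, decision in find_blocked_actions([SECURITY_AUDIT_LIKE, STRAY_DENY]).items():
        print(f"{action:32} {decision}")
```

In a real account the same inputs come from iam:ListRolePolicies / iam:GetRolePolicy (inline) and iam:ListAttachedRolePolicies / iam:GetPolicyVersion (managed), which is exactly the set of calls the error message asks you to permit.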
Resolution
Modify the Evident-Service-Role's policies to allow the actions listed above. If applicable, remove all policies attached to the Evident-Service-Role except for the AWS managed SecurityAudit policy.