amazon web services - Admin access to AWS console, but no access via CLI

Question

I use a few different acounts and keep all the credentials in ~/.aws/credentials. CLI works fine on all other accounts, so it's not a configuration issue. The only taht works is aws sts get-caller-identity.

The strange thing is that I belong to the Administrator group (as does everyone for now) and none of us have CLI access, despite having access keys and full Admin permissions.

I though it's because of MFA, but I use another account with MFA just fine through CLI. There's also this policy on the account (but it doesn't look restrictive?):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:ListAccountAliases",
        "iam:ListUsers",
        "iam:GetAccountSummary",
        "iam:GetAccountPasswordPolicy"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "AllowAllUsersToListAccounts"
    },
    {
      "Action": [
        "iam:ChangePassword",
        "iam:CreateLoginProfile",
        "iam:DeleteLoginProfile",
        "iam:GetLoginProfile",
        "iam:ListAccessKeys",
        "iam:UpdateLoginProfile",
        "iam:ListSigningCertificates",
        "iam:ListSSHPublicKeys",
        "iam:GetSSHPublicKey",
        "iam:UploadSSHPublicKey",
        "iam:DeleteSSHPublicKey"
      ],
      "Resource": [
        "arn:aws:iam::____________:user/${aws:username}"
      ],
      "Effect": "Allow",
      "Sid": "AllowIndividualUserToSeeAndManageTheirOwnAccountInformation"
    },
    {
      "Action": [
        "iam:ListVirtualMFADevices",
        "iam:ListMFADevices"
      ],
      "Resource": [
        "arn:aws:iam::____________:mfa/*",
        "arn:aws:iam::____________:user/${aws:username}"
      ],
      "Effect": "Allow",
      "Sid": "AllowIndividualUserToListTheirOwnMFA"
    },
    {
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:RequestSmsMfaRegistration",
        "iam:FinalizeSmsMfaRegistration",
        "iam:EnableMFADevice",
        "iam:ResyncMFADevice"
      ],
      "Resource": [
        "arn:aws:iam::____________:mfa/${aws:username}",
        "arn:aws:iam::____________:user/${aws:username}"
      ],
      "Effect": "Allow",
      "Sid": "AllowIndividualUserToManageTheirOwnMFA"
    }
  ]
}

What could it be?

question from:https://stackoverflow.com/questions/65899296/admin-access-to-aws-console-but-no-access-via-cli

Answer 1

There is no concept of "no CLI access". The AWS CLI is a Python program that uses the AWS SDK for Python (boto3) to make API calls. Each API call is assessed individually when received by AWS.

The error message you provided is saying that the user is not allowed to list Amazon S3 buckets, which would be accurate because the policy you provided does not grant any permissions for Amazon S3.

The other error mentions an explicit deny -- so either it is not using the policy you have listed, or a Service control policy is in force, which is limiting the API calls that are permitted.