aws-vault: rotate fails "resource: user null"
I’ve got the default MFA policy in place: http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html

```console
$ aws-vault rotate iam
Rotating credentials for profile "iam"
aws-vault: error: Failed to get credentials for yopa-iam: AccessDenied: User: arn:aws:iam::ACCOUNTIDXX:user/fernando is not authorized to perform: iam:CreateAccessKey on resource: user null with an explicit deny
status code: 403, request id: 369d63a9-ce02-11e7-b933-XXXX
```
Here’s the CloudTrail event for the same call made via the web console:

```json
{
  "eventVersion": "1.02",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJH5XXXXX",
    "arn": "arn:aws:iam::ACCOUNTID:user/fernando",
    "accountId": "ACCOUNTID",
    "accessKeyId": "ASIAJOY2JEXCDVJPJ5MQ",
    "userName": "fernando",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "true",
        "creationDate": "2017-11-20T13:43:37Z"
      }
    },
    "invokedBy": "signin.amazonaws.com"
  },
  "eventTime": "2017-11-20T14:47:37Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "XXX",
  "userAgent": "signin.amazonaws.com",
  "requestParameters": {
    "userName": "fernando"
  },
  "responseElements": {
    "accessKey": {
      "accessKeyId": "AKIAJQXXXX",
      "status": "Active",
      "userName": "fernando",
      "createDate": "Nov 20, 2017 2:47:37 PM"
    }
  },
  "requestID": "c0324aa8-XXX",
  "eventID": "dde48dff-XXX",
  "eventType": "AwsApiCall",
  "recipientAccountId": "ACCOUNTID"
}
```
And here is the CloudTrail event for the failed call from aws-vault:

```json
{
  "eventVersion": "1.02",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDAJH5XXXXX",
    "arn": "arn:aws:iam::ACCOUNTID:user/fernando",
    "accountId": "ACCOUNTID",
    "accessKeyId": "AKIAIFEMDDNT7Y2CH7GQ",
    "userName": "fernando"
  },
  "eventTime": "2017-11-20T14:46:36Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "XXX",
  "userAgent": "aws-sdk-go/1.4.14 (go1.9.1; darwin; amd64)",
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:iam::ACCOUNTID:user/fernando is not authorized to perform: iam:CreateAccessKey on resource: user null with an explicit deny",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "9c33aa49-XXX",
  "eventID": "9345567c-XXX",
  "eventType": "AwsApiCall",
  "recipientAccountId": "ACCOUNTID"
}
```
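As an added example (not aws-vault's code and not from this thread), the following Python script triages the two CloudTrail events above against the Deny statement of the tutorial policy linked in the report. That statement, as I recall it, denies everything outside a short `NotAction` list under the condition `"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}`; the `NotAction` set below is an assumption and should be checked against your actual policy. The point worth seeing in code is that `BoolIfExists` matches when the key is absent, and the second event carries a long-term key (`AKIA` prefix) with no `sessionContext` at all, so the key is absent and the Deny fires. The sample events are constructed, abbreviated copies of the two in the report with the identifiers replaced:

```python
"""Added example: triage CloudTrail IAM events against an MFA-gating Deny.

Not aws-vault code. Models the Deny statement of the AWS "self-manage MFA"
tutorial policy (assumption: shape recalled from the tutorial), roughly:

    "Effect": "Deny",
    "NotAction": [ ...MFA-setup actions..., "sts:GetSessionToken" ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}

BoolIfExists matches when the condition key is ABSENT as well as when it
is "false". A request signed with a long-term access key (AKIA...) has no
session context, so aws:MultiFactorAuthPresent is absent and the Deny
fires; that is what "with an explicit deny" in the error means.
"""
import json

# NotAction list of the tutorial's Deny statement (assumption: verify locally).
MFA_EXEMPT_ACTIONS = {
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice", "sts:GetSessionToken",
}

SERVICE_PREFIX = {"iam.amazonaws.com": "iam", "sts.amazonaws.com": "sts"}


def key_kind(access_key_id):
    """AKIA = long-term IAM user key, ASIA = temporary STS credentials."""
    if access_key_id.startswith("ASIA"):
        return "temporary"
    if access_key_id.startswith("AKIA"):
        return "long-term"
    return "unknown"


def mfa_present(event):
    """Value IAM sees for aws:MultiFactorAuthPresent: True, False, or None
    when the key is absent (the event has no sessionContext)."""
    ctx = event.get("userIdentity", {}).get("sessionContext")
    if not ctx:
        return None
    return ctx.get("attributes", {}).get("mfaAuthenticated") == "true"


def bool_if_exists_is_false(value):
    """Semantics of BoolIfExists ... "false": an absent key also matches."""
    return value is None or value is False


def evaluate_mfa_deny(event):
    """Return 'exempt', 'explicit-deny' or 'not-denied' for one event.
    'not-denied' only means this statement did not block the call; an
    Allow statement elsewhere must still grant the action."""
    service = SERVICE_PREFIX.get(event["eventSource"], "?")
    action = f"{service}:{event['eventName']}"
    if action in MFA_EXEMPT_ACTIONS:
        return "exempt"
    if bool_if_exists_is_false(mfa_present(event)):
        return "explicit-deny"
    return "not-denied"


def triage(event):
    """One-line summary a responder can read off a CloudTrail export."""
    ident = event["userIdentity"]
    return {
        "eventName": event["eventName"],
        "keyKind": key_kind(ident.get("accessKeyId", "")),
        "mfaPresent": mfa_present(event),
        "mfaDeny": evaluate_mfa_deny(event),
        "errorCode": event.get("errorCode"),
    }


# Constructed, abbreviated copies of the two events in the report.
CONSOLE_EVENT = json.loads("""{
  "userIdentity": {"type": "IAMUser", "accessKeyId": "ASIAEXAMPLECONSOLE",
    "userName": "fernando",
    "sessionContext": {"attributes": {"mfaAuthenticated": "true",
                                      "creationDate": "2017-11-20T13:43:37Z"}},
    "invokedBy": "signin.amazonaws.com"},
  "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey"
}""")

VAULT_EVENT = json.loads("""{
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEVAULT",
    "userName": "fernando"},
  "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "userAgent": "aws-sdk-go/1.4.14 (go1.9.1; darwin; amd64)",
  "errorCode": "AccessDenied"
}""")

if __name__ == "__main__":
    for ev in (CONSOLE_EVENT, VAULT_EVENT):
        print(triage(ev))
```

Run it and the console event comes back `not-denied` with `keyKind: temporary` and `mfaPresent: True`, while the aws-vault event comes back `explicit-deny` with `keyKind: long-term` and `mfaPresent: None`. The check to make on your own account is the same one the script encodes: whether the credentials aws-vault signs the `CreateAccessKey` call with are a plain access key or an MFA-backed session, and whether your Deny statement uses `BoolIfExists` (absent key matches) rather than `Bool` (absent key does not).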
About this issue
- State: closed
- Created 7 years ago
- Comments: 44
🤔
The fact then that it didn’t ask you for an MFA is perplexing. Perhaps that is the issue. Let me investigate.