Yroc (Super Contributor)

OMi AWS Management pack error - Not Authorized to perform this operation


We are getting the following error when trying to discover our AWS EC2 cloud. I believe the user is missing the right EC2 policies, but I am not sure which ones are the correct ones for using this management pack. The user's guide does not say much about it.

... Error message: ...

ERROR: Gather: You are not authorized to perform this operation. (Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation; Request ID: ....

FYI.. We have confirmed the keys are correct (key and private key).

 

Thanks in advance!

Cory

 


Accepted Solutions
Sultan Raja (Super Contributor)

Re: OMi AWS Management pack error - Not Authorized to perform this operation


Hello Cory,

The AWS Management Pack needs access to EC2 for discovering EC2 elements and CloudWatch for fetching metrics.

The below policies should be attached as minimum permissions for the given user.

--> AmazonEC2ReadOnlyAccess   (To discover EC2)
--> CloudWatchReadOnlyAccess  (To monitor EC2 instances via CloudWatch)
--> IAMReadOnlyAccess         (To get the cloud account id).

Regards,

Sultan.

 

 

Yroc (Super Contributor)

Re: OMi AWS Management pack error - Not Authorized to perform this operation


Yes, this worked. We were able to use this for both the Management Pack and SiteScope integrations since they both use the AWS CloudWatch integration.

I found additional information on it here:

 

http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/mon-scripts.htm

  1. If you already have an AWS Identity and Access Management (IAM) role associated with your instance, make sure that it has permissions to perform the following operations:
    • cloudwatch:PutMetricData
    • cloudwatch:GetMetricStatistics
    • cloudwatch:ListMetrics
    • ec2:DescribeTags

Otherwise, you can create a new IAM role with permissions to perform CloudWatch operations and associate that role when you launch a new instance. For more information, see Controlling User Access to Your AWS Account.

  1. Optional: If you aren't using an IAM role, update the template file that you downloaded earlier. The content of this file should use the following format:

AWSAccessKeyId=YourAccessKeyID

AWSSecretKey=YourSecretAccessKey

Note

This step is optional if you have already created a file for credentials. You can use an existing file by specifying its location on the command line when you call the scripts. Alternatively, you can set the environment variable AWS_CREDENTIAL_FILE to point to the file with your AWS credentials.

For instructions on how to access your credentials, see Creating, Modifying, and Viewing User Security Credentials in IAM User Guide.

 Thanks again Sultan Raja for pointing that out!

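As an added example (not part of the thread and not Micro Focus or AWS code): a small offline check of an IAM policy document against the four actions quoted in the last post, reporting which of them are not granted and which Allow entries are service-wide wildcards. The sample policy is constructed, and the evaluation is simplified: it reads only Effect and Action and ignores Resource, Condition and NotAction.

```python
import json
import re

# Actions quoted in the thread from the CloudWatch monitoring-scripts guide.
REQUIRED = ["cloudwatch:PutMetricData", "cloudwatch:GetMetricStatistics",
            "cloudwatch:ListMetrics", "ec2:DescribeTags"]

# Constructed sample policy for illustration (not from the thread or AWS).
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:Describe*", "cloudwatch:Get*", "cloudwatch:List*"]},
  {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
  {"Effect": "Deny", "Action": "iam:Delete*", "Resource": "*"}
]}""")

def _as_list(value):
    # IAM allows a single string or object where a list is expected.
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def decision(policy, action):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one action."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "explicit-deny"  # a Deny always overrides any Allow
            allowed = True
    return "allow" if allowed else "implicit-deny"

def missing_actions(policy, required=REQUIRED):
    """Required actions the policy does not grant; calls to them are rejected."""
    return [a for a in required if decision(policy, a) != "allow"]

def service_wide_allows(policy):
    """Allow entries of the form '*' or 'service:*', broader than read-only."""
    return [p for s in _as_list(policy["Statement"]) if s["Effect"] == "Allow"
            for p in _as_list(s.get("Action", []))
            if p == "*" or p.endswith(":*")]

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))
    print("over-broad:", service_wide_allows(SAMPLE_POLICY))
```

Running the same check against the policy JSON actually attached to the monitoring user shows whether a 403 is explained by a missing action before any broader policy is attached.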