Troubleshooting: AWS API key is missing permission

    This article explains how to troubleshoot the following error when onboarding an AWS cloud account: API key is missing permissions.


    This error indicates that there may be a permissions problem.
    It can indicate that the AWS IAM Role is missing a mandatory policy, or that the "External ID" is different from the "External ID" given to the AWS IAM Role.

    How to resolve this error

    1. Log in to your AWS console (
    2. Click ‘Services’ and select the IAM service.
    3. Click ‘Roles’ and search for the Role created for Dome9 (usually 'Dome9-Connect').
    4. On the Role's 'Permissions' tab, verify that all the required policies are attached:
      1. SecurityAudit (AWS managed policy) - mandatory policy
      2. AmazonInspectorReadOnlyAccess (AWS managed policy) - mandatory policy (required for AWS Inspector information)
      3. dome9-readonly-policy (created for Dome9) - mandatory policy
      4. dome9-write-policy (created for Dome9) - required for Full protection mode

    5. If any of the required policies is not attached, use the Attach Policy button to attach the missing policies.

    6. Next, verify the External ID on the Role: click the 'Trust relationships' tab.
    7. Verify that the 'External ID' is the same as the one given on the Dome9 console. (Note: the 'External ID' must not be empty.)

    8. If the External ID is empty or needs to be modified, click Edit trust relationship and correct it as required.
    9. Copy the Role ARN and the External ID to the Dome9 console again.
    10. Click on Finish
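
The same checks from steps 4 to 7 can be run offline against the JSON printed by `aws iam list-attached-role-policies --role-name <role>` and `aws iam get-role --role-name <role>`. This is an added example, not Dome9's own tooling; the function names, the sample account ID and the sample External ID values are constructed for illustration.

```python
import json

# Policy names as listed in step 4; the write policy is only needed
# for Full protection mode.
MANDATORY = {"SecurityAudit", "AmazonInspectorReadOnlyAccess", "dome9-readonly-policy"}
WRITE_POLICY = "dome9-write-policy"

def missing_policies(attached_json, full_protection=False):
    """Required policy names absent from list-attached-role-policies output."""
    attached = {p["PolicyName"] for p in attached_json.get("AttachedPolicies", [])}
    required = MANDATORY | ({WRITE_POLICY} if full_protection else set())
    return sorted(required - attached)

def external_ids(role_json):
    """Every sts:ExternalId value enforced by the role's trust policy."""
    doc = role_json["Role"]["AssumeRolePolicyDocument"]
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may not be wrapped in a list
        statements = [statements]
    found = []
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        # Only an exact StringEquals condition is treated as enforcing the ID.
        for key, value in st.get("Condition", {}).get("StringEquals", {}).items():
            if key.lower() == "sts:externalid":
                found += value if isinstance(value, list) else [value]
    return found

def check_role(role_json, attached_json, expected_external_id, full_protection=False):
    """List of problems found; an empty list means the role passes both checks."""
    problems = [f"policy not attached: {n}"
                for n in missing_policies(attached_json, full_protection)]
    ids = external_ids(role_json)
    if not ids or "" in ids:
        problems.append("External ID is empty or missing from the trust relationship")
    elif expected_external_id not in ids:
        problems.append("External ID differs from the one shown in the Dome9 console")
    return problems

# Constructed sample data (not from a real account).
SAMPLE_ROLE = json.loads("""{"Role": {"AssumeRolePolicyDocument": {"Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-OLD-ID"}}}]}}}""")
SAMPLE_ATTACHED = {"AttachedPolicies": [{"PolicyName": "SecurityAudit"},
                                        {"PolicyName": "dome9-readonly-policy"}]}

if __name__ == "__main__":
    for problem in check_role(SAMPLE_ROLE, SAMPLE_ATTACHED, "EXAMPLE-NEW-ID"):
        print(problem)
```

A trust policy with no `sts:ExternalId` condition at all is reported the same way as an empty one, since either case lets the role be assumed without the ID.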