The following article provides information on troubleshooting the AWS cloud account onboarding error "API key is missing permissions".
This error indicates that there may be a permissions problem.
It can indicate that the AWS IAM Role is missing a mandatory policy, or that the "External ID" is different from the "External ID" given to the AWS IAM Role.
How to resolve this error
- Log in to your AWS console (aws.amazon.com)
- Click 'Services' and select the IAM service
- Click 'Roles' and search for the Role created for Dome9 (usually 'Dome9-Connect').
- On the Role 'Permissions' tab, verify that you have all the required policies:
  - SecurityAudit (AWS managed policy) - mandatory policy
  - AmazonInspectorReadOnlyAccess (AWS managed policy) - mandatory policy (required for AWS Inspector information)
  - dome9-readonly-policy (created for Dome9) - mandatory policy
  - dome9-write-policy (created for Dome9) - required for Full protection mode
- If any of the required policies is not attached, use the Attach Policy button to attach the missing policies.
- Next, verify the External ID on the Role: click the 'Trust relationships' tab.
- Verify that the 'External ID' is the same as the one given in the Dome9 console. (Note: the 'External ID' must not be empty.)
- If the External ID is empty or needs to be modified, click 'Edit trust relationship' and correct it as required.
- Copy the Role ARN and the External ID into the Dome9 console again.
- Click Finish
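
The same checklist can be run as a script. The following is an added example, not part of the original article or Dome9's own tooling: it takes the role's attached policy names and trust policy document (as returned by `aws iam list-attached-role-policies` and `aws iam get-role`) and reports missing policies or an External ID mismatch. The function names, the sample data, the placeholder account ID and the External ID values are assumptions made for illustration.

```python
# Policy names come from the checklist above; the write policy is only
# needed for Full protection mode.
MANDATORY = {"SecurityAudit", "AmazonInspectorReadOnlyAccess", "dome9-readonly-policy"}
WRITE_POLICY = "dome9-write-policy"


def external_ids(trust_policy):
    """Collect every sts:ExternalId value required by Allow statements."""
    found = set()
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            if not operator.startswith("StringEquals"):
                continue
            for key, value in keys.items():
                if key.lower() == "sts:externalid":  # condition keys are case-insensitive
                    found.update([value] if isinstance(value, str) else value)
    return found


def check_role(attached_names, trust_policy, expected_external_id, full_protection=False):
    """Return a list of findings; an empty list means the role matches the checklist."""
    required = MANDATORY | ({WRITE_POLICY} if full_protection else set())
    findings = [f"missing policy: {n}" for n in sorted(required - set(attached_names))]
    ids = external_ids(trust_policy)
    if not ids or "" in ids:
        findings.append("External ID is empty or not set in the trust relationship")
    elif expected_external_id not in ids:
        findings.append("External ID does not match the value shown in the Dome9 console")
    return findings


# Constructed sample data: a role missing one mandatory policy and carrying a
# stale External ID. 111122223333 is a placeholder account ID.
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "OLD-EXAMPLE-ID"}}}]}
SAMPLE_ATTACHED = ["SecurityAudit", "dome9-readonly-policy"]

if __name__ == "__main__":
    for finding in check_role(SAMPLE_ATTACHED, SAMPLE_TRUST, "EXAMPLE-EXTERNAL-ID"):
        print(finding)
```

An empty result means the three mandatory policies are attached and the trust relationship requires the expected External ID; pass `full_protection=True` to also require dome9-write-policy.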