
> I know how dumb customers can be

Or how broken the tooling is for IAM + S3 + other services (for example Athena and Glue).

Several times I had to explain to support that we do not want s3:* anywhere in our infra, because they insisted that it is the easiest solution, so they do not need to waste their precious (paid by us) time on figuring out which exact permission is missing, which I as a customer have no way of figuring out.

Many of us have been working on cloud infra for 10+ years and we still sometimes struggle to set up especially new services.

I really like how you conclude that this is somehow the customer's fault. I find it entertaining how the decent support staff of Amazon admits that the tooling is subpar, because they have a different system internally to check out why S3 is throwing a 403. As a customer we do not have anything, just the API.

And no, this is not because the customers are dumb. I can't wait for the moment when AWS has to actually compete with other cloud providers, because this arrogance has to go.




This. The tooling and error messaging around IAM is inconsistent and lacking. I’ve even seen AWS support be completely wrong about why IAM is denying something, so I am guessing their internal tooling isn’t much better.


I caught on to the fact that they have much more finely grained logging than the users do (e.g. underlying specific access denied errors which are covered by a generic one users get), and sometimes report what they see there, with no consideration for the effect on the users. You can sometimes get some details on how the services work underneath.

It happened several times with Glue, mentioned by the user two replies above (usually the schema registry, which requires *s in the resource element of the policies to work).
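
A small policy lint for the point raised in the comments above, as an added example that is not part of the thread or of any AWS tooling: it flags Allow statements that grant `s3:*` or `*` as an action and reports bare `*` resources separately, so exceptions such as the Glue case can be reviewed on their own. The sample policy, its Sids, the bucket name and the function names are constructed for illustration.

```python
import json

# Constructed sample policy (not from the thread): an over-broad statement,
# a scoped S3 statement, and a Glue statement with a bare "*" resource.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
  {"Sid": "Scoped", "Effect": "Allow",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*"]},
  {"Sid": "GlueRegistry", "Effect": "Allow",
   "Action": ["glue:GetSchemaVersion"], "Resource": "*"}
]}
""")


def as_list(value):
    """Action, Resource and Statement may each be a single item or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def find_wildcards(policy, services=("s3",)):
    """Return (sid, kind, value) for each wildcard grant in Allow statements."""
    broad = {"*"} | {f"{s.lower()}:*" for s in services}
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not grant anything
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt:
            # Allow + NotAction grants every action except the listed ones
            findings.append((sid, "not-action", as_list(stmt["NotAction"])))
        for action in as_list(stmt.get("Action")):
            if action.lower() in broad:  # action names are case-insensitive
                findings.append((sid, "action", action))
        for resource in as_list(stmt.get("Resource")):
            if resource == "*":  # a bare "*", not a wildcard inside an ARN
                findings.append((sid, "resource", resource))
    return findings


if __name__ == "__main__":
    for sid, kind, value in find_wildcards(SAMPLE_POLICY):
        print(f"{sid}: wildcard {kind}: {value}")
```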



