question

Samuel Joshi avatar image
Samuel Joshi asked

AWS Insufficient Permissions error through Alexa skills

Hi all,

I would like to store data onto Amazons DynamoDB or S3 storage for my Alexa skill. When I enter the S3 storage I get this permission error.

1647955167307.png

When I sign into AWS, as a root user, I am able to make admin changes in the IAM dashboard. However, when I sign into Amazons Developer Console and access the IAM dashboard, still as a root user, I get permission errors.

1647955510183.png


Please note:

When I access the S3 storage through AWS account, my profile username is Samuel. Here I can make the necessary permission changes.

When I access the S3 storage through my Alexa skill, my profile username is not Samuel instead it is called "VoiceHubSSORole/VoiceHubSSORole" with a different account number. Here I get blocked and the permission error appears.


If anyone can help me, it would be much appreciated.


Kind regards,

Samuel


alexa skills kitalexaalexa skillspermissions
1647955167307.png (42.0 KiB)
1647955510183.png (22.3 KiB)
1 comment
10 |5000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Sammy avatar image Sammy commented ·

Hi Samuel, did you ever resolve your original permissions problem? I'm having the same issue in debugging an Alexa skill in the dev console and in this case clicking the CloudWatch icon which opens a new window. Originally it was working fine for several days but starting yesterday I'm getting an access denied error (see attached image) apparently related to the user not being me but a 'Federated' role called VoiceHubSSORole as you mentioned in your writeup. It's not clear to me how exactly to resolve this in IAM and also which account to use since it seems they hold the AWS area apart from the Alexa dev login, and I haven't quite made sense of it all yet.

CloudWatch access error cropped.jpg


0 Likes 0 ·
cloudwatch-access-error-cropped.jpg (52.0 KiB)

1 Answer

Andy Whitworth avatar image
Andy Whitworth answered

Sounds like you're using an Alexa hosted skill with that ....SSO.... username. If you want to access personal AWS resources from an Alexa hosted skill then Amazon have the following guide for you:

https://developer.amazon.com/en-US/docs/alexa/hosted-skills/alexa-hosted-skills-personal-aws.html

8 comments
10 |5000
Toggle Comment visibility. Current Visibility: Viewable by all users

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Samuel Joshi avatar image Samuel Joshi commented ·

Hi @Andy Whitworth ,

I have followed the guide that you have sent me but unfortunately, the permission error keeps appearing.

These are the permissions I have given to that "SSO" account.

1648121507959.png

I did notice that Amazon automatically assigns me to the "us-east-1" area when I should actually be in the "eu-west-2" area.

1648121773703.png

I look forward to hearing from you.

Kind regards,


Samuel

0 Likes 0 ·
1648121507959.png (89.3 KiB)
Andy Whitworth avatar image Andy Whitworth Samuel Joshi commented ·
Hi Samuel,

Can you clarify exactly what you're looking to do as I'm not 100% sure.

A few questions...

1. Is the S3 storage you're looking to use your own S3 bucket associated to your personal AWS login, or one which comes with Alexa hosted skills ?

2. How are you looking to use that storage in your Alexa skill ? Are you reading from it, writing to it, or both ?

3. Is your skill an Alexa hosted skill ?


Andy.

0 Likes 0 ·
Samuel Joshi avatar image Samuel Joshi Andy Whitworth commented ·

Hi @Andy Whitworth ,

I have created an Alexa skill. Through the Alexa skill, I would like to use the S3 storage.

Q1. The S3 storage that I am looking to use comes from the Alexa hosted skill. The bucket that gets created when you create an Alexa skill. This is where the permissions error appears.

Q2. Read & write.

I would like to store data about the user (create a user table) and store data from an external API. I would then like to read the data from the S3 bucket.

Q3. Yes, that is correct. I am using Amazons developer console to code.


0 Likes 0 ·
Show more comments