AWS API key is missing permissions

The following article provides information on troubleshooting the AWS cloud account onboarding error "API key is missing permissions":


This error indicates a permissions problem.
It can mean that the AWS IAM Role is missing a mandatory policy, or that the "External ID" entered in the CloudGuard console is different from the "External ID" given to the AWS IAM Role.


How to resolve this error

  1. Log in to your AWS console (
  2. Click 'Services' and select the IAM service.
  3. Click 'Roles' and search for the Role created for CloudGuard (usually 'CloudGuard Dome9-Connect').
  4. On the Role's 'Permissions' tab, verify that all the required policies are attached:
    1. SecurityAudit (AWS managed policy) - mandatory policy
    2. AmazonInspectorReadOnlyAccess (AWS managed policy) - mandatory policy (required for AWS Inspector information)
    3. CloudGuard Dome9-readonly-policy (created for CloudGuard) - mandatory policy
    4. CloudGuard Dome9-write-policy (created for CloudGuard) - required for Full Protection mode

  5. If any of the required policies is not attached, use the 'Attach Policy' button to attach the missing policies.

  6. Verify the External ID on the Role - click the 'Trust relationships' tab.
  7. Verify that the 'External ID' is the same as the one shown in the CloudGuard console. (Note: the 'External ID' must not be empty.)

  8. If the External ID is empty or needs to be modified, click 'Edit trust relationship' and correct it as required.
  9. Copy the Role ARN and the External ID again into the CloudGuard console.
  10. Click Finish
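The same two checks performed in steps 4 and 7 can be automated. The following Python is an added example, not part of the original article or of CloudGuard itself: it takes the role's attached policy names and its trust policy document and reports missing policies and External ID problems. The trust policy, account ID and external ID value below are constructed placeholders; in practice the inputs would come from the IAM API.

```python
import json

# Policies the article lists for the CloudGuard role. The write policy is
# only needed for Full Protection mode, so it is checked separately.
MANDATORY_POLICIES = {
    "SecurityAudit",
    "AmazonInspectorReadOnlyAccess",
    "CloudGuard Dome9-readonly-policy",
}
FULL_PROTECTION_POLICIES = {"CloudGuard Dome9-write-policy"}


def missing_policies(attached_policy_names, full_protection=False):
    """Return the sorted list of required policies not attached to the role."""
    required = set(MANDATORY_POLICIES)
    if full_protection:
        required |= FULL_PROTECTION_POLICIES
    return sorted(required - set(attached_policy_names))


def external_id_problems(trust_policy, expected_external_id):
    """Check every Allow sts:AssumeRole statement of a role trust policy for a
    non-empty sts:ExternalId condition equal to the CloudGuard console value.
    Returns a list of findings; an empty list means the trust policy is OK."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append(f"statement {idx}: sts:ExternalId condition missing or empty")
        elif ext_id != expected_external_id:
            findings.append(f"statement {idx}: sts:ExternalId does not match the CloudGuard value")
    return findings


# Constructed sample trust policy whose External ID was left empty (the account
# ID is a placeholder, not a real account).
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": ""}},
}]})

if __name__ == "__main__":
    print(missing_policies(["SecurityAudit", "CloudGuard Dome9-readonly-policy"]))
    print(external_id_problems(SAMPLE_TRUST_POLICY, "EXAMPLE-EXTERNAL-ID"))
```

With boto3 the live inputs would be the policy names from `iam.list_attached_role_policies()` and the document from `iam.get_role()["Role"]["AssumeRolePolicyDocument"]` (assumed usage, not exercised here).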

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

