CloudGuard Dome9 AWS API key is missing permission

This article provides information on troubleshooting the AWS cloud account onboarding error: API key is missing permissions.


This error indicates that there may be a permissions problem.
It can indicate that the AWS IAM Role is missing a mandatory policy, or that the "External ID" is different from the "External ID" given to the AWS IAM Role.


How to resolve this error

  1. Log in to your AWS console (
  2. Click 'Services' and select the IAM service.
  3. Click 'Roles' and search for the Role created for CloudGuard Dome9 (usually 'CloudGuard Dome9-Connect').
  4. On the Role 'Permissions' tab, verify that all the required policies are attached:
    1. SecurityAudit (AWS managed policy) - mandatory policy
    2. AmazonInspectorReadOnlyAccess (AWS managed policy) - mandatory policy (required for AWS Inspector information)
    3. CloudGuard Dome9-readonly-policy (created for CloudGuard Dome9) - mandatory policy
    4. CloudGuard Dome9-write-policy (created for CloudGuard Dome9) - required for Full protection mode

  5. If any of the required policies are not attached, use the Attach Policy button to attach them.

  6. Next, verify the External ID on the Role: click the 'Trust relationships' tab.
  7. Verify that the 'External ID' is the same as the one given on the CloudGuard Dome9 console. (Note: the 'External ID' must not be empty.)

  8. If the External ID is empty or needs to be modified, click 'Edit trust relationship' and correct it as required.
  9. Copy the Role ARN and the External ID to the CloudGuard Dome9 console again.
  10. Click 'Finish'.
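The same checks from steps 4 to 8 can be run against saved output of `aws iam list-attached-role-policies` and `aws iam get-role` for the Role. The script below is an added example, not Check Point code: the function names, the sample data (trimmed to the fields used) and the External ID values are constructed, and the policy names are taken as written in this article, so adjust them to the names in your account.

```python
import json

# Policy names as written in this article (assumption: adjust to your account's names).
MANDATORY = ["SecurityAudit", "AmazonInspectorReadOnlyAccess",
             "CloudGuard Dome9-readonly-policy"]
WRITE_POLICY = "CloudGuard Dome9-write-policy"  # only for Full protection mode

def as_list(value):
    """IAM JSON allows a single item or a list in most positions."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def external_ids(trust_policy):
    """Collect sts:ExternalId values required by Allow statements for sts:AssumeRole."""
    found = []
    for stmt in as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key.lower() == "sts:externalid":  # condition keys are case-insensitive
                found.extend(as_list(value))
    return found

def check_role(attached, role, expected_external_id, full_protection=False):
    """Return a list of findings; an empty list means the Role passes steps 4 to 8."""
    names = {p["PolicyName"] for p in attached["AttachedPolicies"]}
    required = MANDATORY + ([WRITE_POLICY] if full_protection else [])
    findings = [f"missing policy: {n}" for n in required if n not in names]
    ids = external_ids(role["Role"]["AssumeRolePolicyDocument"])
    if not ids or "" in ids:
        findings.append("External ID is empty or not set in the trust relationship")
    elif expected_external_id not in ids:
        findings.append("External ID differs from the one shown in the CloudGuard Dome9 console")
    return findings

# Constructed sample input (not real account data), shaped like the AWS CLI output.
SAMPLE_ATTACHED = json.loads("""{"AttachedPolicies": [
  {"PolicyName": "SecurityAudit"},
  {"PolicyName": "CloudGuard Dome9-readonly-policy"}]}""")
SAMPLE_ROLE = json.loads("""{"Role": {"RoleName": "CloudGuard Dome9-Connect",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-OLD-ID"}}}]}}}""")

if __name__ == "__main__":
    for finding in check_role(SAMPLE_ATTACHED, SAMPLE_ROLE, "EXAMPLE-NEW-ID"):
        print(finding)
```

With the sample data, the script reports the missing AmazonInspectorReadOnlyAccess policy and the External ID mismatch, the two causes this article names for the error.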

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
