I am performing an operation on Amazon Service Location geo:SearchPlaceIndexForText.
It works properly in local env but as soon as I am performing the same operation in another Aws account I am getting this error:
com.amazonaws.services.location.model.AccessDeniedException: User: arn:aws:iam::XXXXXXXXX:user/user-name
is not authorized to perform:geo:SearchPlaceIndexForText on resource:
arn:aws:geo:us-east-1:XXXXXXXXX:place-index/HerePlaceIndex with an explicit
deny (Service: AmazonLocation; Status Code: 403; Error Code: AccessDeniedException; Request
ID: 7df8b5bc-3033-4cb9-8fd0-sli98n7c9; Proxy: null)
Not sure why the same operation is working in locally and not in another Aws account.
The policy attached to the user-name role is this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"geo:*"
],
"Resource": "*"
}
]
}
PS: My application is deployed in AWS Account A and I am trying to access the Location Service response from Aws Account B while calling the API from Aws Account A
Amazon Location Service is not allowing Resource-based Policy.
Hence, in order to use Amazon Location Service API's we need the resource in the same Aws account.
Previously I was calling the Location Service API to retrieve the response from a different Aws account while sending the request from a different Aws account (Where the application is deployed).
Now I am utilizing the Location Service available in the same account where the application is deployed.