Issue: Test Credentials, Add workload, or Discover workload actions for a source Linux workload fails with the following error: Show
Access denied. The root credentials provided cannot be used to connect to the server <source-Linux-workload-IP-address>. Please ensure that the password is correct, and that root has not been blocked from using SSH. Workaround: Access can be denied for SSH connections if the key algorithm or ciphers settings in the /etc/ssh/sshd_config file on the source Linux workload are missing or are incompatible with the settings used by Migrate server.
See also the following related KB Articles:
Why am I getting an Access Denied error message when I upload files to my Amazon S3 bucket that has AWS KMS default encryption?Last updated: 2022-05-12 My Amazon Simple Storage Service (Amazon S3) bucket has AWS Key Management Service (AWS KMS) default encryption. I'm trying to upload files to the bucket, but Amazon S3 returns an Access Denied error message. How can I fix this? ResolutionFirst, confirm:
Then, update the AWS KMS permissions of your IAM user or role based on the error message that you receive. Important:
"An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey action. Follow these steps to add permission for kms:GenerateDataKey: 1. Open the IAM console. 2. Choose the IAM user or role that you're using to upload files to the Amazon S3 bucket. 3. In the Permissions tab, expand each policy to view its JSON policy document. 4. In the JSON policy documents, look for policies related to AWS KMS access. Review statements with "Effect": "Allow" to check if the user or role has permissions for the kms:GenerateDataKey action on the bucket's AWS KMS key. 5. If this permission is missing, then add the permission to the appropriate policy. For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console). 6. In the JSON policy documents, look for statements with "Effect": "Deny". Confirm that those statements don't deny the s3:PutObject action on the bucket. The statements must not deny the IAM user or role access to the kms:GenerateDataKey action on the key used to encrypt the bucket. Also, the required KMS and S3 permissions must not be restricted when using VPC endpoint policies, service control policies, permissions boundaries, or session policies. "An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied"This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey and kms:Decrypt actions. Follow these steps to add permissions for kms:GenerateDataKey and kms:Decrypt: 1. Open the IAM console. 2. Choose the IAM user or role that you're using to upload files to the Amazon S3 bucket. 3. In the Permissions tab, expand each policy to view its JSON policy document. 4. In the JSON policy documents, look for policies related to AWS KMS access. Review statements with "Effect": "Allow" to check if the role has permissions for kms:GenerateDataKey and kms:Decrypt on the bucket's AWS KMS key. 5. If these permissions are missing, then add the permissions to the appropriate policy. For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console). 6. In the JSON policy documents, look for statements with "Effect": "Deny". Then, confirm that those statements don't deny the s3:PutObject action on the bucket. The statements must not deny the IAM user or role access to the kms:GenerateDataKey and kms:Decrypt actions on the key used to encrypt the bucket. Also, the required KMS and S3 permissions must not be restricted when using VPC endpoint policies, service control policies, permissions boundaries, or session policies. Did this article help? Do you
need billing or technical support? AWS support for Internet Explorer ends on 07/31/2022. Supported browsers are Chrome, Firefox, Edge, and Safari. Learn more » |