Failed to access remote file: access denied. please check your credentials

Issue: The Test Credentials, Add workload, or Discover workload action for a source Linux workload fails with the following error:

Access denied. The root credentials provided cannot be used to connect to the server <source-Linux-workload-IP-address>. Please ensure that the password is correct, and that root has not been blocked from using SSH.

Workaround: SSH connections can be denied if the key algorithm or cipher settings in the /etc/ssh/sshd_config file on the source Linux workload are missing or are incompatible with the settings used by the Migrate server.

  1. Verify the following are working correctly:

    • You correctly specified the source Linux workload’s IP address, user name, and password.

    • On the source Linux workload, the SSH service is enabled and running; and the firewall (if any) allows inbound SSH traffic on TCP port 22.

    • You can log in successfully to this Linux workload as the root user from a remote machine using an SSH client such as PuTTY.

  2. On the source Linux workload, log in as the root user, then view the log file (/var/log/messages) or check the status of the SSH daemon (systemctl status sshd) to search for error messages for the Migrate server IP address.

  3. Add or discover the source Linux workload again.

    1. Verify that Test Credential is successful.

    2. Verify that the workload is added successfully.
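To pinpoint which setting is incompatible, the effective daemon configuration printed by `sshd -T` can be compared with the algorithms the connecting side offers. The following is an added example, not code from the vendor's KB article; the `sshd -T` sample and the client offer are constructed placeholders, since the page does not list the algorithms the Migrate server uses.

```python
# Report sshd algorithm categories that share no entry with a client's offer.
CATEGORIES = ("ciphers", "kexalgorithms", "macs", "hostkeyalgorithms")

def parse_sshd_t(text):
    """Parse `sshd -T` output: a lowercase keyword, then comma-separated values."""
    effective = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in CATEGORIES:
            effective[parts[0].lower()] = parts[1].split(",")
    return effective

def negotiation_gaps(server, client):
    """Return the categories where server and client have no algorithm in common."""
    gaps = {}
    for cat in CATEGORIES:
        if cat not in server or cat not in client:
            continue  # nothing to compare for this category
        if not [alg for alg in client[cat] if alg in server[cat]]:
            gaps[cat] = {"server": server[cat], "client": client[cat]}
    return gaps

# Constructed sample of `sshd -T` output from a source workload.
SAMPLE_SSHD_T = """\
port 22
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
macs hmac-sha2-256,hmac-sha2-512
hostkeyalgorithms ssh-ed25519,rsa-sha2-512
"""

# Constructed client offer (placeholder, not the Migrate server's real list).
SAMPLE_CLIENT = {
    "ciphers": ["aes256-ctr", "aes128-ctr"],
    "kexalgorithms": ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    "macs": ["hmac-sha2-256"],
    "hostkeyalgorithms": ["ssh-rsa"],
}

def sample_gaps():
    return negotiation_gaps(parse_sshd_t(SAMPLE_SSHD_T), SAMPLE_CLIENT)

if __name__ == "__main__":
    for cat, detail in sample_gaps().items():
        print(f"no common {cat}: server={detail['server']} client={detail['client']}")
```

On a real system, feed `parse_sshd_t` the output of `sshd -T` run as root on the source workload, and take the client list from the vendor's documentation.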

See also the following related KB Articles:

  • Discovering Linux workload states access denied (KB 7018214)

  • Linux discovery failure with access denied error (KB 7018128)

Why am I getting an Access Denied error message when I upload files to my Amazon S3 bucket that has AWS KMS default encryption?

Last updated: 2022-05-12

My Amazon Simple Storage Service (Amazon S3) bucket has AWS Key Management Service (AWS KMS) default encryption. I'm trying to upload files to the bucket, but Amazon S3 returns an Access Denied error message. How can I fix this?

Resolution

First, confirm:

  • Your AWS Identity and Access Management (IAM) user or role has s3:PutObject permission on the bucket.
  • Your AWS KMS key doesn't have an "aws/s3" alias. This alias can't be used for default bucket encryption if cross-account IAM principals are uploading the objects. For more information about AWS KMS keys and policy management, see Protecting data using server-side encryption with AWS Key Management Service (SSE-KMS).

Then, update the AWS KMS permissions of your IAM user or role based on the error message that you receive.

Important:

  • If the AWS KMS key and IAM role belong to different AWS accounts, then the IAM policy and KMS key policy must be updated. Make sure to add the KMS permissions to both the IAM policy and KMS key policy.
  • To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies.

"An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"

This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey action.

Follow these steps to add permission for kms:GenerateDataKey:

1.    Open the IAM console.

2.    Choose the IAM user or role that you're using to upload files to the Amazon S3 bucket.

3.    In the Permissions tab, expand each policy to view its JSON policy document.

4.    In the JSON policy documents, look for policies related to AWS KMS access. Review statements with "Effect": "Allow" to check if the user or role has permissions for the kms:GenerateDataKey action on the bucket's AWS KMS key.

5.    If this permission is missing, then add the permission to the appropriate policy. For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console).

6.    In the JSON policy documents, look for statements with "Effect": "Deny". Confirm that those statements don't deny the s3:PutObject action on the bucket. The statements must not deny the IAM user or role access to the kms:GenerateDataKey action on the key used to encrypt the bucket. Also, the required KMS and S3 permissions must not be restricted when using VPC endpoint policies, service control policies, permissions boundaries, or session policies.

"An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied"

This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey and kms:Decrypt actions.

Follow these steps to add permissions for kms:GenerateDataKey and kms:Decrypt:

1.    Open the IAM console.

2.    Choose the IAM user or role that you're using to upload files to the Amazon S3 bucket.

3.    In the Permissions tab, expand each policy to view its JSON policy document.

4.    In the JSON policy documents, look for policies related to AWS KMS access. Review statements with "Effect": "Allow" to check if the role has permissions for kms:GenerateDataKey and kms:Decrypt on the bucket's AWS KMS key.

5.    If these permissions are missing, then add the permissions to the appropriate policy. For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console).

6.    In the JSON policy documents, look for statements with "Effect": "Deny". Then, confirm that those statements don't deny the s3:PutObject action on the bucket. The statements must not deny the IAM user or role access to the kms:GenerateDataKey and kms:Decrypt actions on the key used to encrypt the bucket. Also, the required KMS and S3 permissions must not be restricted when using VPC endpoint policies, service control policies, permissions boundaries, or session policies.
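The review in steps 3 to 6 of both procedures above (PutObject and CreateMultipartUpload) can be scripted over exported policy documents. This is an added example, not AWS code: the function name, the sample policies, the account ID, key ID and bucket name are constructed placeholders. It ignores `Condition`, `NotAction` and `NotResource`, treats conditional statements as unconditional, and covers identity policies only, not key policies, VPC endpoint policies, service control policies, permissions boundaries or session policies.

```python
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, ignore_case=False):
    """IAM-style match: '*' is any run of characters, '?' is any single one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def check_upload_permissions(policies, key_arn, object_arn, multipart=False):
    """Classify each required action as allowed, missing allow, or explicit deny."""
    needed = [("s3:PutObject", object_arn), ("kms:GenerateDataKey", key_arn)]
    if multipart:  # CreateMultipartUpload also needs kms:Decrypt
        needed.append(("kms:Decrypt", key_arn))
    verdict = {}
    for action, resource in needed:
        effects = set()
        for doc in policies:
            for st in _as_list(doc.get("Statement", [])):
                if "Action" not in st or "Resource" not in st:
                    continue  # NotAction / NotResource are out of scope here
                # Action names are case-insensitive; resource ARNs are not.
                if (any(_wild(a, action, True) for a in _as_list(st["Action"]))
                        and any(_wild(r, resource) for r in _as_list(st["Resource"]))):
                    effects.add(st["Effect"])
        # An explicit Deny always overrides any Allow.
        verdict[action] = ("explicit deny" if "Deny" in effects
                           else "allowed" if "Allow" in effects else "missing allow")
    return verdict

# Constructed sample values: placeholder account ID, key ID and bucket name.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"
UPLOAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey*"], "Resource": KEY_ARN},
]}
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "kms:Decrypt", "Resource": "*"},
]}

if __name__ == "__main__":
    print(check_upload_permissions([UPLOAD_POLICY], KEY_ARN, OBJECT_ARN))
    print(check_upload_permissions([UPLOAD_POLICY], KEY_ARN, OBJECT_ARN, multipart=True))
    print(check_upload_permissions([UPLOAD_POLICY, GUARDRAIL_POLICY], KEY_ARN, OBJECT_ARN, True))
```

With the sample policies, a single-part upload passes, a multipart upload reports `kms:Decrypt` as a missing allow, and adding the guardrail policy turns that into an explicit deny.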

