<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk Add-on for AWS in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-AWS/m-p/756900#M120064</link>
    <description>&lt;P&gt;Thanks for the input livehybrid.&lt;/P&gt;&lt;P&gt;I guess I am still not following the way it is supposed to work.&lt;/P&gt;&lt;P&gt;For me, I have a user SplunkUser that has a trust relationship with SplunkRole. The user SplunkUser is given permissions to "sts:AssumeRole"&lt;/P&gt;&lt;P&gt;After the SplunkUser assumes the SplunkRole - the Role has permissions to list queues but yes, the error implies that the SplunkUser is attempting to list queues, not the Role.&lt;/P&gt;&lt;P&gt;Any further guidance would be welcomed.&lt;/P&gt;&lt;P&gt;Thanks!&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 02 Jan 2026 14:29:55 GMT</pubDate>
    <dc:creator>drggfish1</dc:creator>
    <dc:date>2026-01-02T14:29:55Z</dc:date>
    <item>
      <title>Splunk Add-on for AWS</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-AWS/m-p/756881#M120056</link>
      <description>&lt;P&gt;I am trying to configure the&amp;nbsp;Splunk Add-on for AWS for brining in CloudTrail logs via SQS S3. I have the following User, Role, and Permissions set up in AWS:&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;SplunkUser&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;I have the following permissions defined:&lt;/P&gt;&lt;P&gt;{&lt;BR /&gt;"Version": "2012-10-17",&lt;BR /&gt;"Statement": [&lt;BR /&gt;{&lt;BR /&gt;"Sid": "Statement1",&lt;BR /&gt;"Effect": "Allow",&lt;BR /&gt;"Action": "sts:AssumeRole",&lt;BR /&gt;"Resource": "arn:aws:iam::MYACCOUNTNUMBER:role/SplunkRole"&lt;BR /&gt;}&lt;BR /&gt;]&lt;BR /&gt;}&lt;/P&gt;&lt;P&gt;I have the following SplunkRole defined:&lt;/P&gt;&lt;P&gt;Trust Relationship&lt;/P&gt;&lt;P&gt;{&lt;BR /&gt;"Version": "2012-10-17",&lt;BR /&gt;"Statement": [&lt;BR /&gt;{&lt;BR /&gt;"Effect": "Allow",&lt;BR /&gt;"Principal": {&lt;BR /&gt;"AWS": "arn:aws:iam::MYACCOUNTNUMBER:user/SplunkUser"&lt;BR /&gt;},&lt;BR /&gt;"Action": "sts:AssumeRole",&lt;BR /&gt;"Condition": {}&lt;BR /&gt;}&lt;BR /&gt;]&lt;BR /&gt;}&lt;/P&gt;&lt;P&gt;I have the following permissions attached to the Splunk Role and from a previously created "SplunkSQSPolicy"&lt;/P&gt;&lt;P&gt;{&lt;BR /&gt;"Version": "2012-10-17",&lt;BR /&gt;"Statement": [&lt;BR /&gt;{&lt;BR /&gt;"Effect": "Allow",&lt;BR /&gt;"Action": [&lt;BR /&gt;"sqs:GetQueueAttributes",&lt;BR /&gt;"sqs:ListQueues",&lt;BR /&gt;"sqs:ReceiveMessage",&lt;BR /&gt;"sqs:GetQueueUrl",&lt;BR /&gt;"sqs:SendMessage",&lt;BR /&gt;"sqs:DeleteMessage",&lt;BR /&gt;"s3:ListBucket",&lt;BR /&gt;"s3:GetObject",&lt;BR /&gt;"s3:GetObjectVersion",&lt;BR /&gt;"s3:GetBucketLocation",&lt;BR /&gt;"s3:ListAllMyBuckets",&lt;BR /&gt;"s3:GetBucketTagging",&lt;BR /&gt;"s3:GetAccelerateConfiguration",&lt;BR /&gt;"s3:GetBucketLogging",&lt;BR /&gt;"s3:GetLifecycleConfiguration",&lt;BR /&gt;"s3:GetBucketCORS",&lt;BR /&gt;"kms:Decrypt"&lt;BR /&gt;],&lt;BR /&gt;"Resource": [&lt;BR /&gt;"*"&lt;BR /&gt;]&lt;BR /&gt;}&lt;BR /&gt;]&lt;BR /&gt;}&lt;/P&gt;&lt;P&gt;I keep getting the following ERROR:&lt;/P&gt;&lt;P&gt;An error occurred (AccessDenied) when calling the ListQueues operation: User: arn:aws:iam::MYACCOUNTNUMBER:user/SplunkUser is not authorized to perform: sqs:listqueues on resource: arn:aws:sqs:us-east-1:MYACCOUNTNUMBER: because no identity-based policy allows the sqs:listqueues action&lt;/P&gt;&lt;P&gt;I am not sure why this is failing, I have the&amp;nbsp;sqs:listqueues API call listed in the Permission Policy.&lt;/P&gt;&lt;P&gt;Please advise,&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Thu, 01 Jan 2026 14:50:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-AWS/m-p/756881#M120056</guid>
      <dc:creator>drggfish1</dc:creator>
      <dc:date>2026-01-01T14:50:06Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-on for AWS</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-AWS/m-p/756894#M120063</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/314848"&gt;@drggfish1&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It looks like your configuration hasn’t picked up the role assumption as it says that '&lt;SPAN&gt;arn:aws:iam::MYACCOUNTNUMBER:user/SplunkUser' cannot list the queues when it should actually be the role you have assumed which is listing the queues.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Please can you confirm that you have added the Assume role and selected it for the input? See&amp;nbsp;&lt;A href="https://splunk.github.io/splunk-add-on-for-amazon-web-services/ManageAwsIAMRole/" target="_blank"&gt;https://splunk.github.io/splunk-add-on-for-amazon-web-services/ManageAwsIAMRole/&lt;/A&gt;&amp;nbsp;for more details.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-unicode-emoji" title=":glowing_star:"&gt;🌟&lt;/span&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;STRONG&gt;Did this answer help you?&lt;/STRONG&gt;&lt;SPAN&gt;&amp;nbsp;&lt;/SPAN&gt;If so, please consider:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Adding karma to show it was useful&lt;/LI&gt;&lt;LI&gt;Marking it as the solution if it resolved your issue&lt;/LI&gt;&lt;LI&gt;Commenting if you need any clarification&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Your feedback encourages the volunteers in this community to continue contributing&lt;/P&gt;</description>
      <pubDate>Fri, 02 Jan 2026 13:36:19 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-AWS/m-p/756894#M120063</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2026-01-02T13:36:19Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-on for AWS</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-AWS/m-p/756900#M120064</link>
      <description>&lt;P&gt;Thanks for the input livehybrid.&lt;/P&gt;&lt;P&gt;I guess I am still not following the way it is supposed to work.&lt;/P&gt;&lt;P&gt;For me, I have a user SplunkUser that has a trust relationship with SplunkRole. The user SplunkUser is given permissions to "sts:AssumeRole"&lt;/P&gt;&lt;P&gt;After the SplunkUser assumes the SplunkRole - the Role has permissions to list queues but yes, the error implies that the SplunkUser is attempting to list queues, not the Role.&lt;/P&gt;&lt;P&gt;Any further guidance would be welcomed.&lt;/P&gt;&lt;P&gt;Thanks!&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 02 Jan 2026 14:29:55 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-AWS/m-p/756900#M120064</guid>
      <dc:creator>drggfish1</dc:creator>
      <dc:date>2026-01-02T14:29:55Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk Add-on for AWS</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-AWS/m-p/756901#M120065</link>
      <description>&lt;P&gt;Update - I just added my Role Arn to the configuration for the Splunk Add on for AWS in Splunk.&amp;nbsp; So in addition to the account information I added the Assume Role information.&lt;/P&gt;&lt;P&gt;It now works. I am assuming this is the way it is supposed to work.&lt;/P&gt;&lt;P&gt;Thoughts?&lt;/P&gt;</description>
      <pubDate>Fri, 02 Jan 2026 14:35:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-Add-on-for-AWS/m-p/756901#M120065</guid>
      <dc:creator>drggfish1</dc:creator>
      <dc:date>2026-01-02T14:35:57Z</dc:date>
    </item>
  </channel>
</rss>

