Verify Permissions and Fix Common IAM Issues
Overview
CloudAIPilot is designed to be an autonomous control plane. However, if the cloud credentials you provide lack the necessary permissions, the AI Pilot will be unable to execute your commands: the cloud provider rejects the API calls it makes on your behalf. This article covers how to diagnose and fix common IAM/RBAC issues.
Understanding the "Permission Denied" State
Because CloudAIPilot relies on asynchronous background operations, permission errors don't crash your browser. Instead:
- The AI Pilot proposes an action via an Approval Card.
- You click Approve.
- The background task begins. If the cloud provider rejects the API call (e.g., `403 Forbidden`), the Activity Center will mark the task as Failed.
- The associated log will explicitly state which permission was missing (e.g., `Missing iam:PassRole`).
Common Provider Issues
AWS
- Missing External ID: If you use a Cross-Account Role, ensure the exact External ID shown in your CloudAIPilot dashboard matches the one in your AWS Trust Policy.
- Missing FinOps Access: To use the autonomous cost intelligence engine, ensure the `ce:GetCostAndUsage` permission is attached to the role.
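The two AWS checks above (the External ID in the trust policy, and a required action such as `ce:GetCostAndUsage` being allowed on the role) can be verified offline from the policy documents before you approve an action. The script below is an added example, not CloudAIPilot's own tooling: it parses a trust policy and a role policy (both constructed samples with a placeholder account ID), reports whether the dashboard External ID matches the `sts:ExternalId` condition, lists required actions the role policy does not allow, and builds the kind of JSON statement you would paste into the console to grant the missing ones. Only `Allow` statements are evaluated; explicit `Deny` statements, permission boundaries and SCPs are outside its scope.

```python
import fnmatch
import json

# Constructed sample trust policy for a cross-account role with an External ID
# condition. The account ID is a placeholder, not a real CloudAIPilot account.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-123"}},
    }],
})

# Constructed sample role policy: compute access is granted, cost access is not.
SAMPLE_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_external_ids(trust_policy_json):
    """Collect every sts:ExternalId value required by an Allow/sts:AssumeRole statement."""
    doc = json.loads(trust_policy_json)
    ids = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {})
        for op in ("StringEquals", "StringEqualsIgnoreCase"):
            ids.update(_as_list(cond.get(op, {}).get("sts:ExternalId")))
    return ids


def check_external_id(trust_policy_json, dashboard_external_id):
    """Compare the External ID shown in the dashboard with the trust policy condition."""
    ids = trust_policy_external_ids(trust_policy_json)
    if not ids:
        return "no sts:ExternalId condition in trust policy"
    if dashboard_external_id in ids:
        return "ok"
    return "external id mismatch"


def allowed_actions(policy_json):
    """Actions (possibly wildcarded) granted by Allow statements in a policy."""
    doc = json.loads(policy_json)
    actions = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may use * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy_json, required):
    """Required actions that no Allow statement in the policy covers."""
    allowed = allowed_actions(policy_json)
    return sorted(a for a in required if not any(_action_matches(p, a) for p in allowed))


def grant_snippet(actions):
    """Build a least-privilege Allow statement for exactly the missing actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


if __name__ == "__main__":
    print(check_external_id(SAMPLE_TRUST_POLICY, "example-external-id-123"))
    missing = missing_actions(SAMPLE_ROLE_POLICY, ["ec2:RunInstances", "iam:PassRole", "ce:GetCostAndUsage"])
    print("missing:", missing)
    print(json.dumps(grant_snippet(missing), indent=2))
```

Run it against your own documents by replacing the two samples with the output of `aws iam get-role` (the `AssumeRolePolicyDocument`) and the role's attached policies; the `Resource` in the generated snippet is `*` here only because Cost Explorer actions are not resource-scoped, so narrow it for actions that are.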
GCP
- API Not Enabled: Even if the Service Account has `Compute Admin` rights, GCP requires you to explicitly enable the Compute Engine API in your project dashboard.
- Service Account Disabled: Ensure the service account hasn't been flagged or paused by your organization's internal security policies.
Azure
- Subscription Mismatch: Ensure the Service Principal is assigned the `Contributor` role at the Subscription level, not just inside a specific Resource Group.
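Whether a `Contributor` assignment sits at the Subscription level or only inside a Resource Group is visible in the `scope` field of each role assignment. The script below is an added example, not part of CloudAIPilot: it classifies assignment scopes and reports why a Service Principal would fail the check above. The sample assignments are constructed; their field names (`principalId`, `roleDefinitionName`, `scope`) follow the JSON that `az role assignment list` prints, and the subscription ID and principal ID are placeholders.

```python
import re

# Scope formats used by Azure RBAC. A management group assignment is inherited by
# every subscription beneath it, so it also satisfies a subscription-level check.
_SUBSCRIPTION_RE = re.compile(r"^/subscriptions/([^/]+)$", re.IGNORECASE)
_RESOURCE_GROUP_RE = re.compile(r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)$", re.IGNORECASE)
_MANAGEMENT_GROUP_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/([^/]+)$", re.IGNORECASE)

# Constructed sample: the Service Principal is Contributor only inside one
# Resource Group and Reader on the subscription, which is the mismatch described above.
PLACEHOLDER_SUB = "00000000-0000-0000-0000-000000000000"
PLACEHOLDER_SP = "11111111-1111-1111-1111-111111111111"
SAMPLE_ASSIGNMENTS = [
    {"principalId": PLACEHOLDER_SP, "roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{PLACEHOLDER_SUB}/resourceGroups/rg-prod"},
    {"principalId": PLACEHOLDER_SP, "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{PLACEHOLDER_SUB}"},
]


def classify_scope(scope):
    """Return (kind, subscription_id_or_None, resource_group_or_None) for a scope string."""
    m = _SUBSCRIPTION_RE.match(scope)
    if m:
        return ("subscription", m.group(1).lower(), None)
    m = _RESOURCE_GROUP_RE.match(scope)
    if m:
        return ("resourceGroup", m.group(1).lower(), m.group(2))
    if _MANAGEMENT_GROUP_RE.match(scope):
        return ("managementGroup", None, None)
    return ("other", None, None)


def diagnose_contributor(assignments, principal_id, subscription_id):
    """Explain whether the principal holds Contributor at (or above) the subscription."""
    sub = subscription_id.lower()
    rg_only = []
    for a in assignments:
        if a.get("principalId") != principal_id or a.get("roleDefinitionName") != "Contributor":
            continue
        kind, scope_sub, rg = classify_scope(a.get("scope", ""))
        if kind == "managementGroup" or (kind == "subscription" and scope_sub == sub):
            return "ok"
        if kind == "resourceGroup" and scope_sub == sub:
            rg_only.append(rg)
    if rg_only:
        return "Contributor only at resource group(s): " + ", ".join(sorted(rg_only))
    return "no Contributor assignment found for this principal in the subscription"


if __name__ == "__main__":
    print(diagnose_contributor(SAMPLE_ASSIGNMENTS, PLACEHOLDER_SP, PLACEHOLDER_SUB))
```

Feed it the real list with `az role assignment list --all -o json` for the Service Principal's object ID; an "ok" result means the role is scoped widely enough for subscription-wide provisioning, while a resource-group-only result is the mismatch this section describes.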
The AI Diagnostic Tool
If a server fails to provision, you do not need to guess why. You can ask the AI Pilot directly: *"Why did my AWS server provisioning fail?"* The AI will read the Activity Center logs, identify the exact missing IAM permission, and generate a JSON snippet you can paste into your cloud console to fix it.