AWS EC2 instance create via Ansible IAM Roles instance_profile_name UnauthorizedOperation: Error

I am trying to create an EC2 instance via Ansible using IAM roles, but while launching the new instance I get this error:

failed: [localhost] => (item= IAMRole-1) => {"failed": true, "item": " IAMRole-1"}
msg: Instance creation failed => UnauthorizedOperation: You are not authorized to perform
this operation. Encoded authorization failure message: Ckcjt2GD81D5dlF6XakTSDypnwrgeQb0k
ouRMKh3Ol1jue553EZ7OXPt6fk1Q1-4HM-tLNPCkiX7ZgJWXYGSjHg2xP1A9LR7KBiXYeCtFKEQIC
W9cot3KAKPVcNXkHLrhREMfiT5KYEtrsA2A-xFCdvqwM2hNTNf7Y6VGe0Z48EDIyO5p5DxdNFsaSChUcb
iRUhSyRXIGWr_ZKkGM9GoyoVWCBk3Ni2Td7zkZ1EfAIeRJobiOnYXKE6Q

whereas the IAM role has full EC2 access, with the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    }
  ]
}

Any suggestions please.

Faisal Rabbani asked Jun 25 '14 06:06



1 Answer

The problem here is not with the IAM Role for Amazon EC2 itself, rather that you (i.e. the AWS credentials you are using yourself) seem to lack the iam:PassRole permission that is required to 'pass' that role to a requested EC2 instance on start, see section Permissions Required for Using Roles with Amazon EC2 within Granting Applications that Run on Amazon EC2 Instances Access to AWS Resources for details:

To launch an instance with a role, the developer must have permission to launch Amazon EC2 instances and permission to pass IAM roles.

The following sample policy allows users to use the AWS Management Console to launch an instance with a role. The policy allows a user to pass any role and to perform all Amazon EC2 actions by specifying an asterisk (*). The ListInstanceProfiles action allows users to view all the roles that are available on the AWS account.

Example Policy that grants a user permission to launch an instance with any role by using the Amazon EC2 console

{
  "Version": "2012-10-17",   
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:PassRole",
      "iam:ListInstanceProfiles",
      "ec2:*"
    ],
    "Resource": "*"
  }]
}

The reason for requiring this indirection via the PassRole permission is the ability to restrict which role a user can pass to an Amazon EC2 instance when the user is launching the instance:

This helps prevent the user from running applications that have more permissions than the user has been granted—that is, from being able to obtain elevated privileges. For example, imagine that user Alice has permissions only to launch Amazon EC2 instances and to work with Amazon S3 buckets, but the role she passes to an Amazon EC2 instance has permissions to work with IAM and DynamoDB. In that case, Alice might be able to launch the instance, log into it, get temporary security credentials, and then perform IAM or DynamoDB actions that she's not authorized for.

You might want to read my answer to How to specify an IAM role for an Amazon EC2 instance being launched via the AWS CLI? for a more elaborate explanation, which also links to Mike Pope's nice article about Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission), which explains the subject matter from an AWS point of view.

Steffen Opel answered Oct 31 '22 18:10
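As an added illustration of the answer above (not code from the question, the answer, or AWS), here is a minimal model of IAM's allow/deny evaluation showing why a caller holding only the questioner's ec2:* statement fails on iam:PassRole, why the answer's sample policy passes any role, and how a user policy can scope PassRole to the one role the instance actually needs. The account id 123456789012 and the role ARNs are constructed placeholders; the model covers only Action/Resource/Effect, not conditions or NotAction.

```python
"""Added example: simplified IAM policy evaluation for the PassRole case.
Account id and role ARNs below are constructed placeholders."""
from fnmatch import fnmatchcase

# Constructed sample policies, evaluated as if attached to the caller.
# 1) the questioner's ec2:* statement, 2) the answer's sample policy,
# 3) a least-privilege variant that only allows passing one named role.
QUESTION_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
ANSWER_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["iam:PassRole", "iam:ListInstanceProfiles", "ec2:*"],
     "Resource": "*"}]}
SCOPED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/IAMRole-1"}]}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case):
    # IAM treats '*' and '?' as wildcards; action names compare
    # case-insensitively, resource ARNs do not.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def is_allowed(policy, action, resource):
    """Explicit Deny wins over any Allow; no matching Allow is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        hit_action = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        hit_resource = any(_matches(r, resource, False) for r in _as_list(stmt["Resource"]))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_launch_with_role(policy, role_arn):
    """Launching with an instance profile needs ec2:RunInstances AND
    iam:PassRole on that specific role, as the answer explains."""
    return (is_allowed(policy, "ec2:RunInstances", "*")
            and is_allowed(policy, "iam:PassRole", role_arn))
```

The encoded part of the UnauthorizedOperation message in the question can be turned into the denied action and resource with the STS DecodeAuthorizationMessage API (the caller needs sts:DecodeAuthorizationMessage), which is the quickest way to confirm that iam:PassRole is the missing permission.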