How do I launch an ec2-instance with an iam-role?

I can launch an ec2-instance with an iam-role in the management console. But I have no idea how to launch an ec2-instance with an iam-role from aws-ruby-sdk.

iam-role "test"'s policy is here:

    {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
    }

Here is the result:

    /var/lib/gems/1.8/gems/aws-sdk-1.7.1/lib/aws/core/client.rb:318:in `return_or_raise':
    You are not authorized to perform iam:PassRole with arn:aws:iam::xxxxxxxxxxx:role/test
    (AWS::EC2::Errors::UnauthorizedOperation)
taxaas asked Nov 25 '12 19:11


1 Answer

The credentials you are using from your Ruby script do not have permission to launch an instance using the 'test' IAM Role. You need to modify the policy for this user, and grant it the iam:PassRole permission, e.g.:

{
  "Statement": [{
      "Effect":"Allow",
      "Action":"ec2:RunInstances",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"arn:aws:iam::xxxxxxxxxxx:role/test"
    }]
}

This is a security feature - it is possible to misconfigure IAM to allow privilege escalations, so AWS uses a "secure by default" policy.

You could also use this policy to allow your users to launch instances using any IAM role - but you should consider the security implications before doing this:

    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"*"
    }

Ref: http://docs.amazonwebservices.com/IAM/latest/UserGuide/role-usecase-ec2app.html

Mike Ryan answered Sep 27 '22 16:09
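The check the answer describes, worked through as an added example (not code from the question, the answer, or the AWS SDK): a small simulator of the two authorizations a RunInstances call with an instance profile needs on the caller's own identity, showing that the role's "Allow *" policy has no bearing on it, that the answer's policy passes, and that the role-scoped PassRole still rejects any other role. The account id is the page's xxxxxxxxxxx placeholder and the "before" policy is a constructed guess at what the asker's user had.

```ruby
# Added example: simulate the IAM decision behind the page's
# "not authorized to perform iam:PassRole" error. Launching an EC2 instance
# with an IAM role needs two allows on the CALLER's policy: ec2:RunInstances
# and iam:PassRole on the role's ARN. The role's own policy is irrelevant here.
require 'json'

ROLE_ARN = 'arn:aws:iam::xxxxxxxxxxx:role/test' # placeholder account id from the page

# Turn an IAM pattern ("*" and "?" wildcards) into an anchored, case-insensitive regex.
def iam_glob(pattern)
  body = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  Regexp.new('\A' + body + '\z', Regexp::IGNORECASE)
end

# Evaluate one (action, resource) pair against a policy document.
# An explicit Deny overrides any Allow; no matching Allow is an implicit deny.
def allowed?(policy, action, resource)
  matched = Array(policy['Statement']).select do |st|
    Array(st['Action']).any? { |a| iam_glob(a).match?(action) } &&
      Array(st['Resource']).any? { |r| iam_glob(r).match?(resource) }
  end
  return false if matched.any? { |st| st['Effect'] == 'Deny' }
  matched.any? { |st| st['Effect'] == 'Allow' }
end

# Returns nil when the launch would be authorized, otherwise the missing permission.
def run_instances_with_role(caller_policy, role_arn)
  return 'ec2:RunInstances' unless allowed?(caller_policy, 'ec2:RunInstances', '*')
  return 'iam:PassRole' unless allowed?(caller_policy, 'iam:PassRole', role_arn)
  nil
end

# Constructed "before": a user allowed to do anything in EC2 but nothing in IAM.
BEFORE = JSON.parse('{"Statement":[{"Effect":"Allow","Action":"ec2:*","Resource":"*"}]}')
# The answer's fix: RunInstances plus PassRole scoped to the single role.
AFTER = JSON.parse(<<~POLICY)
  {"Statement":[
    {"Effect":"Allow","Action":"ec2:RunInstances","Resource":"*"},
    {"Effect":"Allow","Action":"iam:PassRole","Resource":"#{ROLE_ARN}"}]}
POLICY

if __FILE__ == $0
  puts "before: #{run_instances_with_role(BEFORE, ROLE_ARN).inspect}" # "iam:PassRole"
  puts "after:  #{run_instances_with_role(AFTER, ROLE_ARN).inspect}"  # nil
  other = 'arn:aws:iam::xxxxxxxxxxx:role/other'
  puts "other role: #{run_instances_with_role(AFTER, other).inspect}" # "iam:PassRole"
end
```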