Tags: amazon-web-services, amazon-ec2, policy

AWS limiting policy permissions for EC2 create


What is the most limited IAM policy I can give a user to still allow them to create an EC2 instance? The policy doesn't need anything else. I've messed with it on and off for a day and cannot get the right combination.


Solution

  • The minimum permission to launch an Amazon EC2 instance via the AWS Command-Line Interface (CLI) is simply RunInstances:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RunInstances",
                "Effect": "Allow",
                "Action": "ec2:RunInstances",
                "Resource": "*"
            }
        ]
    }
    

    Using that policy, I launched an instance with this AWS CLI command:

    aws ec2 run-instances --image-id ami-xxx --key-name my-key --security-group-id sg-xxx --instance-type t2.nano
    

    How to debug permission errors

    If you add any other parameters, then the command might fail.

    For example, I added this parameter:

    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=Temp}]'
    

    This failed with:

    An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. Encoded authorization failure message: xxx

    I then decrypted the encoded failure message (using an Admin IAM user) using:

    aws sts decode-authorization-message --encoded-message xxx
    

    This returned:

    {
        "allowed": false,
        "explicitDeny": false,
        "matchedStatements": {
            "items": []
        },
        "failures": {
            "items": []
        },
        "context": {
            "principal": {
                "id": "AIDAxxx",
                "name": "my-user",
                "arn": "arn:aws:iam::123456789012:user/my-user"
            },
            "action": "ec2:CreateTags",
            "resource": "arn:aws:ec2:ap-southeast-2:123456789012:instance/*",
            "conditions": {
                "items": [
                    {
                        "key": "aws:Resource",
                        "values": {
                            "items": [
                                {
                                    "value": "instance/*"
                                }
                            ]
                        }
                    },
                    ...
                ]
            }
        }
    }
    

    Clearly the problem was with ec2:CreateTags because my command requested tags to be added to the instance. Therefore, I'd either need to add those permissions, or remove the tag parameter from the RunInstances command.

    Trivia

    Have you ever wondered why the command is called RunInstances rather than LaunchInstances or CreateInstances?

    (I think) it is because in the early days of Amazon EC2, there was only Instance Storage (no Amazon Elastic Block Storage (EBS)). Therefore, it was not possible to Stop an instance, since this would lose the disk contents and the instance could not be Started again. Thus, the commands were RunInstances and TerminateInstances.

    These days, we can StartInstances and StopInstances. However, the old terminology of RunInstances remains, which is always a bit confusing for new users since it is not obvious whether it means launch or start.
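The debugging loop in the answer (run the command, decode the authorization failure, add the missing action) can be partly automated. The following is an added example, not code from the answer above: it parses the JSON that `aws sts decode-authorization-message` returns, reports what was denied, and proposes the narrowest Allow statement. The sample input is constructed from the decoded message shown above, and the mapping of ec2:CreateTags to the ec2:CreateAction condition key is a deliberate least-privilege choice that limits tagging to tag-on-create.

```python
"""Parse the output of `aws sts decode-authorization-message` and propose the
narrowest IAM statement that would have allowed the denied call."""
import json
from typing import Optional

# Constructed sample: the decoded authorization failure quoted in the answer.
DECODED_MESSAGE = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "AIDAxxx", "name": "my-user",
                      "arn": "arn:aws:iam::123456789012:user/my-user"},
        "action": "ec2:CreateTags",
        "resource": "arn:aws:ec2:ap-southeast-2:123456789012:instance/*",
        "conditions": {"items": [
            {"key": "aws:Resource", "values": {"items": [{"value": "instance/*"}]}}
        ]},
    },
})

# Actions that only need to be granted as a side effect of a create call.
# Scoping them with ec2:CreateAction allows tag-on-create without allowing the
# user to retag arbitrary existing resources.
CREATE_SIDE_EFFECTS = {"ec2:CreateTags": "RunInstances"}

def diagnose(decoded: str) -> dict:
    """Return the denied action, resource, principal and condition keys."""
    msg = json.loads(decoded)
    ctx = msg["context"]
    return {
        "allowed": msg["allowed"],
        "explicit_deny": msg["explicitDeny"],
        "action": ctx["action"],
        "resource": ctx["resource"],
        "principal": ctx["principal"]["arn"],
        "condition_keys": [c["key"] for c in ctx["conditions"]["items"]],
    }

def suggest_statement(decoded: str) -> Optional[dict]:
    """Build an Allow statement for the denied action, or None when the call
    was allowed or hit an explicit Deny (adding an Allow would not help)."""
    d = diagnose(decoded)
    if d["allowed"] or d["explicit_deny"]:
        return None
    stmt = {"Sid": d["action"].replace(":", ""), "Effect": "Allow",
            "Action": d["action"], "Resource": d["resource"]}
    create_action = CREATE_SIDE_EFFECTS.get(d["action"])
    if create_action:
        stmt["Condition"] = {"StringEquals": {"ec2:CreateAction": create_action}}
    return stmt

if __name__ == "__main__":
    print(json.dumps(suggest_statement(DECODED_MESSAGE), indent=2))
```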