taxaas

Reputation: 61

how do I launch ec2-instance with iam-role?

I can launch ec2-instance with iam-role in management console. But I have no idea how to launch ec2-instance with iam-role from aws-ruby-sdk

iam-role "test"'s Policy is here

    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"

Here is the result:

/var/lib/gems/1.8/gems/aws-sdk-1.7.1/lib/aws/core/client.rb:318:in `return_or_raise': 
You are not authorized to perform iam:PassRole with arn:aws:iam::xxxxxxxxxxx:role/test 
(AWS::EC2::Errors::UnauthorizedOperation)

Upvotes: 6

Views: 6724

Answers (1)

Mike Ryan

Reputation: 1438

The credentials you are using from your Ruby script do not have permission to launch an instance using the 'test' IAM Role. You need to modify the policy for this user, and grant it the IAM:PassRole permission, e.g.:

{
  "Statement": [{
      "Effect":"Allow",
      "Action":"ec2:RunInstances",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"arn:aws:iam::xxxxxxxxxxx:role/test"
    }]
}

This is a security feature - it is possible to misconfigure IAM to allow privilege escalations, so AWS uses a "secure by default" policy.

You could also use this policy to allow your users to launch instances using any IAM role - but you should consider the security implications before doing this:

    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"*"
    }

Ref: http://docs.amazonwebservices.com/IAM/latest/UserGuide/role-usecase-ec2app.html

Upvotes: 9
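Added example, not from the question or the answer: a small Ruby check, standard library only, that tells whether a policy document grants iam:PassRole for a given role ARN, and flags the wildcard-resource form the answer says to think twice about. The three sample policies and the account id are constructed for the example; `pass_role_check`, `iam_match?` and `as_array` are hypothetical helper names, not SDK calls.

```ruby
require 'json'

# Constructed sample policies; the account id is a placeholder.
ROLE_ARN = 'arn:aws:iam::111111111111:role/test'
SCOPED_POLICY = <<-POLICY
{"Statement": [
  {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::111111111111:role/test"}
]}
POLICY
BROAD_POLICY = <<-POLICY
{"Statement": [
  {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
]}
POLICY
MISSING_POLICY = <<-POLICY
{"Statement": {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}}
POLICY

# IAM treats '*' in Action and Resource as a wildcard; action and IAM role
# names are matched case-insensitively.
def iam_match?(pattern, value)
  re = Regexp.new('\A' + Regexp.escape(pattern).gsub('\*', '.*') + '\z', Regexp::IGNORECASE)
  !!(re =~ value)
end

# Statement, Action and Resource may each be a single value or an array.
def as_array(v)
  v.is_a?(Array) ? v : [v]
end

# :ok      -> iam:PassRole allowed only on specific role ARNs (the answer's first policy)
# :broad   -> allowed through a wildcard resource (the "any IAM role" variant)
# :missing -> not granted, or explicitly denied; RunInstances then fails with
#             the UnauthorizedOperation error shown in the question
def pass_role_check(policy_json, role_arn)
  denied = false
  allowed_via = []
  as_array(JSON.parse(policy_json)['Statement']).each do |st|
    next unless as_array(st['Action']).any? { |a| iam_match?(a, 'iam:PassRole') }
    matching = as_array(st['Resource']).select { |r| iam_match?(r, role_arn) }
    next if matching.empty?
    if st['Effect'] == 'Deny' then denied = true else allowed_via.concat(matching) end
  end
  return :missing if denied || allowed_via.empty?
  allowed_via.any? { |r| r.include?('*') } ? :broad : :ok
end
```

Run it against the policy attached to the user or group whose keys the Ruby script uses; `:broad` is the case where any role in the account, including more privileged ones, can be passed to an instance.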
