Zach Moshe
Reputation: 2980
Required IAM permissions for ec2.requestSpotInstances?
I'm trying to set permissions on an IAM role that will submit a new spot instance request if needed. It will be used by a Lambda function.
The code does the following AWS API calls:
- ec2.describeSpotInstanceRequests
- ec2.requestSpotInstances
- ec2.createTags
And I created for it the following policy (after trying a lot of other options...):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1437749945000",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:RequestSpotInstances",
"ec2:RunInstances",
"ec2:CreateTags",
"iam:List*"
],
"Resource": [
"*"
]
}
]
}
If I add iam:* it works, but obviously I don't want to do that..
Can anyone help me guessing what permission it really needs? Does anyone know of a map between AWS API calls and all required permissions?
Upvotes: 1
Views: 1065
Answers (1)
Frederick Cheung
Reputation: 84132
When starting an instance that has an IAM role specified, you need the iam:PassRole permission.
The resource should be the arn for the role, usually of the form arn:aws:iam::012345678912:role/role_name.
Upvotes: 1
Related Questions
- IAM permission for EC2 Data Lifecycle Manager is not working
- which IAM Permission do I need to grant to READ running instances in region page?
- AWS IAM is failing with missing permissions that are unrecognized by AWS
- IAM role fails to give permission to an EC2 instance
- AWS EC2: IAM policy for ec2:RequestSpotInstances
- What are the required AWS IAM policy permissions to provision EC2 Instances from the CLI?
- Why is AWS denying permission when IAM is set to allow all?
- AccessDenied for EC2 Instance with attached IAM Role
- What permissions should I grant an IAM so that it may create instances and manage them?
- AWS IAM User Permission for a specific EC2 server not working