Misko

Reputation: 1596

AWS EC2: IAM policy for ec2:RequestSpotInstances

I need to create a policy that would allow a user to create spot requests, but only with specific subnets and security groups. This is what I did:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RequestSpotInstances",
            "Resource": [
                "arn:aws:ec2:us-east-1:123456789012:image/ami-*",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-af016c92",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-12a34d3c",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-f0e844cd",
                "arn:aws:ec2:us-east-1:123456789012:subnet/subnet-026ae728",
                "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
                "arn:aws:ec2:us-east-1:123456789012:security-group/sg-b5dd94cd",
                "arn:aws:ec2:us-east-1:123456789012:security-group/sg-3bda8c42"
            ]
        }
    ]
}

But my spot request creation still fails:

botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the RequestSpotInstances operation: You are not authorized to perform this operation.

What is the minimum subset of permissions for RequestSpotInstances action?

Is there some possibility to debug this?

Upvotes: 1

Views: 1723

Answers (2)

Allen K

Reputation: 31

I know this is an old issue, but I just ran across the same issue in my environment. The solution for me was adding an IAM permission for "PassRole":

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1479335761363",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Upvotes: 3

jmac1701

Reputation: 1

According to the EC2 docs (here), ec2:RequestSpotInstances is an action which falls into the category of "Unsupported Resource-Level Permissions." Unfortunately, you will have to set the resource tag to all resources, like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:RequestSpotInstances",
            "Resource": [ "*" ]
        }
    ]
}

As far as debugging goes, don't forget about the IAM policy simulator, which can be accessed from the AWS Console => IAM => User page.

Upvotes: 0
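An added example that is not from this thread or from AWS: a small policy evaluator in Python that models, offline, what the two answers describe. It treats ec2:RequestSpotInstances as an action without resource-level permissions by evaluating it against the resource "*" (an assumption taken from jmac1701's answer, not a check of the current EC2 documentation), so the question's list of specific ARNs never matches while "Resource": "*" does. It also runs Allen K's iam:PassRole fix next to a least-privilege variant that pins the role ARN and the service it may be passed to; the role names spot-worker and admin are made up. Only Action/Resource wildcards, StringEquals conditions and deny-overrides-allow are implemented; real IAM evaluation has far more.

```python
"""Toy IAM policy evaluator (added example; not code from the thread or AWS)."""
import re

ACCOUNT = "123456789012"  # the account id used in the question

# Actions the answers say have no resource-level permission support. Modelled
# here by matching them against the resource "*"; this is an assumption drawn
# from the thread, not a lookup of the current EC2 documentation.
NO_RESOURCE_LEVEL = {"ec2:requestspotinstances"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    ) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _conditions_hold(condition, context):
    # Only StringEquals is implemented; every key must be present and match.
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in clauses.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request; no match is an implicit deny."""
    context = context or {}
    if action.lower() in NO_RESOURCE_LEVEL:
        resource = "*"  # only a "*" Resource pattern can match this action
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])      # action names are case-insensitive
        resources = _as_list(stmt["Resource"])  # ARNs are case-sensitive
        if not any(_wildcard_match(p, action, True) for p in actions):
            continue
        if not any(_wildcard_match(p, resource, False) for p in resources):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# The question's approach: specific ARNs, no "*" (two of its ARNs, for brevity).
QUESTION_POLICY = _policy({
    "Effect": "Allow",
    "Action": "ec2:RequestSpotInstances",
    "Resource": [
        f"arn:aws:ec2:us-east-1:{ACCOUNT}:subnet/subnet-af016c92",
        f"arn:aws:ec2:us-east-1:{ACCOUNT}:security-group/sg-b5dd94cd",
    ],
})

# jmac1701's answer: Resource "*" is the only pattern that can match.
WILDCARD_POLICY = _policy({
    "Effect": "Allow", "Action": "ec2:RequestSpotInstances", "Resource": "*",
})

# Allen K's answer as posted: iam:PassRole on every role in the account.
BROAD_PASSROLE = _policy({
    "Effect": "Allow",
    "Action": ["ec2:RequestSpotInstances", "ec2:RunInstances", "iam:PassRole"],
    "Resource": "*",
})

# Least-privilege variant: only the instance role the spot instances should run
# as, and only when passed to EC2. "spot-worker" and "admin" are made-up names.
WORKER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/spot-worker"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/admin"
TO_EC2 = {"iam:PassedToService": "ec2.amazonaws.com"}
SCOPED_PASSROLE = _policy({
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": WORKER_ROLE,
    "Condition": {"StringEquals": TO_EC2},
})

if __name__ == "__main__":
    sg = f"arn:aws:ec2:us-east-1:{ACCOUNT}:security-group/sg-b5dd94cd"
    spot = "ec2:RequestSpotInstances"
    print("question policy      :", evaluate(QUESTION_POLICY, spot, sg))  # Deny
    print("wildcard policy      :", evaluate(WILDCARD_POLICY, spot, sg))  # Allow
    print("broad PassRole/admin :", evaluate(BROAD_PASSROLE, "iam:PassRole", ADMIN_ROLE, TO_EC2))    # Allow
    print("scoped PassRole/ok   :", evaluate(SCOPED_PASSROLE, "iam:PassRole", WORKER_ROLE, TO_EC2))  # Allow
    print("scoped PassRole/admin:", evaluate(SCOPED_PASSROLE, "iam:PassRole", ADMIN_ROLE, TO_EC2))   # Deny
```

The first two runs reproduce the thread: the question's policy is an implicit deny because none of its ARN patterns can match "*", and the wildcard policy allows. The PassRole runs show the caveat with Allen K's fix: "Resource": "*" on iam:PassRole lets the user attach any role in the account (including an admin role) to an instance they launch, which is a straightforward privilege-escalation path; pinning the role ARN and adding the iam:PassedToService condition keeps the spot request working while closing that path.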
