Coding_Rabbit

Reputation: 1337

Unauthorized operation error occurs when using Boto3 to launch an EC2 instance with an IAM role

I've read the question "How do I use Boto3 to launch an EC2 instance with an IAM role?" and tried to launch an instance with an IAM role in a Python script. Here's the code:

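import boto3

# create_instances is a method of the EC2 service resource
ec2 = boto3.resource('ec2')

instance = ec2.create_instances(
    ImageId='ami-1a7f6d7e',
    KeyName='MyKeyPair',
    MinCount=1,
    MaxCount=1,
    SecurityGroups=['launch-wizard-3'],
    InstanceType='t2.micro',
    # Instance profile to attach at launch
    IamInstanceProfile={
        'Arn': 'arn:aws:iam::627714603946:instance-profile/SSMforCC'}
)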

However, I got this error after running the script:

botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation.

I found that the question "how do I launch ec2-instance with iam-role?" provides a solution for Ruby to solve the problem. Can anybody tell me if there's a way to solve this problem in Python with Boto3?

Upvotes: 3

Views: 9005

Answers (2)

helloV

Reputation: 52453

You do not have sufficient privileges (iam::PassRole) to attach an IAM role to an instance. So attach a policy that grants you the privilege. You can attach a policy to a user only if you are an IAM admin or have sufficient privileges to attach a policy to a user.

Upvotes: 3
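The PassRole permission this answer refers to is evaluated against the role contained in the instance profile, not against the instance-profile ARN. As an added example (not part of the original answers), the code below builds an identity policy that allows the launch and limits iam:PassRole to one role passed to EC2, plus a check that flags broader PassRole grants. ROLE_ARN is a constructed placeholder, and the check is a simplification that ignores NotAction and NotResource.

```python
from fnmatch import fnmatchcase
import json

# Constructed placeholder: the ARN of the role inside your instance profile.
ROLE_ARN = "arn:aws:iam::123456789012:role/EXAMPLE-ROLE"

def build_launch_policy(role_arn):
    """Identity policy: launch instances and pass exactly one role to EC2."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "LaunchInstances", "Effect": "Allow",
             "Action": "ec2:RunInstances", "Resource": "*"},
            # PassRole is scoped to one role and to the EC2 service only.
            {"Sid": "PassOneRoleToEc2", "Effect": "Allow",
             "Action": "iam:PassRole", "Resource": role_arn,
             "Condition": {"StringEquals":
                           {"iam:PassedToService": "ec2.amazonaws.com"}}},
        ],
    }

def _as_list(value):
    # IAM allows a single string/object where a list is also accepted.
    return value if isinstance(value, list) else [value]

def overbroad_passrole(policy):
    """Return Sids (or positions) of Allow statements that grant iam:PassRole
    on a wildcard resource or without an iam:PassedToService condition."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive and may contain wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatchcase("iam:passrole", a) for a in actions):
            continue
        wildcard = any("*" in r for r in _as_list(stmt.get("Resource", [])))
        conditions = json.dumps(stmt.get("Condition", {})).lower()
        if wildcard or "iam:passedtoservice" not in conditions:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

if __name__ == "__main__":
    policy = build_launch_policy(ROLE_ARN)
    print(json.dumps(policy, indent=2))
    print("over-broad PassRole statements:", overbroad_passrole(policy))
```
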

abiydv

Reputation: 621

I would check:

1. If you are authenticating to AWS correctly or not - you can specify the access and secret keys explicitly in the clients.

import boto3

# ACCESS_KEY and SECRET_KEY stand for your own credentials
client = boto3.client(
    'ec2',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
)

2. If the user has ec2:runInstances IAM permission on the resource you are trying to create.

Upvotes: 4
