Issue
I'm trying to use aws ec2 authorize-security-group-egress to have a script on the ec2 instance temporarily (I'll be pairing with revoke) open a port out to a particular IP. However, when I try to run the command it tells me the user isn't authorized to perform that command. The rest of the error message is encrypted, and unfortunately aws sts decode-authorization-message is also not authorized so I can't get any more information. I gather I need to go into the web console and give the user a particular IAM role but I haven't been able to find what role that is.
The error message is: An error occurred (UnauthorizedOperation) when calling the AuthorizeSecurityGroupIngress operation: You are not authorized to perform this operation. This is followed by five lines of junk that is the encrypted remainder of the message.
Solution
Generally, it is good practice, when a script or program executes on an EC2 instance, to give it permissions through an instance role.
In your case, since you want to use AuthorizeSecurityGroupEgress, the instance role would need to have that permission.
An example of an inline policy in an instance role that you could use is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:AuthorizeSecurityGroupEgress",
            "Resource": "*"
        }
    ]
}
AWS SDK and CLI automatically will use the instance role, thus there are no actions required from you to make use of them.
Answered By - Marcin
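The authorize/revoke pairing the question describes, as an added example that is not part of the original post or the answer: the rule is built as a /32 for the target host, revoked in a finally block so a failing script cannot leave egress open, and the instance-role policy is scoped to one security group and also grants sts:DecodeAuthorizationMessage so future UnauthorizedOperation messages can be read. The ec2 client is injected so the code runs offline against the FakeEC2 stand-in; with boto3 installed you would pass boto3.client("ec2") instead. The group ID, group ARN and IP used below are constructed placeholders.

```python
import ipaddress
from contextlib import contextmanager


def egress_permission(ip: str, port: int, protocol: str = "tcp") -> list:
    """Build the IpPermissions payload for a single-host (/32) egress rule."""
    host = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if host.version != 4:
        raise ValueError("this helper builds IPv4 (CidrIp) rules only")
    return [{
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": f"{host}/32", "Description": "temporary egress"}],
    }]


@contextmanager
def temporary_egress(ec2, group_id: str, ip: str, port: int):
    """Authorize the egress rule, yield, then revoke it even if the body fails."""
    perm = egress_permission(ip, port)
    ec2.authorize_security_group_egress(GroupId=group_id, IpPermissions=perm)
    try:
        yield perm
    finally:  # runs on normal exit and on exceptions raised in the with-body
        ec2.revoke_security_group_egress(GroupId=group_id, IpPermissions=perm)


def instance_role_policy(group_arn: str) -> dict:
    """Least-privilege inline policy: both egress actions scoped to one group,
    plus the STS call needed to decode UnauthorizedOperation messages."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ec2:AuthorizeSecurityGroupEgress",
                        "ec2:RevokeSecurityGroupEgress"],
             "Resource": group_arn},
            {"Effect": "Allow",
             "Action": "sts:DecodeAuthorizationMessage",
             "Resource": "*"},
        ],
    }


class FakeEC2:
    """Offline stand-in for boto3.client("ec2") that records the calls made."""
    def __init__(self):
        self.calls = []

    def authorize_security_group_egress(self, **kw):
        self.calls.append(("authorize", kw["GroupId"], kw["IpPermissions"]))

    def revoke_security_group_egress(self, **kw):
        self.calls.append(("revoke", kw["GroupId"], kw["IpPermissions"]))
```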