Issue
I have a problem where I can't understand why it works like that.
I have a CloudFormation template, which gives the following access rights to the machines:

    - Effect: Allow
      Action:
        - ec2:RunInstances
        - ec2:ModifyInstanceAttribute
      Resource:
        - 'Fn::Join': [ '', [ 'arn:aws:ec2:', Ref: 'AWS::Region', ':', Ref: 'AWS::AccountId', ':instance/*' ] ]
        - 'Fn::Join': [ '', [ 'arn:aws:ec2:', Ref: 'AWS::Region', ':', Ref: 'AWS::AccountId', ':key-pair/*' ] ]
        - 'Fn::Join': [ '', [ 'arn:aws:ec2:', Ref: 'AWS::Region', ':', Ref: 'AWS::AccountId', ':security-group/', Ref: DBSecurityGroup ] ]
        - 'Fn::Join': [ '', [ 'arn:aws:ec2:', Ref: 'AWS::Region', ':', Ref: 'AWS::AccountId', ':volume/*' ] ]
        - 'Fn::Join': [ '', [ 'arn:aws:ec2:', Ref: 'AWS::Region', ':', Ref: 'AWS::AccountId', ':network-interface/**' ] ]
        - 'Fn::Join': [ '', [ 'arn:aws:ec2:', Ref: 'AWS::Region', ':', Ref: 'AWS::AccountId', ':subnet/', Ref: Subnet ] ]
        - 'Fn::Join': [ '', [ 'arn:aws:ec2:', Ref: 'AWS::Region', ':', Ref: 'AWS::AccountId', ':placement-group/*' ] ]
        - 'Fn::Join': [ '', [ 'arn:aws:ec2:', Ref: 'AWS::Region', '::image/ami-**' ] ]

The machines can call run-instances using this role, and everything works fine.
If I enable metadata tags, like this:

    InstanceEnableTagsMetadata:
      Type: 'AWS::EC2::LaunchTemplate'
      Properties:
        LaunchTemplateData:
          MetadataOptions:
            InstanceMetadataTags: enabled

the run-instances calls stop working with insufficient privileges. The error messages look like this:

    API: ec2:RunInstances You are not authorized to perform this operation. Encoded authorization failure message: OTMSE3dUu3XO...
What could be the problem?
Solution
When I decode the encoded message, I get the following:

    $ aws sts decode-authorization-message --encoded-message Uz9... \
        | jq -r .DecodedMessage | jq .
    # [here comes a big JSON with details]

We see in the decoding that the failed action is launch-template:

    {
      "key": "aws:Resource",
      "values": {
        "items": [
          {
            "value": "launch-template/lt-"
          }
        ]
      }
    },

That means launch-template should be added to the list of allowed actions.

(thanks to @ZabielskiGabriel for the hint)
Answered By - Igor Chubin Answer Checked By - Senaida (WPSolving Volunteer)
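As an added example (not code from the question or the answer above), the script below shows how a practitioner would work through the decoded message offline: parse the `context` block that `aws sts decode-authorization-message` returns, pull out the denied action and resource ARN, check that ARN against the policy's Resource patterns using IAM wildcard semantics, and derive the ARN pattern that is missing. One point worth being precise about: `launch-template` is an EC2 resource type, not an action, so the fix is an extra entry in the statement's Resource list such as `arn:aws:ec2:<region>:<account>:launch-template/*`, alongside the existing `ec2:RunInstances` action. Once a launch goes through a launch template, `ec2:RunInstances` is authorized against the launch-template ARN as well, which is why the policy that worked for a plain launch stopped working. The decoded message, region, account ID and launch-template ID in the block are constructed sample data; the Resource patterns are the ones from the question with the CloudFormation `Ref`s substituted by hand.

```python
"""Inspect a decoded STS authorization-failure message and find the resource
ARN that the existing IAM policy statement does not cover.

All sample data below is constructed for illustration; it is not the
asker's real output, and the IDs are made up.
"""
import json
import re

# Constructed sample: same shape as the "DecodedMessage" JSON returned by
# `aws sts decode-authorization-message` for an implicit deny.
DECODED_MESSAGE = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {
            "id": "AROAEXAMPLEID:i-0123456789abcdef0",
            "arn": "arn:aws:sts::123456789012:assumed-role/ExampleInstanceRole/i-0123456789abcdef0",
        },
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:eu-west-1:123456789012:launch-template/lt-0123456789abcdef0",
        "conditions": {"items": [
            {"key": "aws:Region", "values": {"items": [{"value": "eu-west-1"}]}},
            {"key": "aws:Resource", "values": {"items": [{"value": "launch-template/lt-0123456789abcdef0"}]}},
        ]},
    },
})

# The Resource list from the question's statement, with Ref: 'AWS::Region',
# Ref: 'AWS::AccountId', Ref: DBSecurityGroup and Ref: Subnet substituted
# by hand with made-up values.
ORIGINAL_RESOURCE_PATTERNS = [
    "arn:aws:ec2:eu-west-1:123456789012:instance/*",
    "arn:aws:ec2:eu-west-1:123456789012:key-pair/*",
    "arn:aws:ec2:eu-west-1:123456789012:security-group/sg-0fedcba9876543210",
    "arn:aws:ec2:eu-west-1:123456789012:volume/*",
    "arn:aws:ec2:eu-west-1:123456789012:network-interface/**",
    "arn:aws:ec2:eu-west-1:123456789012:subnet/subnet-0123456789abcdef0",
    "arn:aws:ec2:eu-west-1:123456789012:placement-group/*",
    "arn:aws:ec2:eu-west-1::image/ami-**",
]

# arn:partition:service:region:account:resource (region/account may be empty)
ARN_RE = re.compile(r"^arn:([^:]*):([^:]*):([^:]*):([^:]*):(.+)$")


def parse_arn(arn):
    """Split an ARN into its five fields; raises ValueError on malformed input."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    partition, service, region, account, resource = m.groups()
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource": resource}


def describe_denial(decoded_json):
    """Summarise the denied call: action, resource ARN, resource type, and
    the condition keys IAM evaluated (e.g. aws:Resource) for the request."""
    msg = json.loads(decoded_json)
    ctx = msg["context"]
    arn = parse_arn(ctx["resource"])
    # EC2 resource types are the part before the first '/' (e.g. launch-template/lt-...)
    resource_type = arn["resource"].split("/", 1)[0]
    conditions = {c["key"]: [v["value"] for v in c["values"]["items"]]
                  for c in ctx["conditions"]["items"]}
    return {
        "allowed": msg["allowed"],
        "explicit_deny": msg["explicitDeny"],
        "action": ctx["action"],
        "resource": ctx["resource"],
        "resource_type": resource_type,
        "conditions": conditions,
    }


def iam_arn_match(pattern, arn):
    """IAM Resource wildcard semantics: '*' matches any run of characters,
    '?' matches exactly one, everything else is a literal, case-sensitive."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    return re.fullmatch(regex, arn) is not None


def resource_permitted(decoded_json, resource_patterns):
    """True if any Resource pattern in the statement covers the denied ARN."""
    resource = json.loads(decoded_json)["context"]["resource"]
    return any(iam_arn_match(p, resource) for p in resource_patterns)


def suggested_resource_arn(decoded_json):
    """The ARN pattern to add to the statement's Resource list: the denied
    resource's type under the same partition/service/region/account."""
    a = parse_arn(json.loads(decoded_json)["context"]["resource"])
    rtype = a["resource"].split("/", 1)[0]
    return f"arn:{a['partition']}:{a['service']}:{a['region']}:{a['account']}:{rtype}/*"


if __name__ == "__main__":
    d = describe_denial(DECODED_MESSAGE)
    print(f"denied {d['action']} on {d['resource']} (type {d['resource_type']})")
    print("covered by current policy:", resource_permitted(DECODED_MESSAGE, ORIGINAL_RESOURCE_PATTERNS))
    fix = suggested_resource_arn(DECODED_MESSAGE)
    print("add to Resource:", fix)
    print("covered after fix:", resource_permitted(DECODED_MESSAGE, ORIGINAL_RESOURCE_PATTERNS + [fix]))
```

In a real investigation you would feed the output of `aws sts decode-authorization-message ... | jq -r .DecodedMessage` into `describe_denial` instead of the constructed sample, and put the real `Ref` values into the pattern list. In the CloudFormation template the suggested pattern becomes one more `Fn::Join` entry, `':launch-template/*'`, in the same style as the `':instance/*'` line.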