Getting an error while modifying the EC2 instance profile role in the management console

0

Hi,

I have an EC2 instance running to which currently no IAM instance profile role is attached. I created an instance role that I'm trying to attach to my existing EC2 instance. I can list and select that role in the dropdown; however, when I click the 'Update IAM role' button I get this error, as shown in the screenshot:

Failed to attach instance profile
You are not authorized to perform this operation. Encoded authorization failure message: 0v498g_npaKBtWgAS6pJbH.....................


Inline policy attached to the user performing this action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:PassRole",
                "iam:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ListEc2AndListInstanceProfiles",
            "Effect": "Allow",
            "Action": [
                "iam:ListInstanceProfiles",
                "ec2:Describe*",
                "ec2:Search*",
                "ec2:Get*"
            ],
            "Resource": "*"
        }
    ]
}
vinod
asked 9 months ago, 307 views
1 answer
2
Accepted answer

Hello.
Do you have your IAM user policy set to allow "iam:PassRole"?
Failure to do so will result in an error when setting up the IAM role on EC2.
Specifically, make sure the following policy settings are in place.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*"
        }
    ]
}
EXPERT
answered 9 months ago
  • Thanks for the reply. Decode the error message with the following command. Can you share the error message after decoding?

    aws sts decode-authorization-message --encoded-message 0v498g_npaKBtWgAS6pJbH.............
    
  • Not working, this is the inline policy attached to the user doing this action: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:ListRoleTags", "iam:ListRoles", "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:PassRole", "iam:*" ], "Resource": "*" }, { "Sid": "ListEc2AndListInstanceProfiles", "Effect": "Allow", "Action": [ "iam:ListInstanceProfiles", "ec2:Describe*", "ec2:Search*", "ec2:Get*" ], "Resource": "*" } ] }

    decoded error message: "DecodedMessage":"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"AIDAWVO7QCYB3TM","name":"developer","arn":"arn:aws:iam::9387594693756:user/developer"},"action":"ec2:ReplaceIamInstanceProfileAssociation","resource":"arn:aws:ec2:us-east-1:9387594693756:instance/i-0062c02384dd31df1","conditions":{"items":[{"key":"ec2:InstanceAutoRecovery","values":{"items":[{"value":"default"}]}},{"key":"ec2:MetadataHttpPutResponseHopLimit","values":{"items":[{"value":"2"}]}},{"key":"ec2:InstanceMarketType","

  • Thank you for sharing your message. From the message, it seems that "ec2:ReplaceIamInstanceProfileAssociation" is missing from the user's policy. So, please add "ec2:ReplaceIamInstanceProfileAssociation".

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:GetRole",
                    "iam:ListRoleTags",
                    "iam:ListRoles",
                    "iam:ListRolePolicies",
                    "iam:GetRolePolicy",
                    "iam:PassRole",
                    "iam:*"
                ],
                "Resource": "*"
            },
            {
                "Sid": "ListEc2AndListInstanceProfiles",
                "Effect": "Allow",
                "Action": [
                    "iam:ListInstanceProfiles",
                    "ec2:Describe*",
                    "ec2:Search*",
                    "ec2:Get*",
                    "ec2:ReplaceIamInstanceProfileAssociation"
                ],
                "Resource": "*"
            }
        ]
    }
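The decoded message in the thread already names the exact action and resource IAM evaluated (`ec2:ReplaceIamInstanceProfileAssociation` on the instance ARN), so the fix can be derived mechanically rather than by guessing. The following is an added example, not code from the thread or from AWS: it parses a decoded authorization message of the same shape (constructed here with placeholder account, user, role and instance IDs), runs a minimal Allow/Deny wildcard evaluator over the question's original policy to show why the request fell through to an implicit deny, emits the missing statement, and then shows a tighter policy for this task in which `iam:PassRole` is limited to one role ARN and to `ec2.amazonaws.com` via the `iam:PassedToService` condition key, and the two profile-association actions are limited to one instance ARN. The evaluator ignores conditions, resource policies and SCPs; it is a troubleshooting aid, not the IAM policy simulator. In practice you would feed it the text from `aws sts decode-authorization-message --encoded-message <msg> --query DecodedMessage --output text`.

```python
"""Offline helper for the failure in this thread: read a decoded authorization
message, find the action/resource IAM evaluated, check a policy against it,
and print the least-privilege statement that is missing.

Added example, not part of the original post or of any AWS tooling. All IDs
and ARNs below are placeholders."""
import fnmatch
import json

# Constructed message, shaped like the DecodedMessage quoted in the thread.
DECODED = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "context": {
        "principal": {"name": "developer",
                      "arn": "arn:aws:iam::123456789012:user/developer"},
        "action": "ec2:ReplaceIamInstanceProfileAssociation",
        "resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
    },
})
# Raw CLI output wraps the decoded message in one more JSON layer as a string.
CLI_OUTPUT = json.dumps({"DecodedMessage": DECODED})

# The inline policy from the question, condensed: iam:* and PassRole on every
# resource, yet no EC2 write action, so the association call is not allowed.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:PassRole", "iam:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:ListInstanceProfiles", "ec2:Describe*", "ec2:Search*", "ec2:Get*"],
         "Resource": "*"},
    ],
}

# Tighter policy for exactly this task (role and instance ARNs are placeholders).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PassOnlyThisRoleToEc2", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/MyInstanceRole",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        {"Sid": "AttachProfileToOneInstance", "Effect": "Allow",
         "Action": ["ec2:AssociateIamInstanceProfile",
                    "ec2:ReplaceIamInstanceProfileAssociation"],
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"},
        {"Sid": "ReadOnlyForConsole", "Effect": "Allow",
         "Action": ["iam:ListInstanceProfiles", "iam:ListRoles", "iam:GetRole", "ec2:Describe*"],
         "Resource": "*"},
    ],
}


def parse_failure(decoded_json: str) -> dict:
    """Return principal ARN, action and resource from a decoded auth message,
    accepting either the bare message or the CLI's {"DecodedMessage": "..."} wrapper."""
    msg = json.loads(decoded_json)
    if isinstance(msg.get("DecodedMessage"), str):
        msg = json.loads(msg["DecodedMessage"])
    ctx = msg["context"]
    return {"allowed": msg["allowed"], "explicit_deny": msg["explicitDeny"],
            "principal": ctx["principal"]["arn"], "action": ctx["action"],
            "resource": ctx["resource"]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Minimal identity-policy evaluation: explicit Deny wins, then Allow, else
    implicit deny. Action matching is case-insensitive, resource matching is not,
    and Condition blocks are ignored (stated assumption of this helper)."""
    decision = "implicitDeny"
    for st in policy["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(st.get("Action", [])))
        res_ok = any(fnmatch.fnmatchcase(resource, r)
                     for r in _as_list(st.get("Resource", [])))
        if act_ok and res_ok:
            if st["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision


def missing_statement(failure: dict) -> dict:
    """The least-privilege Allow that would have matched the failed request."""
    return {"Effect": "Allow", "Action": failure["action"], "Resource": failure["resource"]}


if __name__ == "__main__":
    f = parse_failure(CLI_OUTPUT)
    print("IAM evaluated", f["action"], "on", f["resource"], "for", f["principal"])
    print("original policy:", evaluate(ORIGINAL_POLICY, f["action"], f["resource"]))
    print("statement to add:", json.dumps(missing_statement(f)))
    print("hardened policy:", evaluate(HARDENED_POLICY, f["action"], f["resource"]))
    other = "arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba9876543210"
    print("hardened policy, other instance:", evaluate(HARDENED_POLICY, f["action"], other))
```

Two things the run makes visible: the original policy, despite `iam:*` on `*`, still yields an implicit deny for the EC2 action, which is exactly what the empty `matchedStatements` in the decoded message says; and the hardened policy allows the association on the one instance while no longer granting `iam:DeleteRole` or PassRole on arbitrary roles, which the original did.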
    
