1 Answer
2
Hello.
Do you have your IAM user policy set to allow "iam:PassRole"?
Failure to do so will result in an error when setting up the IAM role on EC2.
Specifically, make sure the following policy settings are in place.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*"
        }
    ]
}
Thanks for the reply. Decode the error message with the following command. Can you share the error message after decoding?
Not working, this is the inline policy attached to the user doing this action:-
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:PassRole",
                "iam:"
            ],
            "Resource": ""
        },
        {
            "Sid": "ListEc2AndListInstanceProfiles",
            "Effect": "Allow",
            "Action": [
                "iam:ListInstanceProfiles",
                "ec2:Describe*",
                "ec2:Search*",
                "ec2:Get*"
            ],
            "Resource": "*"
        }
    ]
}
decoded error message:- "DecodedMessage":"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"AIDAWVO7QCYB3TM","name":"developer","arn":"arn:aws:iam::9387594693756:user/developer"},"action":"ec2:ReplaceIamInstanceProfileAssociation","resource":"arn:aws:ec2:us-east-1:9387594693756:instance/i-0062c02384dd31df1","conditions":{"items":[{"key":"ec2:InstanceAutoRecovery","values":{"items":[{"value":"default"}]}},{"key":"ec2:MetadataHttpPutResponseHopLimit","values":{"items":[{"value":"2"}]}},{"key":"ec2:InstanceMarketType","
Thank you for sharing your message. From the message, it seems that the "ec2:ReplaceIamInstanceProfileAssociation" is missing from the user's policy. So, please add "ec2:ReplaceIamInstanceProfileAssociation".
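The diagnosis in this thread, as an added example that is not part of the original posts: it reads a decoded authorization message, classifies the denial from the `allowed` and `explicitDeny` fields, and checks whether any Allow statement in an identity policy names the denied action. The sample message and policy are constructed (placeholder account and instance IDs), the function names are hypothetical, and only `Action` is compared; `Resource` and `Condition` are not evaluated.

```python
import json
import re

# Constructed sample shaped like the decoded message in the thread
# (placeholder account and instance IDs, not the poster's values).
DECODED = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "context": {
        "principal": {"arn": "arn:aws:iam::111122223333:user/developer"},
        "action": "ec2:ReplaceIamInstanceProfileAssociation",
        "resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-EXAMPLE",
    },
})

# Constructed identity policy modeled on the inline policy in the thread.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iam:ListInstanceProfiles", "ec2:Describe*", "ec2:Get*"]},
    ],
}

def action_matches(pattern, action):
    """IAM action match: case-insensitive, '*' = any run, '?' = one char."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def allowing_statements(policy, action):
    """Indexes of Allow statements whose Action list covers `action`."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and any(action_matches(p, action) for p in actions):
            hits.append(i)
    return hits

def diagnose(decoded_json, policy):
    """Classify the denial and report which statements grant the action."""
    msg = json.loads(decoded_json)
    action = msg["context"]["action"]
    kind = "allowed" if msg["allowed"] else (
        "explicit deny" if msg["explicitDeny"] else "implicit deny")
    return {"action": action, "kind": kind,
            "granted_by": allowing_statements(policy, action)}
```

An "implicit deny" with an empty `granted_by` list means no statement allows the action at all, which is the case identified in the reply above; an "explicit deny" would instead point to a Deny statement somewhere in the evaluation chain.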