EC2 Launch template error in ASG

0

Hi, I created an AMI from a running EC2 instance. I am using this AMI in my Launch template. When I update my ASG with this launch template, I get error - You are not authorized to use this template. What could be the issue and how to fix this. Note that the running instance from which AMI was created was also created using another AMI.

Nimish
Asked 3 months ago · 174 views
3 Answers
0
Accepted Answer

IAM:PassRole is often one I see missed that leads to this error: https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-launch-template-permissions.html

You can also check CloudTrail for a RunInstances call made at the same time as the failed API, which might have more details on what permission was missing. If there's an encoded error, you'll need to use the STS decode API to see the reasons.

AWS
Answered 3 months ago
EXPERT
Reviewed 2 months ago
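
The check described in the accepted answer, as an added example (not part of the original answer): it selects the denied RunInstances records logged around the failed Auto Scaling call and summarizes the decoded authorization message. The records and decoded JSON are constructed samples, the function names are hypothetical, and the decoded-message fields (`explicitDeny`, `context.action`, `context.resource`) are assumed from the output of `aws sts decode-authorization-message`.

```python
import json
import re
from datetime import datetime

# Constructed CloudTrail records (placeholder values, not from the thread).
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "eventTime": "2024-01-01T10:00:01Z",
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation. "
                     "Encoded authorization failure message: EXAMPLE-ENCODED-BLOB"},
    # A dry run that passed is logged with an errorCode too, so it must be skipped.
    {"eventName": "RunInstances", "eventTime": "2024-01-01T10:00:03Z",
     "errorCode": "Client.DryRunOperation"},
    {"eventName": "RunInstances", "eventTime": "2024-01-01T08:00:00Z",
     "errorCode": "Client.UnauthorizedOperation", "errorMessage": "too early"},
]
# Constructed stand-in for the JSON that decode-authorization-message returns.
SAMPLE_DECODED = json.dumps({
    "allowed": False, "explicitDeny": True,
    "context": {"action": "ec2:RunInstances",
                "resource": "arn:aws:ec2:us-east-1::image/ami-EXAMPLE"}})

ENCODED_RE = re.compile(r"Encoded authorization failure message:\s*(\S+)")

def _ts(value):
    """Parse a CloudTrail ISO 8601 timestamp ending in 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def failed_run_instances(events, failed_at, window_s=60):
    """Denied RunInstances records within window_s seconds of the failed API call."""
    t0 = _ts(failed_at)
    return [ev for ev in events
            if ev.get("eventName") == "RunInstances"
            and ev.get("errorCode") not in (None, "Client.DryRunOperation")
            and abs((_ts(ev["eventTime"]) - t0).total_seconds()) <= window_s]

def encoded_message(event):
    """Pull the encoded blob out of errorMessage, or None if there is none."""
    match = ENCODED_RE.search(event.get("errorMessage", ""))
    return match.group(1) if match else None

def summarize_decoded(decoded_json):
    """Name the denied action and resource, and whether a Deny statement matched."""
    doc = json.loads(decoded_json)
    ctx = doc.get("context", {})
    kind = "explicit deny" if doc.get("explicitDeny") else "no matching allow"
    return {"action": ctx.get("action"), "resource": ctx.get("resource"), "kind": kind}
```

The encoded value is decoded with `aws sts decode-authorization-message --encoded-message <value>`, which requires the `sts:DecodeAuthorizationMessage` permission.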
0

The error "You are not authorized to use this template" when updating your Auto Scaling Group (ASG) with a launch template can be due to insufficient IAM permissions. To resolve this issue, you should ensure that the IAM credentials you are using have the necessary permissions to perform the required EC2 API actions, including the ec2:RunInstances action. Additionally, if your launch template specifies any tags, you must also have permission to use the ec2:CreateTags action.

Check out this link: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/permissions-for-launch-templates.html

If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!

EXPERT
Answered 3 months ago
EXPERT
Reviewed 1 month ago
  • I have verified from the shared link and the permissions are correct. As I mentioned, the new AMI was replaced with an existing AMI in Launch template. And with old AMI in Launch template, I can edit the ASG and save. But with newly created AMI from this AMI (running as EC2), in Launch template, I get error in editing ASG.

  • Is the new AMI encrypted with a KMS key that you do not have permission to use?

  • It is encrypted but I do have permissions for the key. Same key was used for previous AMI and that AMI works in Launch templates. So, KMS permissions also look good.

0

OK. Might be possible. However, just found that in my case it was restrictions imposed by my organization team that the base image cannot be a custom AMI. It has to be one of the standard AMIs.

Nimish
Answered 3 months ago
