How do I resolve the "Did not have IAM permissions to process tags on AWS::EC2::Instance resource" error when I create an AWS::EC2::Instance resource in CloudFormation?

I receive the "Did not have IAM permissions to process tags on AWS::EC2::Instance resource" error when I try to create an AWS::EC2::Instance resource in AWS CloudFormation.

Short description

You receive this error when you create an AWS::EC2::Instance resource and both of the following are true:

  • You specify a value for the Tags property in your CloudFormation template.
  • The AWS Identity and Access Management (IAM) user, IAM role, or CloudFormation service role doesn't have the required ec2:CreateTags permissions.

When this happens, the custom tags that you define in the Tags property aren't applied to the Amazon Elastic Compute Cloud (Amazon EC2) instance. The error appears even though the resource is marked CREATE_COMPLETE.

Resolution

Troubleshoot the error

To resolve the error, complete the following steps:

  1. Confirm that the IAM user, role, or CloudFormation service role that creates the CloudFormation stack has permissions to perform ec2:CreateTags and ec2:DeleteTags on your EC2 instances.

  2. Use the CloudFormation console or AWS CLI to comment out the Tags property of the AWS::EC2::Instance resource in your affected CloudFormation template. Then, update your stack.

    Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

    Use the CloudFormation console

    In your CloudFormation template, comment out the Tags property, and then update your stack. For example:

    Resources:
      MyEC2Instance: 
        Type: AWS::EC2::Instance
        Properties: 
    #      Tags: 
    #      - Key: key1
    #        Value: value1
    #      - Key: key2
    #        Value: value2

    Use AWS CLI

    Run the update-stack command:

    aws cloudformation update-stack --region YOUR_REGION --template-body file://YOUR_TEMPLATE_FILE_TAGS_COMMENTED --stack-name YOUR_STACK_NAME

    Note: Replace YOUR_REGION, YOUR_TEMPLATE_FILE_TAGS_COMMENTED, and YOUR_STACK_NAME with your values.

  3. Use the CloudFormation console or AWS CLI to uncomment the Tags property of the AWS::EC2::Instance resource in your affected CloudFormation template. Then, update your stack again.

    Use the CloudFormation console

    In your CloudFormation template, remove the comments from the Tags property, and then update your stack. For example:

    Resources:
      MyEC2Instance: 
        Type: AWS::EC2::Instance
        Properties: 
          Tags: 
          - Key: key1
            Value: value1
          - Key: key2
            Value: value2

    Use AWS CLI

    Run the update-stack command:

    aws cloudformation update-stack --region YOUR_REGION --template-body file://YOUR_TEMPLATE_FILE_TAGS_UNCOMMENTED --stack-name YOUR_STACK_NAME

    Note: Replace YOUR_REGION, YOUR_TEMPLATE_FILE_TAGS_UNCOMMENTED, and YOUR_STACK_NAME with your values.
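The following is an added example, not code from AWS or from this article, that performs the step 1 check offline: it evaluates an identity-based IAM policy document and reports which of ec2:CreateTags and ec2:DeleteTags the policy does not clearly grant on an instance ARN. The sample policy, account ID and instance ID are constructed. The evaluator deliberately simplifies IAM: an explicit Deny always wins, an Allow that carries a Condition block is not counted (conservative, because the condition may not hold for CloudFormation's tagging call), NotAction/NotResource are rejected, and permissions boundaries, SCPs and resource-based policies are not considered.

```python
"""Offline check that an IAM policy document grants the tagging actions that
CloudFormation needs on EC2 instances (ec2:CreateTags and ec2:DeleteTags).

Added illustration with simplified IAM semantics; see the lead-in for the
limitations. Not AWS code.
"""
import fnmatch
import json

REQUIRED_ACTIONS = ("ec2:CreateTags", "ec2:DeleteTags")

# Constructed sample: a least-privilege statement scoped to instance ARNs,
# plus a Deny that exercises precedence handling. IDs below are made up.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInstanceTagging",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "arn:aws:ec2:*:*:instance/*"
    },
    {
      "Sid": "DenyVolumeTagging",
      "Effect": "Deny",
      "Action": "ec2:*Tags",
      "Resource": "arn:aws:ec2:*:*:volume/*"
    }
  ]
}
""")
SAMPLE_INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"


def _as_list(value):
    """IAM accepts a bare string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names are case-insensitive and support * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    """Resource ARNs are matched case-sensitively; * and ? wildcards apply."""
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def action_allowed(policy, action, resource_arn):
    """Return True only if the policy clearly allows `action` on `resource_arn`."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("NotAction/NotResource are not supported by this checker")
        if not _action_matches(stmt.get("Action", []), action):
            continue
        if not _resource_matches(stmt.get("Resource", []), resource_arn):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny wins, even when it carries a Condition
        if not stmt.get("Condition"):
            allowed = True  # unconditional Allow; conditional Allows are not counted
    return allowed


def missing_tag_permissions(policy, instance_arn):
    """List the required tagging actions the policy does not clearly grant on the instance."""
    return [a for a in REQUIRED_ACTIONS if not action_allowed(policy, a, instance_arn)]


if __name__ == "__main__":
    missing = missing_tag_permissions(SAMPLE_POLICY, SAMPLE_INSTANCE_ARN)
    print("missing tagging permissions:", ", ".join(missing) or "none")
```

To run this against the real policy attached to the user, role or service role that creates the stack, fetch the document first (for example with aws iam get-role-policy or aws iam get-policy-version) and pass it to missing_tag_permissions. For the authoritative answer, which also accounts for permissions boundaries and conditions, let IAM evaluate it with aws iam simulate-principal-policy --action-names ec2:CreateTags ec2:DeleteTags and the principal's ARN.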

Check if your tags are correctly applied to the EC2 instance

Use the Amazon EC2 console or AWS CLI to check whether your tags are correctly applied to your EC2 instances.

Use the Amazon EC2 console

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. From the Instances section of the navigation pane, choose Instances.
  3. Select the instance that was created through CloudFormation.
  4. Choose the Tags tab, and then check if the custom tags specified in your CloudFormation template are populated in the table.

Use AWS CLI

Run the describe-tags command:

aws ec2 describe-tags --filters "Name=resource-id,Values=YOUR_INSTANCE_ID"

Note: Replace YOUR_INSTANCE_ID with the instance ID of the EC2 instance from your stack.
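As an added example that is not part of the AWS article, the following compares the Tags declared on the AWS::EC2::Instance resource with what describe-tags reports for the instance, and lists any keys that are missing or carry a different value. The describe-tags output is a constructed sample in the real command's JSON shape; the instance ID and stack name are made up, and the sample intentionally lacks key2 so the missing-tag case is visible.

```python
"""Compare the Tags property of an AWS::EC2::Instance resource with the
output of `aws ec2 describe-tags` for that instance.

Added illustration, not AWS code. The describe-tags output is constructed.
"""
import json

# Tags from the article's template (Tags property of MyEC2Instance).
TEMPLATE_TAGS = [
    {"Key": "key1", "Value": "value1"},
    {"Key": "key2", "Value": "value2"},
]

INSTANCE_ID = "i-0123456789abcdef0"  # constructed

# Constructed output of:
#   aws ec2 describe-tags --filters "Name=resource-id,Values=i-0123456789abcdef0"
# key2 is deliberately absent to show what a failed tag update looks like.
DESCRIBE_TAGS_OUTPUT = json.loads("""
{
  "Tags": [
    {"Key": "aws:cloudformation:stack-name", "ResourceId": "i-0123456789abcdef0",
     "ResourceType": "instance", "Value": "my-stack"},
    {"Key": "key1", "ResourceId": "i-0123456789abcdef0",
     "ResourceType": "instance", "Value": "value1"}
  ]
}
""")


def instance_tags(describe_output, instance_id):
    """Map Key -> Value for tags on one instance, skipping reserved aws:* system tags."""
    return {
        t["Key"]: t["Value"]
        for t in describe_output.get("Tags", [])
        if t["ResourceId"] == instance_id
        and t["ResourceType"] == "instance"
        and not t["Key"].startswith("aws:")
    }


def compare_tags(template_tags, describe_output, instance_id):
    """Return (missing_keys, mismatched); mismatched maps key -> (expected, actual)."""
    actual = instance_tags(describe_output, instance_id)
    missing = [t["Key"] for t in template_tags if t["Key"] not in actual]
    mismatched = {
        t["Key"]: (t["Value"], actual[t["Key"]])
        for t in template_tags
        if t["Key"] in actual and actual[t["Key"]] != t["Value"]
    }
    return missing, mismatched


if __name__ == "__main__":
    missing, mismatched = compare_tags(TEMPLATE_TAGS, DESCRIBE_TAGS_OUTPUT, INSTANCE_ID)
    print("missing:", missing or "none")
    print("mismatched:", mismatched or "none")
```

To use it with a real stack, save the describe-tags output to a file with --output json, load it with json.load, and pass the instance ID from the stack's resources. An empty missing list and an empty mismatched dict mean the Tags property was applied in full.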

AWS OFFICIAL
Updated 5 months ago