How do I troubleshoot Amazon EC2 Auto Scaling launch template "not authorized" errors?


I tried to use a launch template for an Amazon EC2 Auto Scaling group and received the error "You are not authorized".

Resolution

You receive the "You are not authorized" error because you don't have the correct AWS Identity and Access Management (IAM) permissions to launch EC2 Auto Scaling groups. To resolve this issue, add the following permissions to your IAM policy.

IAM credentials

Make sure that your IAM entity has permission to use the RunInstances API action. Also, if you use tags in your launch template, then make sure that you have permission to use the CreateTags API action.

Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateTags"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

To provide full access to all Amazon Elastic Compute Cloud (Amazon EC2) resources and related services, you can use the AmazonEC2FullAccess AWS managed policy. 

Instance profiles

To launch a template that specifies an instance profile, make sure that the policy has the PassRole permission.

Example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::111111111111:role/InstanceProfileRole"
            ]
        }
    ]
}

Note: You can use the PassRole permission only to pass an IAM role to a service that shares the same AWS account. 
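The following is an added example, not part of the article or an AWS tool: a small policy checker that takes an identity policy document and reports which of the permissions named in the "IAM credentials" and "Instance profiles" sections above (ec2:RunInstances, ec2:CreateTags, and iam:PassRole scoped to the instance profile role) it fails to grant. The sample policy, account ID and role name are constructed placeholders; action matching is case-insensitive and honours wildcards, and an explicit Deny overrides any Allow, which is a common reason a policy that looks complete still produces "not authorized".

```python
import json
import re

# Constructed sample policy (not from the article). The first statement grants
# RunInstances with a mixed-case service prefix, the second scopes PassRole to one
# role, and an explicit Deny on CreateTags will override the tagging permission.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["Ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111111111111:role/InstanceProfileRole"},
    {"Effect": "Deny", "Action": "ec2:CreateTags", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    # Translate the IAM wildcard syntax ('*' and '?') into a regular expression.
    regex = ".*".join(re.escape(part) for part in pattern.split("*")).replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Evaluate one action/resource pair against a single identity policy:
    an explicit Deny always wins; otherwise any matching Allow grants access."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        action_hit = any(_matches(p, action, True) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_launch_permissions(policy, instance_role_arn=None, uses_tags=True):
    """Return the permissions from the article that this policy does not grant.
    EC2 actions are checked against the wildcard resource the article's policy uses."""
    required = [("ec2:RunInstances", "*")]
    if uses_tags:
        required.append(("ec2:CreateTags", "*"))
    if instance_role_arn:
        required.append(("iam:PassRole", instance_role_arn))
    return [action for action, resource in required if not is_allowed(policy, action, resource)]
```

Run the check against the policy attached to the entity that creates the Auto Scaling group; an empty list means every permission the article lists is present, and anything returned points at the statement to add or the Deny to investigate.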

AMIs in another account

To launch a template that specifies an Amazon Machine Image (AMI) owned by another AWS account, the account that launches the Auto Scaling group must have been granted access to the AMI.

To verify permissions to the AMI, complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose AMIs.
  3. For AMI name, select your AMI, and then choose the Permissions tab.
  4. For Permissions, verify that the account is listed for the AMI.
  5. If the account doesn't have permission to the AMI, then share the AMI with the account.

Related Information

IAM role for applications that run on Amazon EC2 instances