Unable to attach the Instance Profile Role to EC2


Hi,

I'm getting this error while trying to attach an instance profile role under EC2 -> Security -> Modify IAM role:


Failed to describe Instance Profiles
Failed to describe Instance Profiles. User: arn:aws:sts::336247864862:assumed-role/test/vkshs is not authorized to perform: iam:ListInstanceProfiles on resource: arn:aws:iam::336247864862:instance-profile/ because no identity-based policy allows the iam:ListInstanceProfiles action.

It seems like an issue with the policy attached to my identity. Kindly suggest its root cause and what policy is required here to fix it.

Regards, Vinod Kumar

1 Answer

Accepted Answer

<<Remove your account ID from the error message in the question at the earliest.>>

You need to add the following permission to the user/role through which you are logging in to this account, for the resource "instance profile name":

Action:

 iam:ListInstanceProfiles

A policy to list EC2 resources and instance profiles would look like the one below:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListEc2AndListInstanceProfiles",
                "Effect": "Allow",
                "Action": [
                    "iam:ListInstanceProfiles",
                    "ec2:Describe*",
                    "ec2:Search*",
                    "ec2:Get*"
                ],
                "Resource": "*"
            }
        ]
    }

Reference documentation

Once you add this to your role, you should be able to list instance profiles.

An important point to note here is that the AmazonEC2FullAccess managed policy doesn't have this permission; however, the IAMReadOnlyAccess policy provides this access to all profiles, so you may consider adding this policy too.

Hope you find this useful.

Abhishek.

AWS Expert, answered 9 months ago
Reviewed 9 months ago by iBehr (AWS Expert)
  • Thanks, your solution worked; however, when I select this role and click the 'Update IAM role' button, I get the following error as well:

    Failed to attach instance profile You are not authorized to perform this operation. Encoded authorization failure message: 0v498g_npaKBtWgAS6pJbH.......................

  • There are two things here that you need to do:

    aws sts decode-authorization-message --encoded-message "encoded failure message" -> This will give you the details of the failure.

    Please follow this re:Post Knowledge Center article, Attach or replace instance profile. Also check whether you already have iam:PassRole permissions, as I have seen that to be an issue as well.
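The two errors in this thread come from different actions: listing profiles needs iam:ListInstanceProfiles, while attaching one also needs iam:PassRole and the EC2 association actions. The script below is an added example, not code from the original post or from AWS; it lints a policy document for those actions using IAM's case-insensitive wildcard matching and Deny-over-Allow precedence. The embedded policy is constructed from the answer's statement plus an iam:PassRole statement scoped to one role (placeholder account ID), and the action names ec2:DescribeIamInstanceProfileAssociations, ec2:AssociateIamInstanceProfile and ec2:ReplaceIamInstanceProfileAssociation are not on this page.

```python
# Pre-check an IAM policy document for the actions the EC2 "Modify IAM role" flow
# needs. Action matching follows IAM's Action element (case-insensitive, '*' and '?'
# wildcards) and an explicit Deny beats any Allow. Resource/Condition evaluation and
# NotAction are not modelled, so this is a linter, not a policy simulator.
import fnmatch
import json

# Constructed policy: the answer's statement plus a PassRole statement restricted to
# one role and to EC2 as the receiving service (account ID is a placeholder).
POLICY_JSON = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "ListEc2AndListInstanceProfiles", "Effect": "Allow",
   "Action": ["iam:ListInstanceProfiles", "ec2:Describe*", "ec2:Search*", "ec2:Get*"],
   "Resource": "*"},
  {"Sid": "PassOnlyTheInstanceRoleToEc2", "Effect": "Allow", "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::123456789012:role/test",
   "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}"""

# Actions exercised by listing profiles, then attaching or replacing one on an instance.
REQUIRED_ACTIONS = ["iam:ListInstanceProfiles", "iam:PassRole",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "ec2:AssociateIamInstanceProfile",
                    "ec2:ReplaceIamInstanceProfileAssociation"]

def _as_list(value):
    # IAM allows Statement and Action to be either a single item or a list.
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow grants, or that a Deny revokes."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            bucket.update(a for a in required if action_matches(pattern, a))
    return [a for a in required if a not in allowed or a in denied]

def check_policy_json(text):
    """Parse a policy document and report which required actions it lacks."""
    return missing_actions(json.loads(text))
```

Run against the embedded policy, the check reports that the listing error is fixed but the two EC2 association actions are still missing, which is exactly the second error the commenter hit after applying the answer's statement.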
