Unable to assume role for g4ad instance type driver download

Hello,

According to your question, I think you are curious about several things as below.

• If there is any trouble with the installation of Driver on g4ad instance

• Questions about the Service Quota's influence on the permissions.

---

[1] Problem with Installation of Driver on g4ad instance

The reason for the failure to install the driver on the instance can be determined by 1) checking the presence or absence of the sts:AsumeRole, 2) checking the availability of driver installation on the g4ad instance, and 3) checking the connection (connection) of the instance.

If you can provide more detailed information such as error messages related to this problem, it will help me understand the cause.

• If the user cannot assume the IAM Role

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
        { 
            "Effect": "Allow", 
            "Action":"sts:AssumeRole", 
            "Resource": "arn:aws:iam::<Account_ID>:role/<Role>" 
        } 
    ] 
}

Adding sts:AssumeRole in the policy, which is attached to the user, will let you use other IAM Role.

• Check that you can install the driver on g4ad instance

For g4ad instance, NVidia drivers are not supported, and only AMD driver can be installed.

You can refer to the types of instances that can be installed by driver in more detail in the document below.

[+] Linux accelerated computing instances (AWS Documentation)(ENG)

Additionally, you can also refer to the way to install AMD drivers on Linux instances in the document below.

[+] Install AMD drivers on Linux instances (AWS Documentation)(ENG)

• Check SSH / RDP connection

There is no IAM permissions to install drivers on instance, but you need to connect to the instance with SSH or RDP connection.

---

[2] Is Service Quota increase influenced on IAM Policy?

No, it is not related. I assume that you have increased vCPU(instance limit) to use g4ad instance type, but the increase doesn't have effect on any IAM permissions, or the resources' arn. The Service Quota increase only effects the amount of resources available.

If you want to check, you can check the instance's arn(name) and the policy attahced to the user(or the role).

---

[3] The Admin access permission

Implicit Deny and Explicit Allow is the basic principles of AWS IAM Policy. In other words, IAM basically denies everything, and you need to specify the resources/actions to be granted.

If you are using AWS-managed policy AdministratorAccess, you don't have to worry about the permission unless you have explicit deny in your user or role's policy. (you said that there is no explicit deny, so you can skip it)

If you are using your own policy, you need to check if you add s3:GetObject.

After aws configure on EC2 instance, you can download the file through the command below:

aws s3api get-object --bucket <bucket_name> --key <file_to_download> <output_file>

---

If I have missed anything or answered wrong, please feel free to ask me again. Also you have any questions, comment please!

Hello.

Is "AmazonS3ReadOnlyAccess" set in the EC2 IAM role?
If the IAM role does not have an IAM policy to download from S3, it cannot be accessed from EC2.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-amd-driver.html

Your user or role must have the permissions granted that contains the AmazonS3ReadOnlyAccess policy. For more information, see AWS managed policy: AmazonS3ReadOnlyAccess in the Amazon Simple Storage Service User Guide.