Getting error while modifying the EC2 Instance Profile role on management console


Hi,

I have an EC2 instance running that currently has no IAM instance profile role attached. I have created an instance role which I'm trying to attach to my existing EC2 instance. I can list and select that role in the dropdown, but when I click the 'Update IAM role' button I get the error shown in the screenshot:

Failed to attach instance profile
You are not authorized to perform this operation. Encoded authorization failure message: 0v498g_npaKBtWgAS6pJbH.....................


Inline policy attached to the user performing this action:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListRoles",
                "iam:ListRolePolicies",
                "iam:GetRolePolicy",
                "iam:PassRole",
                "iam:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ListEc2AndListInstanceProfiles",
            "Effect": "Allow",
            "Action": [
                "iam:ListInstanceProfiles",
                "ec2:Describe*",
                "ec2:Search*",
                "ec2:Get*"
            ],
            "Resource": "*"
        }
    ]
}
vinod
asked 9 months ago · 293 views
1 Answer
Accepted Answer

Hello.
Do you have your IAM user policy set to allow "iam:PassRole"?
Failure to do so will result in an error when setting up the IAM role on EC2.
Specifically, make sure the following policy settings are in place.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*"
        }
    ]
}
EXPERT
answered 9 months ago
  • Thanks for the reply. Decode the error message with the following command. Can you share the error message after decoding?

    aws sts decode-authorization-message --encoded-message 0v498g_npaKBtWgAS6pJbH.............
    
  • Not working, this is the inline policy attached to the user doing this action:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:GetRole",
                    "iam:ListRoleTags",
                    "iam:ListRoles",
                    "iam:ListRolePolicies",
                    "iam:GetRolePolicy",
                    "iam:PassRole",
                    "iam:*"
                ],
                "Resource": "*"
            },
            {
                "Sid": "ListEc2AndListInstanceProfiles",
                "Effect": "Allow",
                "Action": [
                    "iam:ListInstanceProfiles",
                    "ec2:Describe*",
                    "ec2:Search*",
                    "ec2:Get*"
                ],
                "Resource": "*"
            }
        ]
    }

    decoded error message: "DecodedMessage":"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"AIDAWVO7QCYB3TM","name":"developer","arn":"arn:aws:iam::9387594693756:user/developer"},"action":"ec2:ReplaceIamInstanceProfileAssociation","resource":"arn:aws:ec2:us-east-1:9387594693756:instance/i-0062c02384dd31df1","conditions":{"items":[{"key":"ec2:InstanceAutoRecovery","values":{"items":[{"value":"default"}]}},{"key":"ec2:MetadataHttpPutResponseHopLimit","values":{"items":[{"value":"2"}]}},{"key":"ec2:InstanceMarketType","

  • Thank you for sharing your message. From the message, it seems that the "ec2:ReplaceIamInstanceProfileAssociation" is missing from the user's policy. So, please add "ec2:ReplaceIamInstanceProfileAssociation".

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:GetRole",
                    "iam:ListRoleTags",
                    "iam:ListRoles",
                    "iam:ListRolePolicies",
                    "iam:GetRolePolicy",
                    "iam:PassRole",
                    "iam:*"
                ],
                "Resource": "*"
            },
            {
                "Sid": "ListEc2AndListInstanceProfiles",
                "Effect": "Allow",
                "Action": [
                    "iam:ListInstanceProfiles",
                    "ec2:Describe*",
                    "ec2:Search*",
                    "ec2:Get*",
                    "ec2:ReplaceIamInstanceProfileAssociation"
                ],
                "Resource": "*"
            }
        ]
    }
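As an added example (not code from the thread or from AWS), the Python below reconstructs the diagnosis made in the comments: it pulls the action, resource and deny type out of a decoded authorization failure message, then checks with a simplified IAM Action-pattern matcher which statements of a policy cover that action, before and after the fix. The sample policy and decoded message are constructed from the thread with placeholder account and instance ids; `statements_covering`, `is_allowed`, `explain_denial` and `with_action` are hypothetical helper names.

```python
import re

# Constructed sample: the inline policy from the question (abbreviated).
# Note: "iam:*" on Resource "*" grants full IAM administration, far more than this task needs.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:GetRole", "iam:ListRoles", "iam:PassRole", "iam:*"]},
    {"Sid": "ListEc2AndListInstanceProfiles", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:ListInstanceProfiles", "ec2:Describe*", "ec2:Search*", "ec2:Get*"]}]}

# Constructed sample shaped like the thread's decoded failure message (ids are placeholders).
DECODED = {"allowed": False, "explicitDeny": False, "matchedStatements": {"items": []},
           "context": {"principal": {"arn": "arn:aws:iam::111122223333:user/developer"},
                       "action": "ec2:ReplaceIamInstanceProfileAssociation",
                       "resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"}}

def action_matches(pattern, action):
    # IAM action patterns are case-insensitive; '*' and '?' are the only wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def statements_covering(policy, action):
    # (Sid, Effect) for every statement whose Action covers `action`. Simplified:
    # Resource and Condition are ignored, so real IAM can still deny what this allows.
    hits = []
    for s in policy["Statement"]:
        patterns = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if any(action_matches(p, action) for p in patterns):
            hits.append((s.get("Sid", "<no Sid>"), s["Effect"]))
    return hits

def is_allowed(policy, action):
    effects = {e for _, e in statements_covering(policy, action)}
    return "Deny" not in effects and "Allow" in effects  # explicit deny wins, else an Allow is needed

def explain_denial(decoded):
    # The facts a reviewer needs from a decoded authorization failure.
    ctx = decoded["context"]
    reason = "explicit deny" if decoded["explicitDeny"] else "implicit deny (no statement matched)"
    return {"principal": ctx["principal"]["arn"], "action": ctx["action"],
            "resource": ctx["resource"], "reason": reason,
            "matched": len(decoded["matchedStatements"]["items"])}

def with_action(policy, sid, action):
    # Copy of `policy` with `action` appended to the statement named `sid`.
    return {**policy, "Statement": [
        {**s, "Action": list(s["Action"]) + [action]} if s.get("Sid") == sid else s
        for s in policy["Statement"]]}

if __name__ == "__main__":
    print(explain_denial(DECODED), is_allowed(ORIGINAL_POLICY, DECODED["context"]["action"]))
```

Resource and Condition keys are not evaluated here; for an authoritative answer use the IAM policy simulator (aws iam simulate-principal-policy) against the real principal.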
    
