Hi,
I have an EC2 instance running that currently has no IAM instance profile role attached to it. I created an instance role and I'm trying to attach it to my existing EC2 instance. I can list and select that role in the dropdown, but when I click the 'Update IAM role' button I get this error, as shown in the screenshot:-
Failed to attach instance profile
You are not authorized to perform this operation. Encoded authorization failure message: 0v498g_npaKBtWgAS6pJbH.....................
Inline policy attached to the user performing this action:-

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:GetRole",
                    "iam:ListRoleTags",
                    "iam:ListRoles",
                    "iam:ListRolePolicies",
                    "iam:GetRolePolicy",
                    "iam:PassRole",
                    "iam:*"
                ],
                "Resource": "*"
            },
            {
                "Sid": "ListEc2AndListInstanceProfiles",
                "Effect": "Allow",
                "Action": [
                    "iam:ListInstanceProfiles",
                    "ec2:Describe*",
                    "ec2:Search*",
                    "ec2:Get*"
                ],
                "Resource": "*"
            }
        ]
    }
Thanks for the reply. Decode the error message with the following command. Can you share the error message after decoding?
Not working, this is the inline policy attached to the user doing this action:-

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "iam:GetRole",
                    "iam:ListRoleTags",
                    "iam:ListRoles",
                    "iam:ListRolePolicies",
                    "iam:GetRolePolicy",
                    "iam:PassRole",
                    "iam:*"
                ],
                "Resource": "*"
            },
            {
                "Sid": "ListEc2AndListInstanceProfiles",
                "Effect": "Allow",
                "Action": [
                    "iam:ListInstanceProfiles",
                    "ec2:Describe*",
                    "ec2:Search*",
                    "ec2:Get*"
                ],
                "Resource": "*"
            }
        ]
    }
decoded error message:- "DecodedMessage":"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"AIDAWVO7QCYB3TM","name":"developer","arn":"arn:aws:iam::9387594693756:user/developer"},"action":"ec2:ReplaceIamInstanceProfileAssociation","resource":"arn:aws:ec2:us-east-1:9387594693756:instance/i-0062c02384dd31df1","conditions":{"items":[{"key":"ec2:InstanceAutoRecovery","values":{"items":[{"value":"default"}]}},{"key":"ec2:MetadataHttpPutResponseHopLimit","values":{"items":[{"value":"2"}]}},{"key":"ec2:InstanceMarketType","
Thank you for sharing your message. From the message, it seems that the "ec2:ReplaceIamInstanceProfileAssociation" is missing from the user's policy. So, please add "ec2:ReplaceIamInstanceProfileAssociation".
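The diagnosis above can be checked mechanically rather than by eye. The following Python is an added example, not code from anyone in this thread: it takes the DecodedMessage JSON that `aws sts decode-authorization-message` returns (here a constructed sample in the same shape as the one posted, with placeholder account and instance ids), pulls out the denied action, resource and principal, and then evaluates the posted inline policy against that request using IAM's case-insensitive `*`/`?` wildcard matching. It shows that no Allow statement covers `ec2:ReplaceIamInstanceProfileAssociation` while `ec2:Describe*` and `iam:PassRole` are covered, and that adding the action to the `ListEc2AndListInstanceProfiles` statement fixes it. The helper names (`summarize_failure`, `allowing_statements`, `with_action`) are this example's own, and the matcher deliberately handles only the Effect/Action/Resource shape used in the thread, not NotAction, NotResource or Condition blocks.

```python
import copy
import fnmatch
import json

# Constructed sample input: the inline policy as posted in the thread.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:ListRoleTags", "iam:ListRoles",
                       "iam:ListRolePolicies", "iam:GetRolePolicy",
                       "iam:PassRole", "iam:*"],
            "Resource": "*",
        },
        {
            "Sid": "ListEc2AndListInstanceProfiles",
            "Effect": "Allow",
            "Action": ["iam:ListInstanceProfiles", "ec2:Describe*",
                       "ec2:Search*", "ec2:Get*"],
            "Resource": "*",
        },
    ],
}

# Constructed sample of the DecodedMessage JSON that
# `aws sts decode-authorization-message` returns; the account id, user id and
# instance id are placeholders, not values from the thread.
DECODED_MESSAGE = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "AIDAEXAMPLEID", "name": "developer",
                      "arn": "arn:aws:iam::123456789012:user/developer"},
        "action": "ec2:ReplaceIamInstanceProfileAssociation",
        "resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
        "conditions": {"items": []},
    },
})


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def iam_pattern_matches(pattern, value):
    """IAM action/resource matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def summarize_failure(decoded_json):
    """Extract the facts a reviewer needs from a decoded authorization message."""
    msg = json.loads(decoded_json)
    ctx = msg["context"]
    return {
        "principal": ctx["principal"]["arn"],
        "action": ctx["action"],
        "resource": ctx["resource"],
        "explicit_deny": msg["explicitDeny"],
        "matched_statements": [s.get("sid") for s in msg["matchedStatements"]["items"]],
    }


def allowing_statements(policy, action, resource):
    """Sids of Allow statements whose Action and Resource both cover the request.

    Only Effect/Action/Resource statements are evaluated; NotAction, NotResource
    and Condition blocks are out of scope for this example.
    """
    sids = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if not any(iam_pattern_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(iam_pattern_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        sids.append(stmt.get("Sid", "<no sid>"))
    return sids


def with_action(policy, sid, action):
    """Return a copy of the policy with `action` added to the statement `sid`."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == sid:
            actions = _as_list(stmt["Action"])
            if action not in actions:
                actions.append(action)
            stmt["Action"] = actions
            return fixed
    raise KeyError(f"no statement with Sid {sid!r}")


if __name__ == "__main__":
    failure = summarize_failure(DECODED_MESSAGE)
    print("denied:", failure["action"], "on", failure["resource"], "for", failure["principal"])
    print("covered by:", allowing_statements(POLICY, failure["action"], failure["resource"]))
    fixed = with_action(POLICY, "ListEc2AndListInstanceProfiles", failure["action"])
    print("after fix, covered by:", allowing_statements(fixed, failure["action"], failure["resource"]))
```

An empty `matchedStatements` list together with `explicitDeny: false` is the signature of an implicit deny, which is exactly what the console's generic "not authorized" error hides; the decoded message names the action and resource so the missing permission can be added narrowly (to the instance ARNs the user actually manages) rather than by widening an existing wildcard.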