Did not have IAM permissions to process tags on AWS::EC2::Instance resource

0

Hi Everyone,

I am using Attribute Based Access Control (ABAC) to delegate permissions to Users to create CloudFormation and EC2 instances from CF template.

I am getting 'Did not have IAM permissions to process tags on AWS::EC2::Instance resource.' and 'API: ec2:RunInstances You are not authorized to perform this operation. Encoded authorization failure message' errors while trying to create CF Stack. All corresponding 'access-team' and 'access-project' tags are provided in the CloudFormation Template. The CF Template and corresponding ABAC IAM Policy are attached.

However, I am able to create the exact same EC2 Instance manually without any issue via the AWS EC2 Console, since I am supplying the corresponding 'access-team' and 'access-project' Tags during EC2 Instance creation.

Could someone help me narrow down the root of that issue and what exactly I should change in the IAM Policy to deploy the CF Stack?

TIA

Edited by: innos on Feb 19, 2021 6:19 AM

Edited by: innos on Feb 24, 2021 7:56 AM

innos
Asked 3 years ago, viewed 2202 times
1 answer
2

Hi Guys,

My request has been resolved by AWS Support with following issue description :

==================================================
From the public docs, "When you create an EC2 instance with AWS CloudFormation using the resource AWS::EC2::Instance, AWS CloudFormation makes two API calls: RunInstances and CreateTags. RunInstances creates the instance and CreateTags applies the necessary tags after the instance is created. The RunInstances request made by AWS CloudFormation doesn't support the tags, but the API does support the tags." Please refer to [1] for more information on the same.

So, the workaround for this issue is to use the "AWS::EC2::LaunchTemplate" resource for the EC2 Instance and specify the required Tags on the Volume using the "TagSpecification" property of the "AWS::EC2::LaunchTemplate" resource. Please refer to [2][3] for more information.

We can specify the required Tags for the resources as below.

  Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref RequiredTagsLaunchTemplate
        Version: 1
      InstanceType: r4.xlarge
      .
      .
  RequiredTagsLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateData:
        TagSpecifications:
          - ResourceType: Volume
            Tags:
              - Key: Env
                Value: Dev

References:
[1] https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-ec2-iam-runinstances/
[2] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html
[3] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-tagspecification.html

I hope this information will be useful for somebody.

Alex

innos
answered 3 years ago
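A pre-deploy check for the pitfall the answer describes (an added example, not code from AWS Support or from the question): CloudFormation only sends tags from Properties.Tags in the later CreateTags call, so an ABAC policy that conditions ec2:RunInstances on aws:RequestTag denies; tags in a launch template's TagSpecifications travel with RunInstances itself. The function names, the required tag keys and the two sample templates are assumptions constructed here; templates are given as plain dicts (as loaded from JSON) rather than YAML with `!Ref`.

```python
"""Flag AWS::EC2::Instance resources whose ABAC tags will be absent from the
RunInstances call (tags under Properties.Tags arrive only with CreateTags)."""

REQUIRED_TAGS = ("access-team", "access-project")  # keys used by the question's policy


def _launch_template_tag_keys(template, instance_props, resource_type):
    """Tag keys a launch template in this stack applies to `resource_type`.
    A literal LaunchTemplateId points outside the stack and cannot be inspected,
    so it counts as carrying no tags (conservative: the instance gets flagged)."""
    ref = (instance_props.get("LaunchTemplate") or {}).get("LaunchTemplateId")
    name = ref.get("Ref") if isinstance(ref, dict) else None
    lt = template.get("Resources", {}).get(name, {})
    if lt.get("Type") != "AWS::EC2::LaunchTemplate":
        return set()
    specs = lt.get("Properties", {}).get("LaunchTemplateData", {}).get("TagSpecifications", [])
    return {t.get("Key") for s in specs if s.get("ResourceType") == resource_type
            for t in s.get("Tags", [])}


def find_abac_gaps(template, required=REQUIRED_TAGS, resource_types=("instance", "volume")):
    """Map each AWS::EC2::Instance logical id to the '<resource type>:<tag key>' pairs
    missing from its RunInstances request (and therefore from aws:RequestTag)."""
    gaps = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::Instance":
            continue
        missing = []
        for rtype in resource_types:
            present = _launch_template_tag_keys(template, res.get("Properties", {}), rtype)
            missing += [f"{rtype}:{k}" for k in required if k not in present]
        if missing:
            gaps[logical_id] = missing
    return gaps


# Constructed sample templates (not the question's): the same instance tagged two ways.
ABAC_TAGS = [{"Key": "access-team", "Value": "blue"}, {"Key": "access-project", "Value": "web"}]

TAGS_ON_INSTANCE = {"Resources": {"Web": {"Type": "AWS::EC2::Instance", "Properties": {
    "InstanceType": "t3.micro", "Tags": ABAC_TAGS}}}}  # applied by CreateTags: too late

TAGS_IN_LAUNCH_TEMPLATE = {"Resources": {
    "Web": {"Type": "AWS::EC2::Instance", "Properties": {"InstanceType": "t3.micro",
            "LaunchTemplate": {"LaunchTemplateId": {"Ref": "WebLT"}, "Version": 1}}},
    "WebLT": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {"LaunchTemplateData": {
        "TagSpecifications": [{"ResourceType": "instance", "Tags": ABAC_TAGS},
                              {"ResourceType": "volume", "Tags": ABAC_TAGS}]}}}}}
```

Running `find_abac_gaps` over a real template (loaded with `json.load`) before `create-stack` shows which instances will trip the RunInstances condition; tagging only the instance resource type still leaves the volume pairs flagged, matching the answer's point about volumes.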
  • Thank you for your very informative answer!

    I included the Launch Template Resource to resolve the issue but am still getting the same error. I tried launching the stack with the AWS CLI, hoping that I would get a more descriptive output, but no luck. Any idea how to address that?
