Trying to create a Launch Configuration item, I get this error:

Launch Config problem: An error occurred (ValidationError) when calling the operation: Invalid IamInstanceProfile:AWS_EC2_INSTANCE_PROFILE_ROLE

Executing this type of code w/ boto3:

self.as_client.create_launch_configuration(
    KeyName=f"{self.vpcid}-{self.profile_name}.pem",
    IamInstanceProfile=self.inst_prof_name,
    ImageId=self.ec2_inst.ami,
    InstanceType=self.ec2_inst.type,
    LaunchConfigurationName=self.ec2_inst.lc_name,
    SecurityGroups=[x.id for x in self.sec_groups.values()],
    UserData=userdata,
)

I created 2 locally managed policies and attached them to a Role and assigned the role to an instance profile. (It seems boto3 does not allow viewing locally managed policies in the Role, only managed AWS ones, except when explicitly trying):

print(iam_client.get_role_policy(RoleName="EC2AppRole",PolicyName="CloudWatchSendPolicy"))
print(iam_client.get_role_policy(RoleName="EC2AppRole",PolicyName="AwsSecretsPolicy"))

Here's the Role w/ policy details:

== Role: EC2AppRole ==

{'RoleName': 'EC2AppRole', 'PolicyName': 'CloudWatchSendPolicy', 'PolicyDocument': {'Version': '2012-10-17', 'Statement': [{'Action': ['autoscaling:Describe*', 'cloudwatch:', 'logs:', 'sns:'], 'Effect': 'Allow', 'Resource': ''}]},

{'RoleName': 'EC2AppRole', 'PolicyName': 'AwsSecretsPolicy', 'PolicyDocument': {'Version': '2012-10-17', 'Statement': {'Effect': 'Allow', 'Action': ['secretsmanager:Describe*', 'secretsmanager:Get*', 'secretsmanager:List*'], 'Resource': '*'}},

The Instance Profile seems OK:

== Instance Profile ==

{'Path': '/', 'InstanceProfileName': 'AWS_EC2_INSTANCE_PROFILE_ROLE', 'InstanceProfileId': 'AIPAXQXBO3GJ2LGTKDJ3L', 'Arn': 'arn:aws:iam::516942649747:instance-profile/AWS_EC2_INSTANCE_PROFILE_ROLE', 'CreateDate': datetime.datetime(2020, 12, 24, 5, 30, 4, tzinfo=tzutc()), 'Roles': [{'Path': '/', 'RoleName': 'EC2AppRole', 'RoleId': 'AROAXQXBO3GJ2AUOHJMVV', 'Arn': 'arn:aws:iam::516942649747:role/EC2AppRole', 'CreateDate': datetime.datetime(2020, 12, 24, 5, 30, 4, tzinfo=tzutc()), 'AssumeRolePolicyDocument': {'Version': '2012-10-17', 'Statement': [{'Effect': 'Allow', 'Principal': {'Service': 'ec2.amazonaws.com'}, 'Action': 'sts:AssumeRole'}]}}]}

Sorry I don't know how to properly format this post very well.

Any information I can share to help clarify?

I've tested everything in the create_launch_configuration call to be correct as best I can tell.

jouell

1 Answer

Use a waiter:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#waiters

or time.sleep(x)

to make sure the resource is available.

(Will wait to self accept) - Initial testing suggests it's a waiting issue.

jouell
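The waiter from the answer, combined with a bounded retry on the specific error from the question, as an added example that is not part of the original post. The IAM waiter only confirms that IAM returns the profile, while the error in the question comes from the Auto Scaling call, so the retry covers that second step. `profile_not_ready`, `create_lc_when_profile_ready` and the `Fake*` classes are hypothetical names; the fakes are constructed stand-ins for the boto3 IAM and Auto Scaling clients so the block runs offline.

```python
import time

def profile_not_ready(exc):
    """True for the question's error: ValidationError / Invalid IamInstanceProfile."""
    err = getattr(exc, "response", {}).get("Error", {})
    return (err.get("Code") == "ValidationError"
            and "Invalid IamInstanceProfile" in err.get("Message", ""))

def create_lc_when_profile_ready(iam_client, as_client, lc_kwargs,
                                 attempts=6, base_delay=2.0, sleep=time.sleep):
    """Wait for the profile, then create the launch configuration, retrying only
    while Auto Scaling rejects the profile. Returns the number of attempts used."""
    # Assumption: lc_kwargs["IamInstanceProfile"] is the profile name, not its ARN.
    iam_client.get_waiter("instance_profile_exists").wait(
        InstanceProfileName=lc_kwargs["IamInstanceProfile"])
    for attempt in range(1, attempts + 1):
        try:
            as_client.create_launch_configuration(**lc_kwargs)
            return attempt
        except Exception as exc:  # boto3 raises ClientError carrying a .response dict
            if attempt == attempts or not profile_not_ready(exc):
                raise  # unrelated error, or retries exhausted
            sleep(base_delay * 2 ** (attempt - 1))  # 2 s, 4 s, 8 s, ...

# Constructed stand-ins so the example runs offline; these are not AWS clients.
class FakeClientError(Exception):
    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}

class FakeIam:
    def get_waiter(self, name):
        return self  # acts as its own waiter

    def wait(self, **kwargs):
        self.waited_for = kwargs["InstanceProfileName"]

class FakeAutoScaling:
    """Rejects the profile `failures` times, then accepts the call."""
    def __init__(self, failures):
        self.failures, self.calls = failures, 0

    def create_launch_configuration(self, **kwargs):
        self.calls += 1
        if self.calls <= self.failures:
            raise FakeClientError(
                "ValidationError",
                "Invalid IamInstanceProfile: " + kwargs["IamInstanceProfile"])
```

With real clients, pass `boto3.client("iam")` and `boto3.client("autoscaling")` plus the same keyword arguments used in the question's `create_launch_configuration` call.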