
Given the following role, why can my test IAM user not see any EC2 instances? When I log in with the test user and go to EC2 I just see "You are not authorized to perform this operation".

As you can see, I built this through the GUI editor. What am I missing?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:DescribeHostReservations",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeInstanceEventNotificationAttributes",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeHosts",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeVolumes",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": [
                "arn:aws:license-manager:*:<redacted>:license-configuration:*",
                "arn:aws:ec2:*:<redacted>:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Product": "Website"
                }
            }
        }
    ]
}
THE JOATMON
  • As a test could you apply the permissions to Resource of "*" and remove the condition? The actions themselves look correct, so that might let you determine if it is the resource description or condition. – Cadmium Jan 13 '23 at 17:23
  • Same result with no conditions. – THE JOATMON Jan 13 '23 at 19:15
  • Only other thoughts are to keep permuting this (e.g. * for actions, but leave conditions and resources in). There are a lot of Describe* actions at https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions - I think DescribeInstances should be what you want, but have not tried to limit this way in the past myself. There is also a policy simulator that might be useful if you haven't tried it. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html – Cadmium Jan 13 '23 at 20:39
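
The following script is an added example, not code from the question or its comments. It assumes, from the AWS Service Authorization Reference, that the ec2:Describe* actions accept no resource type, so an Allow statement for them only matches when Resource is "*" and no aws:ResourceTag condition is attached; ec2:StartInstances and ec2:StopInstances do accept instance ARNs and the tag condition. The script takes the question's policy (with the redacted account id replaced by a placeholder), reports the Describe actions that can never match as written, and emits a two-statement policy: the Describe actions on "*" without a condition, and Start/Stop still scoped to instances tagged Product=Website. Function names and the `WILDCARD_ONLY_PATTERNS` list are mine.

```python
import copy
import fnmatch
import json

# Constructed sample: the policy from the question; the account id is a placeholder.
ACCOUNT_ID = "123456789012"
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:DescribeHostReservations",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeInstanceEventNotificationAttributes",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeHosts",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeVolumes",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstanceStatus",
            ],
            "Resource": [
                f"arn:aws:license-manager:*:{ACCOUNT_ID}:license-configuration:*",
                f"arn:aws:ec2:*:{ACCOUNT_ID}:instance/*",
            ],
            "Condition": {"StringEquals": {"aws:ResourceTag/Product": "Website"}},
        }
    ],
}

# Assumption (editor's): EC2 Describe* actions accept no resource type, so an Allow
# for them only matches Resource "*" and cannot be gated on aws:ResourceTag.
WILDCARD_ONLY_PATTERNS = ("ec2:Describe*",)


def as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def requires_wildcard_resource(action):
    return any(fnmatch.fnmatchcase(action, p) for p in WILDCARD_ONLY_PATTERNS)


def find_misscoped_actions(policy):
    """Return actions that can never match because their statement is ARN- or tag-scoped."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        scoped = "*" not in as_list(stmt.get("Resource", [])) or "Condition" in stmt
        if not scoped:
            continue
        found.extend(a for a in as_list(stmt["Action"]) if requires_wildcard_resource(a))
    return sorted(found)


def split_statement(stmt):
    """Split one Allow into a wildcard read-only part and the original scoped part."""
    actions = as_list(stmt["Action"])
    wildcard = [a for a in actions if requires_wildcard_resource(a)]
    scoped = [a for a in actions if not requires_wildcard_resource(a)]
    out = []
    if wildcard:
        out.append({"Sid": f"{stmt.get('Sid', 'Stmt')}Describe", "Effect": "Allow",
                    "Action": wildcard, "Resource": "*"})
    if scoped:
        rest = copy.deepcopy(stmt)  # keeps Resource ARNs and the tag Condition
        rest["Action"] = scoped
        out.append(rest)
    return out


def fix_policy(policy):
    """Rewrite every Allow statement whose Describe actions are mis-scoped."""
    fixed = copy.deepcopy(policy)
    statements = []
    for stmt in fixed["Statement"]:
        if stmt.get("Effect") == "Allow" and find_misscoped_actions({"Statement": [stmt]}):
            statements.extend(split_statement(stmt))
        else:
            statements.append(stmt)
    fixed["Statement"] = statements
    return fixed


if __name__ == "__main__":
    print("Actions that can never match as written:", find_misscoped_actions(QUESTION_POLICY))
    print(json.dumps(fix_policy(QUESTION_POLICY), indent=4))
```

Running the script prints the 14 Describe actions as unreachable and a policy whose first statement grants them on "*", which is the minimum the EC2 console needs to list instances; the second statement keeps Start/Stop limited to instances carrying the Product=Website tag, so the least-privilege intent of the original is preserved where the service actually supports it. The IAM policy simulator linked in the comments gives the same verdict per action and is the quickest way to confirm this against a live account.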

0 Answers