
I am currently trying to assign an IAM role to one of my instances via AWS CLI. The CLI is running on a Linux instance that currently has Admin privileges for EC2 (AmazonEC2FullAccess policy).

I am trying to run the following command:

aws ec2 associate-iam-instance-profile --instance-id i-0xxxxxxxxxxx4 --iam-instance-profile Name=AmazonSSMRoleForInstancesQuickSetup

But I get the following error:

An error occurred (UnauthorizedOperation) when calling the AssociateIamInstanceProfile operation: You are not authorized to perform this operation. Encoded authorization failure message: <hash>

I am struggling to find what policy is required to allow this action from my AWS CLI instance. I even tried giving it the nuclear IAMFullAccess policy but I still got permission denied.

I've been trying to google it for a while now but I wasn't able to solve this problem by myself, please help.

Could you please tell me what policy is required in order to allow my instance to run aws ec2 associate-iam-instance-profile?

Additionally, is there a quick/easy way to find out what permissions are required to use certain aws cli functions?

Macko
    Maybe related: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html https://stackoverflow.com/questions/63148108/understanding-iam-passrole – luk2302 Feb 03 '22 at 17:46

2 Answers


Thanks to the articles posted by @luk2302 I was able to solve this issue. I hope that it will help at least one person in the future!

I was able to solve it by adding an in-line policy to my machine's role via IAM. I am referring to the role attached to the machine I run the AWS CLI on.

The in-line policy json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::00000000000:role/AmazonSSMRoleForInstancesQuickSetup"
        }
    ]
}

This in-line policy allowed me to assign the AmazonSSMRoleForInstancesQuickSetup role (and only this one) to the instances I create via Terraform.

Dharman
Macko

You may be missing permission for the iam:PassRole action.

To help debug your error, you can pass the encoded message to aws sts decode-authorization-message, which should narrow down exactly what is being denied, as in:

aws sts decode-authorization-message --encoded-message <encoded-message>

To give permission to associate an instance profile, you can define a policy like this (this example is using Terraform):

resource "aws_iam_policy" "example" {
  name        = "example"
  description = "Allow for assigning EC2 instance profile"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = "iam:GetInstanceProfile"
        # Replace with the ARN of the instance profile being associated.
        Resource = "<instance-profile-arn>"
      },
      {
        Effect   = "Allow"
        Action   = "iam:PassRole"
        # Replace with the ARN of the role inside that instance profile.
        Resource = "<role-used-for-instance-profile-arn>"
      },
    ]
  })
}
Thomas M