
I have a fairly simple Lambda that I'm going to use to start and stop EC2 instances on a cron schedule. In it, I'm checking to see if the instance is already running or not.

```python
# get instance
instance = ec2.Instance(instance_id)

# return if instance already running
if instance.state['Name'] in ["pending", "running"]:
    return True
```

When I execute the Lambda, I get the following error:

An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.

Here is a snippet of my policy, copied directly from IAM and edited to remove account info:

```json
{
  "Sid": "",
  "Effect": "Allow",
  "Action": [
    "ec2:StopInstances",
    "ec2:StartInstances",
    "ec2:DescribeInstances"
  ],
  "Resource": "arn:aws:ec2:us-east-1:############:instance/i-#############"
},
```

For what reason would I be seeing this error under these circumstances? I've confirmed that my code that starts the instance works; I only see an error when I attempt to get the status of the instance.

S. Davenport
  • https://stackoverflow.com/questions/36767975/why-does-applying-a-condition-to-ec2describeinstances-in-an-iam-policy-fail – Mark B Nov 16 '22 at 20:44
  • @MarkB I saw that answer and interpreted it in the completely opposite direction. Separating the "DescribeInstances" action to a separate statement with "*" resources worked. – S. Davenport Nov 16 '22 at 21:00
  • @S.Davenport Completely unrelated to your question. But something that relates to what you are trying to achieve. Refer to [this AWS reference](https://aws.amazon.com/solutions/implementations/instance-scheduler-on-aws/) for a CloudFormation which lets you do starting and stopping of instances based on a schedule – user11666461 Nov 17 '22 at 05:19
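
The fix reported in the comments, moving `ec2:DescribeInstances` into its own statement with `"Resource": "*"`, can be checked offline. The sketch below is an added example, not code from the question or from AWS: it generalizes to every `ec2:Describe*` action (none of them support resource-level permissions), the account and instance IDs are constructed placeholders, and `split_statement` and `is_allowed` are hypothetical helpers using a simplified Allow-only evaluation.

```python
from fnmatch import fnmatchcase

# Constructed placeholder ARN (not a value from the question).
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"

# The statement from the question, with the placeholder ARN filled in.
ORIGINAL = {
    "Sid": "",
    "Effect": "Allow",
    "Action": ["ec2:StopInstances", "ec2:StartInstances", "ec2:DescribeInstances"],
    "Resource": INSTANCE_ARN,
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def needs_wildcard(action):
    """ec2:Describe* calls do not support resource-level permissions."""
    return action.lower().startswith("ec2:describe")


def split_statement(stmt):
    """Move ec2:Describe* actions into their own statement on Resource "*"."""
    actions = as_list(stmt["Action"])
    unscoped = [a for a in actions if needs_wildcard(a)]
    scoped = [a for a in actions if not needs_wildcard(a)]
    if not unscoped or as_list(stmt["Resource"]) == ["*"]:
        return [stmt]
    out = [{**stmt, "Action": unscoped, "Resource": "*"}]
    if scoped:
        out.insert(0, {**stmt, "Action": scoped})  # keeps the instance ARN
    return out


def is_allowed(statements, action, resource="*"):
    """Simplified Allow-only evaluation: no Deny, Condition or NotAction handling."""
    # A call without resource-level support is authorized against "*".
    target = "*" if needs_wildcard(action) else resource
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"]))
        resource_ok = any(fnmatchcase(target, r) for r in as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False
```

Start and stop stay pinned to the one instance ARN; only the read-only describe call is widened to `*`.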
