I follow this link documentation
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#ex5
I want to provide a user specific Image Launch permission which specified tag, "department=dev".
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:region::image/ami-*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/department": "dev"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:region:account:instance/*",
"arn:aws:ec2:region:account:volume/*",
"arn:aws:ec2:region:account:key-pair/project_keypair",
"arn:aws:ec2:region:account:security-group/sg-1a2b3c4d"
]
}
]
}
I also added a separated Describe police because i am using interface not cli .
But when i launch instances its show initialization failed and stop . I decode the error message and it provide me
{
"DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"it
ems\":[]},\"context\":{\"principal\":{\"id\":\"AIDAJXOEQNA64A677DGQO\",\"name\":\"DevOps1\",\"arn\":\"arn:aws:iam::95524
6940111:user/DevOps1\"},\"action\":\"ec2:RunInstances\",\"resource\":\"arn:aws:ec2:us-east-1:955246940111:network-interf
ace/*\",\"conditions\":{\"items\":[{\"key\":\"ec2:Subnet\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1:955
246940111:subnet/subnet-9d25b5b6\"}]}},{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"ke
y\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"us-east-1c\"}]}},{\"key\":\"ec2:Vpc\",\"values\":{\"ite
ms\":[{\"value\":\"arn:aws:ec2:us-east-1:955246940111:vpc/vpc-ebeed48e\"}]}}]}}}"
Please help
Try adding
to the resource list in the policy.
That's what the decoded auth message is reporting as missing/wrong.
Also make sure you replace any instances of
regionandaccountwith the actual values in your policy, assuming you haven't already.