Amazon EC2 Tag Based Launch Permission

166 views Asked by At

I follow this link documentation

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#ex5

I want to provide a user specific Image Launch permission which specified tag, "department=dev".

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [ 
         "arn:aws:ec2:region::image/ami-*"
      ],
      "Condition": {
         "StringEquals": {
            "ec2:ResourceTag/department": "dev"
         }
      }
   },
   {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [ 
          "arn:aws:ec2:region:account:instance/*",
          "arn:aws:ec2:region:account:volume/*",
          "arn:aws:ec2:region:account:key-pair/project_keypair",
          "arn:aws:ec2:region:account:security-group/sg-1a2b3c4d"
         ]
      }
   ]
}

I also added a separated Describe police because i am using interface not cli .

But when i launch instances its show initialization failed and stop . I decode the error message and it provide me

{
    "DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"it
ems\":[]},\"context\":{\"principal\":{\"id\":\"AIDAJXOEQNA64A677DGQO\",\"name\":\"DevOps1\",\"arn\":\"arn:aws:iam::95524
6940111:user/DevOps1\"},\"action\":\"ec2:RunInstances\",\"resource\":\"arn:aws:ec2:us-east-1:955246940111:network-interf
ace/*\",\"conditions\":{\"items\":[{\"key\":\"ec2:Subnet\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1:955
246940111:subnet/subnet-9d25b5b6\"}]}},{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"ke
y\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"us-east-1c\"}]}},{\"key\":\"ec2:Vpc\",\"values\":{\"ite
ms\":[{\"value\":\"arn:aws:ec2:us-east-1:955246940111:vpc/vpc-ebeed48e\"}]}}]}}}"

Please help

1

There are 1 answers

0
thatdamncat On

Try adding

"arn:aws:ec2:us-east-1:955246940111:network-interface/*"

to the resource list in the policy.

That's what the decoded auth message is reporting as missing/wrong.

Also make sure you replace any instances of region and account with the actual values in your policy, assuming you haven't already.