I'm using the AWS SDK v2 in Golang to launch EC2 instances. When I use my personal AWS credentials, the RunInstances
call works as expected, but with the assumed role generated from the EC2 instance's IAM policy, the call returns no error but the instance immediately enters the shutting-down/terminated state after leaving the pending state. The CloudTrail logs show only userIdentity as different between the two cases.
I've tried various IAM policy adjustments without success and I'm unsure how to diagnose this further.
How the config is loaded
I do not have a default VPC set, and as far as I can tell it is correctly assuming the role.
cfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithDefaultRegion(region))
I have also played around with adding config.WithAssumeRoleCredentialOptions,
but using this seems to not affect the assumed role at all. For example, setting the session name does not even seem to do anything.
// Note: this option only applies to the stscreds.AssumeRoleProvider, i.e. when the
// loaded profile specifies role_arn. Credentials taken from the instance profile
// (IMDS) do not pass through it, which is why the session name has no effect there.
cfg, err := awsconfig.LoadDefaultConfig(ctx,
	awsconfig.WithDefaultRegion(region),
	awsconfig.WithAssumeRoleCredentialOptions(func(aro *stscreds.AssumeRoleOptions) {
		aro.RoleSessionName = "session-name"
	}),
)
RunInstances input
To give a rough idea of what I am attempting to pass in:
// On many EBS-backed AMIs /dev/sda1 (or /dev/xvda) is the root device name,
// so a mapping with this DeviceName replaces the root volume's size/type
// rather than attaching a second disk.
extraDisk := types.BlockDeviceMapping{
	DeviceName: aws.String("/dev/sda1"),
	Ebs: &types.EbsBlockDevice{
		DeleteOnTermination: aws.Bool(true),
		VolumeSize:          aws.Int32(diskSize),
		VolumeType:          types.VolumeTypeStandard,
	},
}

input := &ec2.RunInstancesInput{
	KeyName:          aws.String(key),
	ImageId:          aws.String(image),
	InstanceType:     types.InstanceType("t2.medium"),
	MinCount:         aws.Int32(1),
	MaxCount:         aws.Int32(1),
	SecurityGroupIds: []string{secGroupID},
	// With "terminate", an OS-level shutdown (for example at the end of the
	// user-data script) terminates the instance instead of stopping it.
	InstanceInitiatedShutdownBehavior: types.ShutdownBehaviorTerminate,
	BlockDeviceMappings:               []types.BlockDeviceMapping{extraDisk},
	TagSpecifications:                 tags,
	SubnetId:                          aws.String(subnet),
	UserData:                          aws.String(encodedJobData),
	PrivateIpAddress:                  aws.String(ipReserved),
}
Trust relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
attached policy
For debugging purposes it's currently at this extreme. CloudTrail also seems to indicate that only EC2 resources are being used in this call, so this should be sufficient.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents",
        "logs:DescribeLogStreams",
        "logs:DescribeLogGroups",
        "logs:CreateLogStream",
        "logs:CreateLogGroup",
        "ec2:*"
      ],
      "Resource": "*"
    }
  ]
}
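Added diagnostic example (not code from the question): when an instance goes pending -> shutting-down -> terminated without an API error, EC2 records the cause in the instance's StateReason (and StateTransitionReason), which the SDK's ec2.DescribeInstances call and `aws ec2 describe-instances --instance-ids <id>` both return. The standalone Go program below, standard library only, parses that JSON and reports the reason code with a short reading of it, and also checks whether a RunInstances block device mapping names the AMI's root device (as the /dev/sda1 mapping in the question may, depending on the AMI). The JSON is constructed sample data, and the hint table is an assumption mapping a few StateReason codes from the EC2 termination troubleshooting documentation to plain English.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the describe-instances response relevant to a launch that went
// pending -> shutting-down -> terminated. StateReason is where EC2 records why
// it terminated the instance; StateTransitionReason repeats it as free text.
type describeInstancesOutput struct {
	Reservations []struct {
		Instances []struct {
			InstanceID            string                         `json:"InstanceId"`
			RootDeviceName        string                         `json:"RootDeviceName"`
			State                 struct{ Name string }          `json:"State"`
			StateReason           struct{ Code, Message string } `json:"StateReason"`
			StateTransitionReason string                         `json:"StateTransitionReason"`
		} `json:"Instances"`
	} `json:"Reservations"`
}

// launchDiagnosis is the per-instance summary the program produces.
type launchDiagnosis struct {
	InstanceID string
	State      string
	ReasonCode string
	Reason     string
	Hint       string
}

// stateReasonHints gives a one-line reading of StateReason codes EC2 sets on
// instances terminated during or right after launch. Assumption: these are the
// codes listed in the EC2 termination troubleshooting documentation.
var stateReasonHints = map[string]string{
	"Client.InstanceInitiatedShutdown": "the OS inside the instance issued a shutdown (e.g. from the user-data script); with InstanceInitiatedShutdownBehavior=terminate that terminates instead of stopping",
	"Client.UserInitiatedShutdown":     "an API call terminated it; look for TerminateInstances in CloudTrail",
	"Client.InternalError":             "a client-side error during launch, e.g. a root volume that could not be created from the AMI snapshot",
	"Client.VolumeLimitExceeded":       "the account's EBS volume or storage limit was exceeded",
	"Server.InternalError":             "an AWS-side error during launch",
}

// diagnoseInstances parses describe-instances JSON and summarises each instance.
func diagnoseInstances(raw []byte) ([]launchDiagnosis, error) {
	var out describeInstancesOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, fmt.Errorf("parsing describe-instances output: %w", err)
	}
	var result []launchDiagnosis
	for _, r := range out.Reservations {
		for _, in := range r.Instances {
			hint, ok := stateReasonHints[in.StateReason.Code]
			if !ok {
				hint = "no hint for this code; see StateTransitionReason: " + in.StateTransitionReason
			}
			result = append(result, launchDiagnosis{
				InstanceID: in.InstanceID,
				State:      in.State.Name,
				ReasonCode: in.StateReason.Code,
				Reason:     in.StateReason.Message,
				Hint:       hint,
			})
		}
	}
	return result, nil
}

// mappingOverridesRoot reports whether any DeviceName in a RunInstances
// BlockDeviceMappings list equals the AMI's RootDeviceName. Such a mapping
// changes the root volume (size, type, DeleteOnTermination) instead of adding
// a second disk, which is worth confirming when the intent was "extra disk".
func mappingOverridesRoot(rootDeviceName string, mappingDeviceNames []string) bool {
	for _, d := range mappingDeviceNames {
		if d == rootDeviceName {
			return true
		}
	}
	return false
}

// sampleDescribeOutput is constructed sample input shaped like the output of
// `aws ec2 describe-instances --instance-ids <id>` for an instance the OS shut
// down; it is not real account data.
const sampleDescribeOutput = `{
  "Reservations": [{
    "Instances": [{
      "InstanceId": "i-0123456789abcdef0",
      "RootDeviceName": "/dev/sda1",
      "State": {"Code": 48, "Name": "terminated"},
      "StateReason": {
        "Code": "Client.InstanceInitiatedShutdown",
        "Message": "Client.InstanceInitiatedShutdown: Instance initiated shutdown"
      },
      "StateTransitionReason": "Client.InstanceInitiatedShutdown: Instance initiated shutdown"
    }]
  }]
}`

func main() {
	diags, err := diagnoseInstances([]byte(sampleDescribeOutput))
	if err != nil {
		panic(err)
	}
	for _, d := range diags {
		fmt.Printf("%s is %s: %s (%s)\n  hint: %s\n", d.InstanceID, d.State, d.ReasonCode, d.Reason, d.Hint)
	}
	// The question's mapping names /dev/sda1, which is also this sample AMI's root device.
	fmt.Println("mapping replaces root volume:", mappingOverridesRoot("/dev/sda1", []string{"/dev/sda1"}))
}
```

To use it against a real launch, replace sampleDescribeOutput with the describe-instances output for the terminated instance, fetched with the same assumed-role credentials (DescribeInstances is covered by the ec2:* policy above), and compare RootDeviceName from `aws ec2 describe-images --image-ids <ami>` with the DeviceName in the request. Running `aws sts get-caller-identity` under the same credentials also confirms which role session actually made the RunInstances call, independently of the session name option.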