1
votes

While CloudFormation is building the stack, I get the following error:

AWS::AutoScaling::LaunchConfiguration N1ClusterServerLaunchConfig You are not authorized to perform this operation

I have admin full access user privileges, but this still fails. Is the authorization due to the IAMs defined inside the template?

    "N1ClusterServerAutoScale": {
      "Type": "AWS::AutoScaling::AutoScalingGroup",
      "Properties": {
        "AvailabilityZones": {
          "Fn::GetAZs": ""
        },
        "LaunchConfigurationName": {
          "Ref": "N1ClusterServerLaunchConfig"
        },
        "MinSize": "2",
        "MaxSize": "64",
        "DesiredCapacity": {
          "Ref": "ClusterSize"
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": {
              "Ref": "AWS::StackName"
            },
            "PropagateAtLaunch": true
          }
        ]
      },
      "Metadata": {
        "AWS::CloudFormation::Designer": {
          "id": "a715af00-ebba-4fab-a817-d5ee1986dfe7"
        }
      }
    },
    "N1ClusterServerLaunchConfig": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {
        "ImageId": {
          "Fn::FindInMap": [
            "RegionMap",
            {
              "Ref": "AWS::Region"
            },
            "hvm"
          ]
        },
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "KeyName": {
          "Ref": "KeyPair"
        },
        "SecurityGroups": [
          {
            "Ref": "N1ClusterSecurityGroup"
          },
          {
            "Ref": "N1NodeSecurityGroup"
          }
        ],
        "IamInstanceProfile": {
          "Ref": "IamInstanceProfile"
        },

IAM

    "AllowComputeFrom": {
      "Description": "The net block (CIDR) that N1-COMPUTE is available to.",
      "Default": "0.0.0.0/0",
      "Type": "String"
    },
    "IamInstanceProfile": {
      "Description": "The name of an IAM Profile which can access required S3 buckets and instances.",
      "Default": "arn:aws:iam::247256189695:instance-profile/n1-compute-instance",
      "Type": "String"
    },
    "IamInstanceProfileShort": {
      "Description": "The last part of the name of an IAM Profile which can create instances.",
      "Default": "n1-compute-instance",
      "Type": "String"
    },
1
Share your IAM policies for your user or the user you are using with CF. - George M Whitaker

Thanks for your reply. My account IAM permission is admin full access. The IAM defined in the template is updated above. - Sam

Are you creating the IAM in the template? There's a known issue with a timing/race condition where policies don't instantly attach to the Roles if both are defined in the template. - Tim Bassett

1 Answer

0
votes

ec2:RunInstances is required to use a Launch template
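
As an added example (not part of the question or the answer), this Python pre-flight check walks a template like the one in the question and lists what to verify for each launch configuration: `ec2:RunInstances` as named in the answer, plus `autoscaling:CreateLaunchConfiguration`, `iam:PassRole` and the instance profile's account, which are assumptions added here. The function names, the trimmed sample template and the deploying account ID `111122223333` are constructed for illustration.

```python
import json

# Constructed sample: trimmed from the template fragments in the question.
TEMPLATE = json.loads("""
{
  "Parameters": {
    "IamInstanceProfile": {
      "Type": "String",
      "Default": "arn:aws:iam::247256189695:instance-profile/n1-compute-instance"
    }
  },
  "Resources": {
    "N1ClusterServerLaunchConfig": {
      "Type": "AWS::AutoScaling::LaunchConfiguration",
      "Properties": {"IamInstanceProfile": {"Ref": "IamInstanceProfile"}}
    }
  }
}
""")

def resolve(value, params):
    """Return a literal as-is, or the Default of a {"Ref": <parameter>}."""
    if isinstance(value, dict) and "Ref" in value:
        return params.get(value["Ref"], {}).get("Default")
    return value

def preflight(template, deploying_account):
    """List (resource, finding) pairs for every launch configuration."""
    params = template.get("Parameters", {})
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::AutoScaling::LaunchConfiguration":
            continue
        # ec2:RunInstances comes from the answer; the other actions are assumptions.
        findings.append((name, "caller needs ec2:RunInstances"))
        findings.append((name, "caller needs autoscaling:CreateLaunchConfiguration"))
        props = res.get("Properties", {})
        if "IamInstanceProfile" not in props:
            continue
        findings.append((name, "caller needs iam:PassRole for the profile's role"))
        profile = resolve(props["IamInstanceProfile"], params)
        parts = profile.split(":") if isinstance(profile, str) else []
        if len(parts) > 4 and parts[0] == "arn" and parts[4] != deploying_account:
            findings.append((name, "instance profile is in account " + parts[4]))
    return findings

if __name__ == "__main__":
    for resource, finding in preflight(TEMPLATE, "111122223333"):  # constructed ID
        print(resource + ": " + finding)
```

Each finding is a prompt for a manual check of the deploying principal's policies, not a verdict on why the stack failed.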