4
votes

My EC2 instance has the IAM role below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "~~~~",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/myrole": "true"
                }
            }
        }
    ]
}

But when I run the "aws ec2 describe-instances --instance-id i-00169bf14adaf25e4" command,

I got the error "An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation."

I tested an IAM role with full EC2 authority, and it works.

I also read this https://forums.aws.amazon.com/thread.jspa?messageID=512129 but it was about "Resource".

The official document does not talk about IAM roles. (https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances.html)

I think I missed some "Action" part, but I couldn't find it.

Can somebody tell me which IAM role is suitable for me, or how I can find it?

Thanks for reading this.

1
Can you please describe what you are wanting to achieve? Are you trying to grant permission to call DescribeInstances, but only for instances that have a tag called myRole? - John Rotenstein

@JohnRotenstein That's correct: get permission for DescribeInstances for instances that have a tag called myrole. - qkqhxla1

I think your code is currently checking whether the tag myRole has a value of true. (See IAM EC2 Resource Tags.) I'm not sure whether you can simply test for the existence of a tag name, regardless of value. - John Rotenstein

I found this is not my fault. I heard my company's role has a bug. That role, "ec2:ResourceTag/myrole": "true", is right. Thanks for the answer. @JohnRotenstein - qkqhxla1

1 Answer

4
votes

Use this policy and attach it to your IAM role (currently attached to your EC2 instance). This will return all instances in that account. Use the filters flag with the tag:key option to only return instances with the desired tag key/value pair.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}

ben5556 (Freelancer)
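The following is an added example, not code from the question, the answer, or AWS. It is a simplified model of IAM's evaluation logic (Allow/Deny statements, wildcard action matching, StringEquals conditions, and the rule that a StringEquals test on a key absent from the request context is false) applied to the two policies on this page. ec2:DescribeInstances is not evaluated against an individual instance, so no ec2:ResourceTag/* key is present in its request context; the tag-conditioned statement therefore never matches and the call falls through to an implicit deny, which is the UnauthorizedOperation seen in the question. The answer's unconditioned policy allows the call, and the tag restriction is then applied client-side, which is what `--filters Name=tag:myrole,Values=true` does on the CLI. The instance IDs, tags and request contexts below are constructed for the example; resource matching is omitted because both policies use "*".

```python
"""Simplified IAM evaluation plus client-side tag filtering (added example).

Not IAM itself and not code from the original post: only the parts of the
evaluation logic needed to show why the tag-conditioned DescribeInstances
policy fails and why the unconditioned one works are modelled.
"""
import fnmatch
import json

# The policy from the question (trailing comma removed so it parses).
TAG_CONDITIONED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DescribeTagged",
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances"],
        "Resource": "*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/myrole": "true"}},
    }],
}

# The policy from the answer.
UNCONDITIONED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "ec2:DescribeInstances",
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate a Condition block; only StringEquals is modelled.

    As in IAM, a StringEquals test against a key that is absent from the
    request context is false, so the statement does not apply.
    """
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in tests.items():
            if key not in context or context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, context):
    """Return 'Allow' or 'Deny' for one action under one policy.

    Explicit Deny wins over Allow; no matching statement is an implicit Deny.
    """
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt["Action"])
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request context for DescribeInstances: the call is not evaluated
# against a specific instance, so no ec2:ResourceTag/* key is present.
DESCRIBE_CONTEXT = {"aws:PrincipalTag/team": "platform"}

# Constructed describe-instances response: one tagged and one untagged instance.
SAMPLE_RESPONSE = json.loads("""{
  "Reservations": [{"Instances": [
    {"InstanceId": "i-0123456789abcdef0",
     "Tags": [{"Key": "myrole", "Value": "true"}]},
    {"InstanceId": "i-0fedcba9876543210",
     "Tags": [{"Key": "Name", "Value": "web"}]}
  ]}]
}""")


def filter_by_tag(response, key, values):
    """Client-side equivalent of --filters Name=tag:<key>,Values=<v1>,<v2>."""
    matched = []
    for reservation in response["Reservations"]:
        for inst in reservation["Instances"]:
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get(key) in values:
                matched.append(inst["InstanceId"])
    return matched


if __name__ == "__main__":
    print(evaluate(TAG_CONDITIONED_POLICY, "ec2:DescribeInstances", DESCRIBE_CONTEXT))
    print(evaluate(UNCONDITIONED_POLICY, "ec2:DescribeInstances", DESCRIBE_CONTEXT))
    print(filter_by_tag(SAMPLE_RESPONSE, "myrole", ["true"]))
```

The same `ec2:ResourceTag` condition does work on actions that are evaluated per instance (for example ec2:StartInstances), because there the instance's tags are part of the request context; the model above reproduces that if you give it such a policy and context. For the describe case, the practical pattern is the answer's: grant DescribeInstances unconditionally and narrow the result set with the CLI's `--filters` (or the equivalent `Filters` parameter in an SDK call), accepting that the caller can still list every instance in the account.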