AWS EC2 Image Builder Lifecyle Policy execution failed with authorized error
I have an EC2 Image Builder lifecycle policy that should keep on the most recent images, but I see that it constantly fails with an error when triggered:
Unable to describe attributes of ami-01efe7b0d3f5e27c1 by ec2:DescribeImageAttribute. Error: You are not authorized to perform this operation. User: arn:aws:sts::XXXX:assumed-role/AWSServiceRoleForImageBuilder/ImageBuilder is not authorized to perform: ec2:DescribeImageAttribute on resource: arn:aws:ec2:eu-central-1::image/ami-01efe7b0d3f5e27c1 because no identity-based policy allows the ec2:DescribeImageAttribute action.
Please advice, have no clue what might be wrong, I do have the managed AWSServiceRoleForImageBuilder role and it has all necessary permissions and is used in the lifecycle policy.
Solution
I had the same problem. I fixed it by creating my own role, which I use for both the pipeline and lifecycle policy.
Permissions:
EC2ImageBuilderLifecycleExecutionPolicy
EC2InstanceProfileForImageBuilder
EC2InstanceProfileForImageBuilderECRContainerBuilds
Inline:
{ "Sid": "LifecyclePolicyNeedsMorePermission", "Effect": "Allow", "Action": [ "ec2:DescribeImageAttribute" ], "Resource": "*" }
Trust Relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "imagebuilder.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
- AWS AppSync Lambda authoriser always results in "Error: Request failed with status code 401"
- How to make CloudFront never cache index.html on S3 bucket
- AWS Cognito - How to force select account when signing in with Google
- aws_instance - changing volume_size
- couldn't get current server API group list: the server has asked for the client to provide credentials error: You must be logged in to the server
- aws s3 ls: An HTTP Client raised an unhandled exception: Invalid header value
- LocalStack TestContainer + AWS SQS + Spring Boot -> Unable to execute HTTP request
- Deleting cognito user & identity has no affect on user access
- I am trying to add a cloudfront behavior to my an origin and I am getting InvalidArgument: The parameter CachedMethods is required
- Zip multiple S3 files and stream the archive back to S3 using limited memory
- AWS public IPv4 address usage
- run scheduled task in AWS without cron
- Why can't I connect AWS RDS instance from EC2 instance in another VPC after peering
- Target Group Binding not getting created for an ALB
- How to rename MYSQL database in RDS?
- Why does Getting a record, modifying its primary key, and then Putting it back seem to overwrite the record if the primary keys are different?
- How do you add python packages in AWS Glue 3.0 Jupyter Notebook jobs?
- Running Jupyter Notebook on AWS Lambda
- Use AWS Lambda to execute a jupyter notebook on AWS Sagemaker
- Retrieve Amazon Reviews user emails through API
- How to link "aws_apigatewayv2_route" with "aws_apigatewayv2_integration"?
- Security group setup to restrict EC2 to VPC lambda
- Get files names in sub-directories in a directory in AWS3 by C#
- AWS EC2 Connection closed by when trying ssh into instance
- Selling Partner API Amazon 400 bad request
- AWS credentials from 'Single Sign On' expire too frequently - how can I get credentials with a longer lifetime?
- How to connect a lambda to a database accessible locally on Mac's localhost when using sam
- AWS EC2 Placement Groups: Partition vs Spread
- Can I trace every request using AWS X-Ray?
- Lambda cold start possible solution?