Tags: amazon-web-services, amazon-ec2, amazon-iam, policy

not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action


I am trying to give a test user access with limited permissions on an EC2 instance, to perform server start and stop activity. Unfortunately I am getting this message on the testuser dashboard:

**Error: You are not authorized to perform this operation. User: arn:aws:iam::XXXXXXXXXXXX:user/testuser is not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action**

policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX",
                "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceId": [
                        "i-XXXXXXXXXXXXXXXXX"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceId": [
                        "i-XXXXXXXXXXXXXXXXX"
                    ]
                }
            }
        }
    ]
}

Please help me.


Solution

  • When accessing the Amazon EC2 management console, users will be presented with a list of EC2 instances in that region.

    To display this information, the management console makes a DescribeInstances call to AWS on behalf of the user to retrieve a list of ALL instances. However, looking at your policy, the testuser does not have permission to list ALL instances. Therefore, the management console gives an error message.

    You have three choices:

    Option 1: Allow the testuser to call DescribeInstances on ALL instances, not just the two you have listed in your policy.

    Option 2: Ignore the error. Instead, give the user URLs that will take them directly to the desired instance in the console without going via the 'Instances' screen in the console. You can do this by having somebody with the necessary permission go to the instance, then just copy the URL and provide it to your testing person. They can then use that URL to go directly to the instance to start/stop the instance.

    Option 3: Don't use the console. Instead, have your testing person use the AWS CLI:

    To start an instance:

    aws ec2 start-instances --instance-ids i-1234567890abcdef0
    

    To stop an instance:

    aws ec2 stop-instances --instance-ids i-1234567890abcdef0
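The root cause behind Option 1 is that `ec2:Describe*` actions do not support resource-level permissions: an Allow statement that lists instance ARNs for `ec2:DescribeInstances` never matches any request, so the console's listing call is denied even though the Start/Stop statements are fine. The script below is an added example, not code from the question or the answer. It reproduces the shape of the posted policy with placeholder account and instance IDs (the `ACCOUNT`, `INSTANCE_A` and `INSTANCE_B` values and the `instance_arn`, `find_describe_with_arn` and `fix_policy` helpers are all constructed here), flags Describe statements that are scoped to ARNs, and emits a corrected policy that grants the Describe actions on `"*"` while keeping `ec2:StartInstances` and `ec2:StopInstances` restricted to the named instances.

```python
"""
Added example (not from the original question or answer).

ec2:Describe* actions do not support resource-level permissions, so an Allow
statement that lists instance ARNs for ec2:DescribeInstances never matches a
request and the console's DescribeInstances call is denied. The fix moves the
Describe actions into their own statement with Resource "*" and leaves the
Start/Stop statements scoped to specific instance ARNs (least privilege).
Account and instance IDs below are placeholders, not values from the page.
"""
import copy
import json

ACCOUNT = "111122223333"            # placeholder account id
INSTANCE_A = "i-0aaaaaaaaaaaaaaaa"  # placeholder instance ids
INSTANCE_B = "i-0bbbbbbbbbbbbbbbb"


def instance_arn(instance_id, region="us-east-1", account=ACCOUNT):
    """Build an EC2 instance ARN (constructed helper)."""
    return f"arn:aws:ec2:{region}:{account}:instance/{instance_id}"


# Same shape as the policy in the question: Describe scoped to ARNs (the bug),
# Start/Stop scoped to the two instances (correct).
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances"],
         "Resource": [instance_arn(INSTANCE_A), instance_arn(INSTANCE_B)]},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": [instance_arn(INSTANCE_A), instance_arn(INSTANCE_B)]},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def _is_describe(action):
    return action.lower().startswith("ec2:describe")


def find_describe_with_arn(policy):
    """Return indexes of Allow statements granting ec2:Describe* on anything other than "*"."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(_is_describe(a) for a in actions) and any(r != "*" for r in resources):
            findings.append(idx)
    return findings


def fix_policy(policy):
    """Move Describe actions out of ARN-scoped statements into one Resource "*" statement."""
    fixed = copy.deepcopy(policy)
    describe_actions = []
    new_statements = []
    for stmt in fixed["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and any(_is_describe(a) for a in actions):
            describe_actions.extend(a for a in actions if _is_describe(a))
            remaining = [a for a in actions if not _is_describe(a)]
            if not remaining:
                continue  # statement was Describe-only; it is replaced below
            stmt["Action"] = remaining  # keep non-Describe actions ARN-scoped
        new_statements.append(stmt)
    if describe_actions:
        new_statements.insert(0, {
            "Sid": "DescribeNeedsWildcardResource",
            "Effect": "Allow",
            "Action": sorted(set(describe_actions)),
            "Resource": "*",
        })
    fixed["Statement"] = new_statements
    return fixed


if __name__ == "__main__":
    print("statements that never match:", find_describe_with_arn(ORIGINAL_POLICY))
    print(json.dumps(fix_policy(ORIGINAL_POLICY), indent=2))
```

After attaching the corrected policy, the change can be confirmed from the CLI with `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::<account-id>:user/testuser --action-names ec2:DescribeInstances ec2:StartInstances`, which reports an `allowed` decision for DescribeInstances without granting the user any wider Start/Stop rights than the original policy did.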