IAM user cannot see EC2 resources?

Given the following role, why can my test IAM user not see any EC2 instances? When I log in with the test user and go to EC2, I just see "You are not authorized to perform this operation".

As you can see, I built this through the GUI editor. What am I missing?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:DescribeHostReservations",
                "ec2:DescribeAddresses",
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeInstanceEventNotificationAttributes",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeHosts",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeVolumes",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": [
                "arn:aws:license-manager:*:<redacted>:license-configuration:*",
                "arn:aws:ec2:*:<redacted>:instance/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/Product": "Website"
                }
            }
        }
    ]
}
Cadmium:
As a test could you apply the permissions to Resource of "*" and remove the condition? The actions themselves look correct, so that might let you determine if it is the resource description or condition.
THE JOATMON:
Same result with no conditions.
Cadmium:
Only other thoughts are to keep permuting this (e.g. * for actions, but leave conditions and resources in). There are a lot of Describe* actions at https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions - I think DescribeInstances should be what you want, but have not tried to limit this way in the past myself. There is also a policy simulator that might be useful if you haven't tried it. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
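The thread never reaches a written answer, so here is an added check of my own (not code from the thread or from AWS). It rests on a documented property of the EC2 API: the ec2:Describe* actions do not support resource-level permissions or resource-tag conditions, so an Allow statement that scopes them to an instance ARN or to an aws:ResourceTag condition never matches, and the console reports exactly the "not authorized" error from the question. The script lints a policy document for that mistake and rewrites it so that Describe* actions move into their own statement with Resource "*", while StartInstances/StopInstances keep the ARN and tag restriction. The sample policy is the one from the question with its "<redacted>" account id kept as a placeholder; the function names are mine.

```python
import copy
import json
from fnmatch import fnmatch

# Constructed sample: the policy from the question, account id left as the
# question's own "<redacted>" placeholder.
POLICY_JSON = """
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "ec2:StartInstances", "ec2:StopInstances",
            "ec2:DescribeHostReservations", "ec2:DescribeAddresses",
            "ec2:DescribeInstances", "ec2:DescribeTags", "ec2:DescribeDhcpOptions",
            "ec2:DescribeInstanceEventNotificationAttributes",
            "ec2:DescribeInstanceCreditSpecifications", "ec2:DescribeHosts",
            "ec2:DescribeVolumeStatus", "ec2:DescribeInstanceTypeOfferings",
            "ec2:DescribeVolumes", "ec2:DescribeInstanceTypes",
            "ec2:DescribeKeyPairs", "ec2:DescribeInstanceStatus"
        ],
        "Resource": [
            "arn:aws:license-manager:*:<redacted>:license-configuration:*",
            "arn:aws:ec2:*:<redacted>:instance/*"
        ],
        "Condition": {"StringEquals": {"aws:ResourceTag/Product": "Website"}}
    }]
}
"""


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_describe(action):
    # Matches explicit names such as ec2:DescribeInstances and the ec2:Describe*
    # wildcard; a bare ec2:* is deliberately not treated as a Describe action.
    return fnmatch(action.lower(), "ec2:describe*")


def _is_narrowed(stmt):
    """True if the statement is limited to specific ARNs or carries a Condition."""
    resources = _as_list(stmt.get("Resource", []))
    return any(r != "*" for r in resources) or bool(stmt.get("Condition"))


def find_misscoped_describe(policy):
    """Return (Sid, action) pairs for ec2:Describe* actions that are granted only
    on specific ARNs or under a Condition. Such grants never match, because
    Describe* calls must be allowed on Resource "*"."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _is_narrowed(stmt):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if _is_describe(action):
                findings.append((stmt.get("Sid", ""), action))
    return findings


def split_describe_statements(policy):
    """Return a copy of the policy where mis-scoped Describe* actions are moved
    into their own statement with Resource "*" and no Condition. Other actions
    in the same statement keep their original ARNs and Condition."""
    fixed = copy.deepcopy(policy)
    statements = []
    for stmt in fixed["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        describe = [a for a in actions if _is_describe(a)]
        if stmt.get("Effect") != "Allow" or not describe or not _is_narrowed(stmt):
            statements.append(stmt)
            continue
        other = [a for a in actions if not _is_describe(a)]
        if other:
            stmt["Action"] = other          # keep the scoped statement for Start/Stop
            statements.append(stmt)
        statements.append({
            "Sid": stmt.get("Sid", "") + "DescribeAll",
            "Effect": "Allow",
            "Action": describe,
            "Resource": "*",
        })
    fixed["Statement"] = statements
    return fixed


if __name__ == "__main__":
    policy = json.loads(POLICY_JSON)
    for sid, action in find_misscoped_describe(policy):
        print(f'{sid}: {action} is scoped to ARNs/tags but Describe* needs Resource "*"')
    print(json.dumps(split_describe_statements(policy), indent=4))
```

Run as-is it flags all fourteen Describe* entries in the question's statement and prints a two-statement policy: the original statement reduced to StartInstances/StopInstances (ARNs and tag condition intact) plus a new "VisualEditor0DescribeAll" statement on Resource "*". The second statement is what lets the console list instances at all; the tag condition on the first still limits which instances the user can start or stop.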