I am using the "aws ec2 run-instances" command (from the awscli package) to launch an instance in AWS EC2. I want to set an IAM role on the instance I am launching. The IAM role is configured and I can use it successfully when launching an instance from the AWS web UI. But when I try to do this using that command, and the "--iam-instance-profile" option, it failed. Doing "aws ec2 run-instances help" shows Arn= and Name= subfields for the value. When I try to look up the Arn using "aws iam list-instance-profiles" it gives this error message:
A client error (AccessDenied) occurred: User:
arn:aws:sts::xxxxxxxxxxxx:assumed-role/shell/i-15c2766d is not
authorized to perform: iam:ListInstanceProfiles on resource:
arn:aws:iam::xxxxxxxxxxxx:instance-profile/
(where xxxxxxxxxxxx is my AWS 12-digit account number)
I looked up the Arn string via the web UI and used that via "--iam-instance-profile Arn=arn:aws:iam::xxxxxxxxxxxx:instance-profile/shell" on the run-instances command, and that failed with:
A client error (UnauthorizedOperation) occurred: You are not
authorized to perform this operation.
If I leave off the "--iam-instance-profile" option entirely, the instance will launch but it will not have the IAM role setting I need. So the permission seems to have something to do with using "--iam-instance-profile" or accessing IAM data. I repeated several times in case of AWS glitches (they happen sometimes) and no success.
I suspected that perhaps there is a restriction that an instance with an IAM role is not allowed to launch an instance with a more powerful IAM role. But in this case, the instance I am doing the command in has the same IAM role that I am trying to use. named "shell" (though I also tried using another one, no luck).
Is setting an IAM role not even permitted from an instance (via its
IAM role credentials)?
Is there some higher IAM role permission needed to use IAM roles,
than is needed for just launching a plain instance?
Is "--iam-instance-profile" the appropriate way to specify an IAM
role?
Do I need to use a subset of the Arn string, or format it in some other way?
Is it possible to set up an IAM role that can do any IAM role
accesses (maybe a "Super Root IAM" ... making up this name)?
FYI, everything involves Linux running on the instances. Also, I am running all this from an instance because I could not get these tools installed on my desktop. That and I do not want to put my IAM user credentials on any AWS storage as advised by AWS here.
after answered:
I did not mention the launching instance permission of "PowerUserAccess" (vs. "AdministratorAccess") because I did not realize additional access was needed at the time the question was asked. I assumed that the IAM role was "information" attached to the launch. But it really is more than that. It is a granting of permission.
