I am trying to give a test user limited permission on an EC2 instance to perform server start and stop activity. Unfortunately I am getting this message on the testuser
dashboard:
Error:
You are not authorized to perform this operation. User: arn:aws:iam::XXXXXXXXXXXX:user/testuser is not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action
Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances"
],
"Resource": [
"arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX",
"arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX",
"Condition": {
"StringEquals": {
"ec2:InstanceId": [
"i-XXXXXXXXXXXXXXXXX"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX",
"Condition": {
"StringEquals": {
"ec2:InstanceId": [
"i-XXXXXXXXXXXXXXXXX"
]
}
}
}
]
}
Please help me.
2 Answers
When accessing the Amazon EC2 management console, users will be presented with a list of EC2 instances in that region.
To display this information, the management console makes a DescribeInstances call to AWS on behalf of the user to retrieve a list of ALL instances. However, looking at your policy, the testuser does not have permission to list ALL instances. Therefore, the management console gives an error message.
You have three choices:
Option 1: Allow the testuser to call DescribeInstances on ALL instances, not just the two you have listed in your policy.
Option 2: Ignore the error. Instead, give the user URLs that will take them directly to the desired instance in the console without going via the 'Instances' screen in the console. You can do this by having somebody with the necessary permission go to the instance, then just copy the URL and provide it to your testing person. They can then use that URL to go directly to the instance to start/stop the instance.
Option 3: Don't use the console. Instead, have your testing person use the AWS CLI:
To start an instance:
To stop an instance:
I tested a smaller version of your policy:
I could not access the console page for the instance. It said:
not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action
However, I could use the AWS CLI to stop and start the instances. This would be the easiest method to let your Test users control the instance, without needing to access the EC2 management console.
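The underlying reason for the error, as an added note that is not part of the question or of the answer above: ec2:DescribeInstances, like every EC2 Describe* action, does not support resource-level permissions. The first statement in the question's policy lists two instance ARNs as its Resource, so it grants nothing, and IAM reports "no identity-based policy allows the ec2:DescribeInstances action". That statement has to use "Resource": "*". The StartInstances/StopInstances statements, by contrast, can be scoped to an instance ARN, and the ARN alone is enough to restrict them to that instance. The Python below is example code written for this page (not the poster's policy or the answerer's test): a small lint that flags EC2 Describe* grants attached to a specific ARN, rewrites them onto "*" while leaving the Start/Stop scoping intact, and produces the two AWS CLI commands from Option 3. The account id, region and instance ids are constructed placeholders.

```python
"""Lint and fix an IAM policy whose EC2 Describe* grants are scoped to an ARN.

EC2 Describe* actions do not support resource-level permissions: a statement
that allows them must use "Resource": "*". Scoped to an instance ARN, the
grant is ineffective and the caller gets the AccessDenied from the question.
Example code for this page; not code from the question or the answer.
"""
import copy
import fnmatch
import json

# Constructed stand-in for the question's policy (placeholder account, region
# and instance ids). Start/Stop are scoped by the instance ARN alone.
ACCOUNT = "123456789012"
REGION = "us-east-1"
INSTANCES = ["i-0123456789abcdef0", "i-0fedcba9876543210"]


def _instance_arn(instance_id):
    return f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/{instance_id}"


ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Bug: Describe* cannot be scoped to ARNs, so this grants nothing.
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances"],
            "Resource": [_instance_arn(i) for i in INSTANCES],
        },
        *[
            {
                "Effect": "Allow",
                "Action": ["ec2:StartInstances", "ec2:StopInstances"],
                "Resource": _instance_arn(i),
            }
            for i in INSTANCES
        ],
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_describe(action):
    return fnmatch.fnmatch(action.lower(), "ec2:describe*")


def find_ineffective_describe_grants(policy):
    """Return (statement_index, action, resource) for every Allow statement
    that attaches an ec2:Describe* action to anything other than "*"."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not _is_describe(action):
                continue
            for resource in _as_list(stmt.get("Resource", [])):
                if resource != "*":
                    findings.append((idx, action, resource))
    return findings


def fix_describe_grants(policy):
    """Return a copy in which all ec2:Describe* actions are moved into one
    statement with Resource "*"; other actions keep their original scope."""
    fixed = copy.deepcopy(policy)
    describe_actions = set()
    statements = []
    for stmt in fixed["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions = _as_list(stmt.get("Action", []))
            describe_actions.update(a for a in actions if _is_describe(a))
            stmt["Action"] = [a for a in actions if not _is_describe(a)]
            if not stmt["Action"]:
                continue  # the statement only carried Describe*; drop it
        statements.append(stmt)
    if describe_actions:
        statements.insert(0, {
            "Sid": "DescribeRequiresStar",
            "Effect": "Allow",
            "Action": sorted(describe_actions),
            "Resource": "*",
        })
    fixed["Statement"] = statements
    return fixed


def cli_commands(instance_id, region=REGION):
    """The AWS CLI calls from Option 3. --dry-run asks EC2 to evaluate the
    caller's permissions without actually starting or stopping anything."""
    base = f"aws ec2 {{}} --region {region} --instance-ids {instance_id}"
    return {
        "start": base.format("start-instances"),
        "stop": base.format("stop-instances"),
        "check": base.format("start-instances") + " --dry-run",
    }


if __name__ == "__main__":
    for idx, action, resource in find_ineffective_describe_grants(ORIGINAL_POLICY):
        print(f"statement {idx}: {action} scoped to {resource} grants nothing")
    print(json.dumps(fix_describe_grants(ORIGINAL_POLICY), indent=2))
    print(cli_commands(INSTANCES[0])["check"])
```

Run the fixed policy's JSON through the IAM console or `aws iam create-policy` as usual. For the test user, the `--dry-run` command is the quickest permission check: EC2 answers with a DryRunOperation error when the caller is allowed to start the instance and with UnauthorizedOperation when it is not, so nothing changes state either way.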