
I am trying to give a test user limited permissions on an EC2 instance to perform server start and stop activity. Unfortunately I am getting this message on the testuser dashboard:

Error:

    You are not authorized to perform this operation. User: arn:aws:iam::XXXXXXXXXXXX:user/testuser is not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action

policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances"
            ],
            "Resource": [
                "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX",
                "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceId": [
                        "i-XXXXXXXXXXXXXXXXX"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:XXXXXXXXXXXX:instance/i-XXXXXXXXXXXXXXXXX",
            "Condition": {
                "StringEquals": {
                    "ec2:InstanceId": [
                        "i-XXXXXXXXXXXXXXXXX"
                    ]
                }
            }
        }
    ]
} 

Please help me.

2 Answers


  1. When accessing the Amazon EC2 management console, users will be presented with a list of EC2 instances in that region.

    To display this information, the management console makes a DescribeInstances call to AWS on behalf of the user to retrieve a list of ALL instances. However, looking at your policy, the testuser does not have permission to list ALL instances. Therefore, the management console gives an error message.

    You have three choices:

    Option 1: Allow the testuser to call DescribeInstances on ALL instances, not just the two you have listed in your policy.

    Option 2: Ignore the error. Instead, give the user URLs that will take them directly to the desired instance in the console without going via the ‘Instances’ screen in the console. You can do this by having somebody with the necessary permission go to the instance, then just copy the URL and provide it to your testing person. They can then use that URL to go directly to the instance to start/stop the instance.

    Option 3: Don’t use the console. Instead, have your testing person use the AWS CLI:

    To start an instance:

    aws ec2 start-instances --instance-ids i-1234567890abcdef0
    

    To stop an instance:

    aws ec2 stop-instances --instance-ids i-1234567890abcdef0
    
  2. I tested a smaller version of your policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances"
                ],
                "Resource": [
                    "arn:aws:ec2:ap-southeast-2:111111111111:instance/i-0829407d881f5e4df"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances"
                ],
                "Resource": "arn:aws:ec2:ap-southeast-2:111111111111:instance/i-0829407d881f5e4df"
            }
        ]
    }
    

    I could not access the console page for the instance. It said not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action.

    However, I could use the AWS CLI to stop and start the instances. This would be the easiest method to let your Test users control the instance, without needing to access the EC2 management console.

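As an added example (not code from the question or from either answer), a small Python check that makes the point of both answers mechanical: it flags Allow statements that grant ec2:DescribeInstances on anything narrower than "*" (that action does not support resource-level permissions, so such a grant never matches, which is why both the question's policy and the second answer's smaller one fail in the console) and builds the Option 1 policy from the first answer, which allows listing all instances while keeping start/stop scoped to the named ARNs. The instance ARNs and the NEEDS_WILDCARD set are constructed placeholders, not values from the page.

```python
# Constructed example: checks an IAM policy the way the answers reason about it.
START_STOP = {"ec2:StartInstances", "ec2:StopInstances"}
# Assumption: illustrative set of EC2 actions that ignore resource-level
# permissions; a grant on anything narrower than "*" never matches them.
NEEDS_WILDCARD = {"ec2:DescribeInstances"}

# Constructed placeholder ARNs (account and instance ids are not real).
INSTANCE_ARNS = [
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0aaaaaaaaaaaaaaaa",
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0bbbbbbbbbbbbbbbb",
]

def _as_list(value):
    # IAM accepts a string or a list for Action and Resource; normalise to list.
    return value if isinstance(value, list) else [value]

def ineffective_grants(policy):
    """Allow statements granting a NEEDS_WILDCARD action on a non-* resource."""
    found = []
    for stmt in policy["Statement"]:
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow" or "*" in resources:
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in NEEDS_WILDCARD:
                found.append((action, resources))
    return found

def start_stop_scoped_to(policy, allowed_arns):
    """True when every Start/Stop grant names only the listed instance ARNs."""
    for stmt in policy["Statement"]:
        if set(_as_list(stmt.get("Action", []))) & START_STOP:
            if not set(_as_list(stmt.get("Resource", []))) <= set(allowed_arns):
                return False
    return True

# Shape of the question's policy: DescribeInstances scoped to instance ARNs.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": INSTANCE_ARNS},
    {"Effect": "Allow", "Action": sorted(START_STOP), "Resource": INSTANCE_ARNS},
]}

def fixed_policy(instance_arns):
    """Option 1 from the first answer: list everything, start/stop only these."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListInstancesForConsole", "Effect": "Allow",
         "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Sid": "StartStopListedOnly", "Effect": "Allow",
         "Action": sorted(START_STOP), "Resource": instance_arns},
    ]}
```

Running `ineffective_grants(BROKEN_POLICY)` returns the DescribeInstances grant as the one that can never match, while `fixed_policy(INSTANCE_ARNS)` passes both checks.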