AWS EC2 instance create via Ansible IAM Roles instance_profile_name UnauthorizedOperation: Error


Faisal Ali Rabbani

Jun 25, 2014, 2:42:25 AM
to ansible...@googlegroups.com

I am trying to create an EC2 instance via Ansible using IAM roles, but while launching the new instance I get this error:

failed: [localhost] => (item= IAMRole-1) => {"failed": true, "item": " IAMRole-1"}
msg: Instance creation failed => UnauthorizedOperation: You are not authorized to perform
this operation. Encoded authorization failure message: Ckcjt2GD81D5dlF6XakTSDypnwrgeQb0k
ouRMKh3Ol1jue553EZ7OXPt6fk1Q1-4HM-tLNPCkiX7ZgJWXYGSjHg2xP1A9LR7KBiXYeCtFKEQIC
W9cot3KAKPVcNXkHLrhREMfiT5KYEtrsA2A-xFCdvqwM2hNTNf7Y6VGe0Z48EDIyO5p5DxdNFsaSChUcb
iRUhSyRXIGWr_ZKkGM9GoyoVWCBk3Ni2Td7zkZ1EfAIeRJobiOnYXKE6Q

whereas the IAM role has full EC2 access, with the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:*",
      "Resource": "*"
    }
  ]
}

Any suggestions please.

Michael Peters

Jun 25, 2014, 9:28:17 AM
to ansible...@googlegroups.com
Are you showing the credentials of the role you are using to create
the EC2 instance or those of the role the new EC2 instance will be?

Faisal Ali Rabbani

Jun 26, 2014, 1:21:36 AM
to ansible...@googlegroups.com
Obviously I have not shared credentials; this is the policy of the role, which has full access to EC2.





--

Regards,
Faisal Ali Rabbani




Michael Peters

Jun 26, 2014, 9:10:26 AM
to ansible...@googlegroups.com
On Thu, Jun 26, 2014 at 1:21 AM, Faisal Ali Rabbani
<rab...@zoniversal.com> wrote:
> Obviously I have not shared credentials this is the policy of role, which
> has full access of ec2.

Sorry, I wasn't clear. Are you showing the policy rules of the role
being created or the one doing the creation? It's the permissions of
the one doing the creation (not the one being attached to the new EC2
instance) that matter.

Faisal Ali Rabbani

Jun 26, 2014, 11:34:04 AM
to ansible...@googlegroups.com
Thanks Michael for the response.
It is the policy doing the creation.



Paweł Guć

Dec 18, 2015, 12:44:25 PM
to Ansible Project
Hi!

> I am trying to create EC2 instance via ansible using IAM roles but I while launching new instance I get error


Did you figure it out? 

Baraa Basata

Dec 20, 2015, 1:24:32 AM
to Ansible Project
Faisal,

Just to confirm that the IAM Instance Profile itself is set up correctly, are you able to successfully launch an EC2 instance with this IAM Role outside of Ansible, such as using the AWS Console?

-Baraa
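
An added example, not part of any post in this thread: an offline check of the policy from the first post against the two permissions a launch with `instance_profile_name` needs from the identity doing the creation, `ec2:RunInstances` and `iam:PassRole` on the role being attached. The thread does not confirm that this was the cause here; the account ID in the ARN is a constructed placeholder, the role name is assumed from the `item` in the error output, and the evaluator models only Allow/Deny with `Action` and `Resource`.

```python
import copy
import re

# Policy from the first post: what the identity running the play may do.
LAUNCHER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "autoscaling:*", "Resource": "*"},
    ],
}
# Constructed ARN: placeholder account ID; role name assumed from the error's item.
ROLE_ARN = "arn:aws:iam::123456789012:role/IAMRole-1"
# Permissions assumed necessary when launching with an instance profile.
NEEDED = [("ec2:RunInstances", "*"), ("iam:PassRole", ROLE_ARN)]

def _any_match(patterns, value, flags=0):
    """IAM-style match: '*' is any run of characters, '?' is exactly one."""
    for p in patterns if isinstance(patterns, list) else [patterns]:
        regex = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, flags | re.DOTALL):
            return True
    return False

def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise at least one Allow must match."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.keys() & {"Condition", "NotAction", "NotResource"}:
            raise NotImplementedError("policy element not modelled here")
        hit = (_any_match(stmt["Action"], action, re.IGNORECASE)  # actions ignore case
               and _any_match(stmt["Resource"], resource))        # ARNs do not
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed

def missing_permissions(policy, needed=NEEDED):
    return [(a, r) for a, r in needed if not is_allowed(policy, a, r)]

def with_pass_role(policy, role_arn=ROLE_ARN):
    # Copy of the policy that also allows passing this one role, not iam:* on "*".
    fixed = copy.deepcopy(policy)
    fixed["Statement"].append(
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn})
    return fixed
```

The encoded authorization failure message in the error can be decoded with `aws sts decode-authorization-message --encoded-message <value>` by an identity allowed `sts:DecodeAuthorizationMessage`; the decoded JSON names the action that was denied.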