
iam_instance_profile behavior when creating aws_instance #1976

Closed
hashibot opened this issue Oct 20, 2017 · 4 comments · Fixed by #2207
Labels
bug Addresses a defect in current functionality.

Comments

@hashibot

This issue was originally opened by @schmidlop as hashicorp/terraform#16374. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.10.7

Terraform Configuration Files

resource "aws_instance" "just-docker" {
  ami                  = "${data.aws_ami.just-docker-ami.id}"
  instance_type        = "t2.micro"
  key_name             = "aws_terraform_deployment_key"
  iam_instance_profile = "S3DockerImageAccess"
  tags = {
    Name = "just-docker"
  }
}

Expected Behavior

I was expecting the IAM role corresponding to the iam_instance_profile to be assigned to the instance.

Actual Behavior

terraform apply failed with message:
Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message:...

Steps to Reproduce

  1. terraform init
  2. terraform apply

Important Factoids

My credentials are in ~/.aws/credentials
The IAM Role does not have permissions to create EC2 instances.
The IAM role grants permissions to read and write a specific S3 bucket to be used as storage for a docker registry.
Seems the role is being used to create the instance, rather than my AWS credentials. If I remove the iam_instance_profile attribute, everything is fine except the resulting EC2 instance is not assigned an IAM Role.

Seems like there should be a way to assign an IAM Role to an instance that doesn't have full permissions to EC2...

@hashibot hashibot added the bug Addresses a defect in current functionality. label Oct 20, 2017
@bflad
Contributor

bflad commented Oct 20, 2017

The instance profile you pass to the aws_instance does not have to do with creating and running the instance itself. It is permissions granted to the running instance to access other resources.

Shots in the dark here:

  • Does your IAM user have iam:PassRole permissions to the S3DockerImageAccess IAM role?
  • Does the S3DockerImageAccess IAM role assume role policy (trusted relationships in the UI) allow ec2.amazonaws.com?

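The two checks above (iam:PassRole for the deploying identity, and a trust policy on the role that allows ec2.amazonaws.com) expressed as a complete Terraform layout. This is an added example, not code from the issue or from the AWS provider: it uses Terraform 0.12+ expression syntax rather than the 0.10 `"${...}"` style shown in the issue, the bucket name `example-docker-registry-bucket` and the IAM user name `terraform-deployer` are assumptions, and the `aws_ami` data source `just-docker-ami` is assumed to be defined elsewhere, as in the original configuration. Only `S3DockerImageAccess` comes from the issue.

```hcl
# Added example (not from the issue). Names other than S3DockerImageAccess are assumptions.

# Check 2: trust policy. EC2 must be allowed to assume the role, otherwise
# RunInstances is rejected even though the deployer's own credentials are fine.
data "aws_iam_policy_document" "ec2_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "s3_docker_image_access" {
  name               = "S3DockerImageAccess"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume_role.json
}

# Permissions the *running instance* gets: read/write one bucket used as
# docker registry storage. Nothing here grants EC2 permissions, and it does
# not need to; the role is never used to launch the instance.
data "aws_iam_policy_document" "registry_bucket" {
  statement {
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-docker-registry-bucket"] # assumed bucket name
  }
  statement {
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::example-docker-registry-bucket/*"]
  }
}

resource "aws_iam_role_policy" "registry_bucket" {
  name   = "registry-bucket-access"
  role   = aws_iam_role.s3_docker_image_access.id
  policy = data.aws_iam_policy_document.registry_bucket.json
}

# The instance profile is the wrapper EC2 actually attaches; aws_instance
# references it by name.
resource "aws_iam_instance_profile" "s3_docker_image_access" {
  name = "S3DockerImageAccess"
  role = aws_iam_role.s3_docker_image_access.name
}

# Check 1: the identity running `terraform apply` (assumed here to be the IAM
# user "terraform-deployer") needs iam:PassRole on exactly this role, on top of
# its ec2:RunInstances permission. Without it, the launch fails with
# UnauthorizedOperation.
data "aws_iam_policy_document" "deployer_pass_role" {
  statement {
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.s3_docker_image_access.arn]
    # Restrict PassRole to EC2 so the deployer cannot pass this role to other services.
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_user_policy" "deployer_pass_role" {
  name   = "pass-S3DockerImageAccess-to-ec2"
  user   = "terraform-deployer" # assumed deployer user
  policy = data.aws_iam_policy_document.deployer_pass_role.json
}

resource "aws_instance" "just_docker" {
  ami                  = data.aws_ami.just-docker-ami.id # assumed to be defined elsewhere
  instance_type        = "t2.micro"
  key_name             = "aws_terraform_deployment_key"
  iam_instance_profile = aws_iam_instance_profile.s3_docker_image_access.name
  tags = {
    Name = "just-docker"
  }
}
```

Scoping `iam:PassRole` to the single role ARN and to `iam:PassedToService = ec2.amazonaws.com` keeps the deployer from attaching arbitrary roles to instances, which is the privilege-escalation path an unscoped PassRole opens. When a launch still fails with the encoded authorization failure message shown in the issue, `aws sts decode-authorization-message --encoded-message <message>` (run by an identity with `sts:DecodeAuthorizationMessage`) reveals which of the two checks was the one that failed.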
@bflad
Contributor

bflad commented Nov 7, 2017

I created #2207 to update the aws_instance resource iam_instance_profile documentation.

@ghost

ghost commented Apr 10, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 10, 2020