I'm unable to create instances with an IAM role specified. I created a role associated with the strategy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:AttachVolume",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DetachVolume",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Rancher error:
Error creating machine: Error in driver during machine creation: Error launching instance: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: _qV3F3BWuZVYnL3nBDrrG5avBLwtc7r3E01qx94mGGSAeqjBaEQswqIFhfmLXWvzfvFqIqmJBYGYXFCIsdUYIDBJhpvDhMv5mCyiltdIYcYL2aQbIQf5PAAOXjIhuQRY9-9VgeRv3smosekOmss9qzA0pbDnNtznaBFQnmXgqJtKfdC4SqRH1hKnQIDlXuqMPVyvGtwWxv3OyXl3HJ84DGwV2v2X3TyTyoxDZ1rN7h-kV67Z3EHeP2tNNckpvWYEIrT5sOg3NSysh0rnuZJr4RQ3IQAQdWajZOxE4Uwx5jEicKJZU2CH0xxQ_7uMu-X6e1ZuVEgEGAs4sLhU5hDMcm_8i0q0AOB6CZRL-F-Dhk_wfdy8yCDCDCwTEVEVBvhoKB_vmm8U5PaV6oN3guXYQufBQx3rnHBQ_pnaBcUoDt9fwdaBftytAF58mXAT2smJSJoqXhY9hnGWfnIsyyTizijD7Qx-yRvgU8ssSgSyoTwhE_UCb8DOPCJTHZx1apZ6Mg
My role seems to be good, so I don't understand. Thank you.
The Access Key you are using is not allowed to pass IAM roles to machines. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
Thank you, do you have an example for me? I just tried to add the PassRole permission to my role, but no success.
{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::XXX:role/your_role_name"
}
I am facing the same issue, even though I have the policies and roles in place on a brand new installation.
"UnauthorizedOperation: You are not authorized to perform this operation." when adding a node template.
From:
https://rancher.com/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/#example-iam-policy
Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:Describe*",
        "ec2:ImportKeyPair",
        "ec2:CreateKeyPair",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DeleteKeyPair"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:ap-southeast-2::image/ami-*",
        "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:instance/*",
        "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:placement-group/*",
        "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:volume/*",
        "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:key-pair/*",
        "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:network-interface/*",
        "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:security-group/*",
        "arn:aws:iam::AWS_ACCOUNT_ID:role/RancherEC2Role"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:instance/*"
    }
  ]
}
Tried adding "iam:GetRole" to the policy in the example as well, no luck.
Any feedback is welcome.
Thanks!
What was the fix for this. I am launching Rancher 2.5. I have verified my IAM policy. It has the PassRole and all the other settings required. But I am getting the same error indicated above.
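To check offline why a policy like the ones posted in this thread still produces UnauthorizedOperation, here is an added example (my own code, not Rancher's or AWS's) that statically evaluates an identity policy for the two permissions the EC2 node driver needs: iam:PassRole on the exact role ARN and ec2:RunInstances. The account id and role ARN are placeholders, and the evaluator is a simplified model of IAM (no Condition, NotAction/NotResource, SCPs or permission boundaries), so it is a linter rather than the real engine.

```python
import fnmatch
import json

# Constructed sample: the first policy posted in this thread, with the "*"
# wildcards restored (the forum formatting had swallowed them).
ORIGINAL_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
  {"Effect": "Allow", "Action": "ec2:AttachVolume", "Resource": "*"},
  {"Effect": "Allow", "Action": "ec2:DetachVolume", "Resource": "*"},
  {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
  {"Effect": "Allow", "Action": ["elasticloadbalancing:*"], "Resource": ["*"]}
]}""")

# Placeholder account id, role and region (assumptions, not from the thread).
ROLE_ARN = "arn:aws:iam::123456789012:role/RancherEC2Role"
INSTANCE_ARN = "arn:aws:ec2:ap-southeast-2:123456789012:instance/*"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # IAM action names match case-insensitively; resource ARNs do not.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def policy_decision(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise
    a matching Allow grants, otherwise the request is implicitly denied."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt.get("Action", [])), action, True):
            continue
        if not _matches(_as_list(stmt.get("Resource", [])), resource, False):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision


def missing_for_rancher(policy, role_arn=ROLE_ARN):
    """Actions the Rancher EC2 node driver needs that this policy does not
    allow against the role and instance the driver will use."""
    needed = {"ec2:RunInstances": INSTANCE_ARN, "iam:PassRole": role_arn}
    return [a for a, r in needed.items() if policy_decision(policy, a, r) != "allow"]
```

For a real failure, `aws sts decode-authorization-message --encoded-message <blob>` returns the exact denied action, resource and principal from the encoded message in the error (the caller needs sts:DecodeAuthorizationMessage).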