Unable to create instances with IAM role specified

I'm unable to create instances with an IAM role specified. I created a role and associated it with the policy below:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:Describe*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ec2:AttachVolume",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ec2:DetachVolume",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:*"
          ],
          "Resource": [
            "*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:*"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

Rancher error:
Error creating machine: Error in driver during machine creation: Error launching instance: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: _qV3F3BWuZVYnL3nBDrrG5avBLwtc7r3E01qx94mGGSAeqjBaEQswqIFhfmLXWvzfvFqIqmJBYGYXFCIsdUYIDBJhpvDhMv5mCyiltdIYcYL2aQbIQf5PAAOXjIhuQRY9-9VgeRv3smosekOmss9qzA0pbDnNtznaBFQnmXgqJtKfdC4SqRH1hKnQIDlXuqMPVyvGtwWxv3OyXl3HJ84DGwV2v2X3TyTyoxDZ1rN7h-kV67Z3EHeP2tNNckpvWYEIrT5sOg3NSysh0rnuZJr4RQ3IQAQdWajZOxE4Uwx5jEicKJZU2CH0xxQ_7uMu-X6e1ZuVEgEGAs4sLhU5hDMcm_8i0q0AOB6CZRL-F-Dhk_wfdy8yCDCDCwTEVEVBvhoKB_vmm8U5PaV6oN3guXYQufBQx3rnHBQ_pnaBcUoDt9fwdaBftytAF58mXAT2smJSJoqXhY9hnGWfnIsyyTizijD7Qx-yRvgU8ssSgSyoTwhE_UCb8DOPCJTHZx1apZ6Mg

My role seems to be good, so I don't understand. Thank you.


The Access Key you are using is not allowed to pass IAM roles to machines. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
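The PassRole requirement above, as an added offline check that is not code from this thread, from Rancher or from AWS: a small evaluator that walks a policy document's Allow/Deny statements with IAM-style wildcards and reports which of the actions needed to launch a node with an instance role the policy does not grant. The account ID, role name and instance ARN are constructed placeholders; the two policy documents are constructed to mirror the EC2-only policy of the first post and the same policy with a scoped PassRole statement added.

```python
import re

# Simplified IAM evaluator: Effect/Action/Resource with '*' and '?' wildcards.
# NotAction, NotResource, Condition and Principal are not modelled.
# Action names compare case-insensitively, resource ARNs exactly, Deny wins.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case):
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def allows(policy, action, resource):
    """True if the policy document (a dict) permits `action` on `resource`."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(_matches(a, action, True) for a in actions):
            continue
        if not any(_matches(r, resource, False) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False        # an explicit Deny overrides any Allow
        allowed = True
    return allowed

def diagnose(policy, role_arn, instance_arn):
    """Return the actions needed to launch an instance with role_arn that the
    policy does not grant (an empty list means the launch should be authorized)."""
    needed = [("ec2:RunInstances", instance_arn), ("iam:PassRole", role_arn)]
    return [action for action, res in needed if not allows(policy, action, res)]

# Constructed placeholders, not real identifiers.
ACCOUNT = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/RancherEC2Role"
INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0abc12345"

# Constructed: an EC2-only policy like the first post's, which never mentions iam:PassRole.
EC2_ONLY = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# Constructed: the same policy plus PassRole scoped to the single role the node will use.
WITH_PASSROLE = {"Version": "2012-10-17",
                 "Statement": EC2_ONLY["Statement"] + [
                     {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN}]}
```

Running `diagnose(EC2_ONLY, ROLE_ARN, INSTANCE_ARN)` reports only `iam:PassRole` missing, which is exactly the gap behind the UnauthorizedOperation error, while the policy with the scoped PassRole statement reports nothing missing and still refuses to pass any other role.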

Thank you, do you have an example for me? I just tried to add the PassRole permission to my role, but no success. :frowning:

    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"arn:aws:iam::XXX:role/your_role_name"
    }

I am facing the same issue, even though I have the policies and roles in place on a brand new installation.

"UnauthorizedOperation: You are not authorized to perform this operation." when adding a node template.

From:

https://rancher.com/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/#example-iam-policy

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:Describe*",
                "ec2:ImportKeyPair",
                "ec2:CreateKeyPair",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteKeyPair"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:ap-southeast-2::image/ami-*",
                "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:instance/*",
                "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:placement-group/*",
                "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:volume/*",
                "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:subnet/*",
                "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:key-pair/*",
                "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:network-interface/*",
                "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:security-group/*",
                "arn:aws:iam::AWS_ACCOUNT_ID:role/RancherEC2Role"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:TerminateInstances",
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:ap-southeast-2:AWS_ACCOUNT_ID:instance/*"
        }
    ]
}

Tried adding "iam:GetRole" to the policy in the example as well, no luck.

Any feedback is welcome.

Thanks!

What was the fix for this? I am launching Rancher 2.5. I have verified my IAM policy; it has PassRole and all the other settings required, but I am getting the same error indicated above.