How do I resolve the "Did not have IAM permissions to process tags on AWS::EC2::Instance resource" error when I create an AWS::EC2::Instance resource in CloudFormation?

Last updated: 2021-04-21

I receive the "Did not have IAM permissions to process tags on AWS::EC2::Instance resource" error when I try to create an AWS::EC2::Instance resource in AWS CloudFormation.

Short description

You receive this error when you create an AWS::EC2::Instance resource and the following is true:

  • You specify a value for the Tags property in your CloudFormation template.
  • The AWS Identity and Access Management (IAM) user, IAM role, or CloudFormation service role doesn't have the required ec2:CreateTags permissions.

When this error occurs, the custom tags specified using the Tags property aren't applied to the EC2 instance even though the resource is marked CREATE_COMPLETE.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Resolution

1.    Confirm that the IAM user, IAM role, or CloudFormation service role that creates the CloudFormation stack has permissions to perform ec2:CreateTags and ec2:DeleteTags on your affected EC2 instances.
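The following script is an added example (it is not part of this article and not AWS code) of the check in step 1: it evaluates an IAM policy document offline to see whether ec2:CreateTags and ec2:DeleteTags are allowed on an instance ARN. Both policy documents, the account ID and the instance ID are constructed samples. Only Effect, Action/NotAction and Resource/NotResource are evaluated; Condition blocks are ignored, so for a real role confirm the result with aws iam simulate-principal-policy.

```python
"""Offline check of an IAM policy for the EC2 tagging actions that
CloudFormation needs when the Tags property of AWS::EC2::Instance is set.
Added example, not AWS code. Condition blocks are not evaluated."""
import fnmatch

# Constructed sample: a CloudFormation service role that can launch
# instances but was never granted tagging rights. This shape produces the
# "Did not have IAM permissions to process tags" message.
ROLE_WITHOUT_TAGGING = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:DescribeInstances",
                    "ec2:TerminateInstances"],
         "Resource": "*"}
    ],
}

# Constructed sample: the same role plus a least-privilege tagging statement.
# The tag actions are scoped to instance and volume ARNs rather than "*".
ROLE_WITH_TAGGING = {
    "Version": "2012-10-17",
    "Statement": ROLE_WITHOUT_TAGGING["Statement"] + [
        {"Effect": "Allow",
         "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
         "Resource": ["arn:aws:ec2:*:*:instance/*",
                      "arn:aws:ec2:*:*:volume/*"]}
    ],
}

REQUIRED_TAG_ACTIONS = ("ec2:CreateTags", "ec2:DeleteTags")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_action(patterns, action):
    # IAM matches action names case-insensitively with "*" and "?" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))


def _matches_resource(patterns, resource):
    # Resource ARNs are matched case-sensitively. IAM only supports "*" and
    # "?"; ARNs contain no "[" so fnmatch's character classes never trigger.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Evaluate one action/resource pair: an explicit Deny always wins,
    otherwise any matching Allow grants access, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            action_hit = _matches_action(stmt["Action"], action)
        else:  # NotAction: the statement covers everything except the list
            action_hit = not _matches_action(stmt["NotAction"], action)
        if not action_hit:
            continue
        if "Resource" in stmt:
            resource_hit = _matches_resource(stmt["Resource"], resource)
        else:
            resource_hit = not _matches_resource(stmt["NotResource"], resource)
        if not resource_hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_tag_permissions(policy, instance_arn):
    """Return the tagging actions the policy does not allow on the ARN."""
    return [a for a in REQUIRED_TAG_ACTIONS
            if not is_allowed(policy, a, instance_arn)]


if __name__ == "__main__":
    # Constructed ARN; account and instance IDs are placeholders.
    arn = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    for name, doc in (("without tagging", ROLE_WITHOUT_TAGGING),
                      ("with tagging", ROLE_WITH_TAGGING)):
        print(f"{name}: missing {missing_tag_permissions(doc, arn)}")
```

The first policy reports both actions missing, the second reports none. Because the evaluator applies IAM's Deny-overrides-Allow rule, an explicit Deny on ec2:*Tags anywhere in the role's policies also shows up as missing, which is the other common cause of this error.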

2.    Use the CloudFormation console or AWS CLI to comment out the Tags property of the AWS::EC2::Instance resource in your affected CloudFormation template. Then, update your stack.

Using the CloudFormation console:

In your CloudFormation template, comment out the Tags property, and then update your stack. For example:

Resources:
  MyEC2Instance: 
    Type: AWS::EC2::Instance
    Properties: 
#      Tags: 
#      - Key: key1
#        Value: value1
#      - Key: key2
#        Value: value2

Using the AWS CLI:

Run the update-stack command:

aws cloudformation update-stack --region YOUR_REGION --template-body file://YOUR_TEMPLATE_FILE_TAGS_COMMENTED --stack-name YOUR_STACK_NAME

Note: Replace YOUR_REGION, YOUR_TEMPLATE_FILE_TAGS_COMMENTED, and YOUR_STACK_NAME with your values.

3.    Use the CloudFormation console or AWS CLI to uncomment the Tags property of the AWS::EC2::Instance resource in your affected CloudFormation template. Then, update your stack again.

Using the CloudFormation console:

In your CloudFormation template, remove the comments from the Tags property, and then update your stack. For example:

Resources:
  MyEC2Instance: 
    Type: AWS::EC2::Instance
    Properties: 
      Tags: 
      - Key: key1
        Value: value1
      - Key: key2
        Value: value2

Using the AWS CLI:

Run the update-stack command:

aws cloudformation update-stack --region YOUR_REGION --template-body file://YOUR_TEMPLATE_FILE_TAGS_UNCOMMENTED --stack-name YOUR_STACK_NAME

Note: Replace YOUR_REGION, YOUR_TEMPLATE_FILE_TAGS_UNCOMMENTED, and YOUR_STACK_NAME with your values.

4.    Use the EC2 console or AWS CLI to check if your tags are correctly applied to your Amazon Elastic Compute Cloud (Amazon EC2) instances.

Using the Amazon EC2 console:

1.    Open the Amazon EC2 console.

2.    From the Instances section of the navigation pane, choose Instances.

3.    Select the instance that was created through CloudFormation.

4.    Choose the Tags tab, and then check if the custom tags specified in your CloudFormation template are populated in the table.

Using the AWS CLI:

Run the describe-tags command:

aws ec2 describe-tags --filters "Name=resource-id,Values=YOUR_INSTANCE_ID"

Note: Replace YOUR_INSTANCE_ID with the instance ID of the EC2 instance from your stack.
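The following script is an added example (not part of this article and not AWS code) that automates the template edits in steps 2 and 3 and the check in step 4. It writes the commented-out and uncommented versions of the template that you pass to the two update-stack commands above, and it compares the output of the describe-tags command with the tags declared in the template. The template, the instance ID and the describe-tags output shown are constructed samples; the stack updates themselves are still run with the AWS CLI, so the script runs offline and needs no third-party packages. It assumes one AWS::EC2::Instance resource with a Tags property, as in this article.

```python
"""Comment out / uncomment the Tags property of an AWS::EC2::Instance
template and verify describe-tags output against it. Added example, not
AWS code. Stack updates are left to the AWS CLI (update-stack)."""
import json

# Constructed sample template; the AMI ID is a placeholder.
TEMPLATE = """\
Resources:
  MyEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-00000000000000000
      InstanceType: t3.micro
      Tags:
      - Key: key1
        Value: value1
      - Key: key2
        Value: value2
      Monitoring: true
"""

# Constructed sample of `aws ec2 describe-tags` output for the instance.
# CloudFormation adds the aws:cloudformation:* tags itself; key1/key2 are
# the custom tags from the template that this article is about.
DESCRIBE_TAGS_OUTPUT = json.dumps({"Tags": [
    {"Key": "aws:cloudformation:logical-id", "ResourceId": "i-0123456789abcdef0",
     "ResourceType": "instance", "Value": "MyEC2Instance"},
    {"Key": "key1", "ResourceId": "i-0123456789abcdef0",
     "ResourceType": "instance", "Value": "value1"},
    {"Key": "key2", "ResourceId": "i-0123456789abcdef0",
     "ResourceType": "instance", "Value": "value2"},
]})


def _prefix_len(line):
    # Indentation measured across a leading "#", so commented and
    # uncommented blocks compare consistently.
    return len(line) - len(line.lstrip("# "))


def _tags_block(lines):
    """Return (start, end) of the Tags line plus its list items."""
    for start, line in enumerate(lines):
        if line.lstrip("# ").rstrip() != "Tags:":
            continue
        base = _prefix_len(line)
        end = start + 1
        while end < len(lines) and lines[end].strip():
            depth = _prefix_len(lines[end])
            body = lines[end].lstrip("# ")
            # Deeper lines belong to the list; same-depth lines only if they
            # are list items ("- Key"). Anything else is the next property.
            if depth > base or (depth == base and body.startswith("- ")):
                end += 1
            else:
                break
        return start, end
    raise ValueError("template has no Tags property")


def comment_out_tags(template):
    """Step 2: prefix the Tags block with '#', as shown in the article."""
    lines = template.splitlines(keepends=True)
    start, end = _tags_block(lines)
    for i in range(start, end):
        if not lines[i].startswith("#"):
            lines[i] = "#" + lines[i]
    return "".join(lines)


def uncomment_tags(template):
    """Step 3: remove the '#' prefix from the Tags block again."""
    lines = template.splitlines(keepends=True)
    start, end = _tags_block(lines)
    for i in range(start, end):
        if lines[i].startswith("#"):
            lines[i] = lines[i][1:]
    return "".join(lines)


def template_tags(template):
    """Parse the Key/Value pairs declared under Tags into a dict."""
    lines = template.splitlines()
    start, end = _tags_block(lines)
    tags, key = {}, None
    for line in lines[start + 1:end]:
        name, _, value = line.lstrip("# ").lstrip("- ").partition(":")
        if name.strip() == "Key":
            key = value.strip()
        elif name.strip() == "Value" and key is not None:
            tags[key] = value.strip()
            key = None
    return tags


def verify_tags(describe_tags_output, expected):
    """Step 4: return the expected tags that are absent or differ on the
    instance according to describe-tags output (empty dict means OK)."""
    actual = {t["Key"]: t["Value"]
              for t in json.loads(describe_tags_output)["Tags"]
              if t["ResourceType"] == "instance"}
    return {k: v for k, v in expected.items() if actual.get(k) != v}


if __name__ == "__main__":
    commented = comment_out_tags(TEMPLATE)
    print(commented)                      # pass to the first update-stack
    restored = uncomment_tags(commented)  # pass to the second update-stack
    print("missing:", verify_tags(DESCRIBE_TAGS_OUTPUT, template_tags(restored)))
```

Write the two generated templates to files and pass them as YOUR_TEMPLATE_FILE_TAGS_COMMENTED and YOUR_TEMPLATE_FILE_TAGS_UNCOMMENTED to the update-stack commands above; after the second update completes, feed the JSON printed by describe-tags to verify_tags. A non-empty result means the custom tags still were not applied and the IAM permissions from step 1 should be rechecked.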

