How do I create Amazon EC2 instances through CloudFormation when the IAM policy for RunInstances has tag-based restrictions?

2 minute read

I want to create Amazon Elastic Compute Cloud (Amazon EC2) instances through AWS CloudFormation. But my AWS Identity and Access Management (IAM) policy for RunInstances has tag-based restrictions.

Short description

You can use a launch template to create Amazon EC2 instances through CloudFormation.

The Tags property of the AWS::EC2::Instance resource doesn't extend to the volumes that are created through CloudFormation. If the IAM policy that's associated with the user or role has restrictions on volume tags, then you receive the following error:

"You are not authorized to perform this operation."

To pass the tags through CloudFormation to ec2:CreateVolume, you must define your tags in the AWS::EC2::LaunchTemplate resource in your CloudFormation template.

Resolution

1. Define a launch template in the stack with the tags that the IAM policy requires. For example:

RequiredTagsLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateData:
        TagSpecifications:
          - ResourceType: volume
            Tags:
              - Key: Env
                 Value: Dev

2. Attach your launch template to your EC2 instance resource. For example:

Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      LaunchTemplate:
        LaunchTemplateId: !Ref RequiredTagsLaunchTemplate
        Version: 1
      InstanceType: r4.xlarge
      .
      .
  RequiredTagsLaunchTemplate:
    Type: 'AWS::EC2::LaunchTemplate'
    Properties:
      LaunchTemplateData:
        TagSpecifications:
          - ResourceType: volume
            Tags:
              - Key: Env
                Value: Dev

3. Confirm that your launch template has all the necessary tags.

Important: You must confirm that the role or user that creates the stack has the permissions to create and use a launch template without tagging restrictions. You can use the aws:CalledVia condition key to create a new statement that exempts CloudFormation API calls from tagging requirements.

Topics

Management & Governance

Relevant content

ImageId requried when launching instance via a Launch Template
rePost-User-7476678
asked a year ago
Create IAM Policy to restrict user
Abdul Malik
asked a month ago
Restricting access to EC2 instances using IAM Policy
Accepted Answer
FredericD
asked 2 years ago
How to find IAM access permissions needed to launch a Cloudformation template?
ConfidentialDev
asked 8 months ago
How to create the AWS iam policy for hide the ec2 instance based on tags
Accepted Answer
KARTHIK
asked 8 months ago
How do I set the properties of a root volume for an Amazon EC2 instance that I created using an AWS CloudFormation template?
AWS OFFICIALUpdated 2 years ago
How can I use IAM policy tags to restrict how an EC2 instance or EBS volume can be created?
AWS OFFICIALUpdated 2 years ago
How do I create an IAM policy to explicitly grant permissions to create and manage EC2 instances in a specified VPC that has tags?
AWS OFFICIALUpdated 10 days ago
Why can’t I launch an EC2 instance using a launch template?
AWS OFFICIALUpdated a year ago
CloudFormation Auto Scaling Group sample template for mixed X86 (Intel, AMD) and AWS Graviton instances
EXPERT
MichaelFischer
published 7 months ago