AWS SSM: Automation Roles & IamInstanceProfileName

I’ve been neck deep in AWS EC2 Systems Manager (SSM) and let me tell yah, the documentation is in a sorry state. As such, here is another helpful hint for you (and for me too, if I ever forget this little tidbit again…).

If your Automation Documents that contain an IamInstanceProfileName action are failing with an error that looks something like this…

Automation Step Execution fails when it is launching the instance(s). Get Exception from RunInstances API of ec2 Service. Exception Message from RunInstances API: [You are not authorized to perform this operation. Encoded authorization failure message: {{BIG NASTY BASE64 ERROR}} (Service: AmazonEC2; Status Code: 403; Error Code: UnauthorizedOperation; Request ID: e7feb002-b375-4bfc-3bd4-633943b9e158)]. Please refer to Automation Service Troubleshooting Guide for more diagnosis details.

… and then you, as a good little geek, check that “Automation Service Troubleshooting Guide” and read that …

The assume role doesn’t have sufficient permission to invoke the RunInstances API on EC2 instances. To resolve this problem, attach an IAM policy to the assume role that has permission to invoke the RunInstances API. For more information, see the Method 2: Using IAM to Configure Roles for Automation.

… it might seem that you found your answer.

Sounds pretty cut and dried, until you check your Automation Role and its policies and see that you already have full rights to execute ec2:RunInstances on anything in the account.

Here is the missing link, the bit of detail the guide leaves out: it isn’t RunInstances itself that is being refused, it’s IAM that is kicking you to the curb, because your Automation Role has no right to act on any IAM role objects.

You need to add this in-line policy to your Automation Role to get the whole thing to work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantsAccessToIAMRoles",
            "Effect": "Allow",
            "Action": [
                "iam:*"
            ],
            "Resource": [
                "arn:aws:iam::AWS-ACCOUNT-NUMBER:role/*"
            ]
        }
    ]
}

What you are doing is granting the Automation Role every iam: action on every role under your AWS account.

That is the missing link.
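The policy above works, but it is far broader than the launch actually needs. When RunInstances is called with an instance profile, the only IAM permission the caller must hold is iam:PassRole on the role behind that profile; nothing else in the iam: namespace is consulted. The script below is an added example, not code from the post or from AWS: it puts the post’s broad policy next to a scoped one that grants only iam:PassRole on one named role, restricted to ec2.amazonaws.com, and includes a small checker that flags Allow statements combining a wildcard IAM action with a wildcard role ARN. The account number and role name are placeholders I made up; ec2:RunInstances itself is assumed to be granted elsewhere on the Automation Role, as the post says it already is.

```python
"""Broad vs. scoped IAM policy for an SSM Automation Role that launches
instances with an instance profile (added example, not from the post)."""
import json

# Placeholder values, not from the post: substitute your own.
ACCOUNT_ID = "123456789012"
INSTANCE_PROFILE_ROLE = "MyInstanceProfileRole"  # the role behind the instance profile

# The post's policy: every iam: action on every role in the account.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GrantsAccessToIAMRoles",
            "Effect": "Allow",
            "Action": ["iam:*"],
            "Resource": [f"arn:aws:iam::{ACCOUNT_ID}:role/*"],
        }
    ],
}

# Scoped alternative: RunInstances with an instance profile only requires
# that the caller may pass that one role to the EC2 service.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PassInstanceProfileRoleToEc2",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/{INSTANCE_PROFILE_ROLE}",
            # Refuse to pass the role to anything other than EC2.
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def wildcard_iam_statements(policy):
    """Return the Sids of Allow statements that pair a wildcard IAM action
    ("*" or "iam:*") with a wildcard role resource ("*" or ".../role/*")."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        broad_action = any(a in ("*", "iam:*") for a in actions)
        broad_resource = any(r == "*" or r.endswith(":role/*") for r in resources)
        if broad_action and broad_resource:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def render(policy):
    """Pretty-print a policy document as the JSON you would paste into the console."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"--- {name} policy, wildcard statements: {wildcard_iam_statements(policy)}")
        print(render(policy))
```

Run it as-is to see the checker flag the broad policy’s single statement and pass the scoped one; then paste the scoped JSON (with your own account number and role name) as the in-line policy instead of iam:*. If the launch still fails with the same 403, the first thing to compare is the role ARN in the policy against the role actually behind the instance profile named in the document.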