Undocumented IAM permissions required by Packer EBS builder

Scenario

You use Packer's EBS builder (amazon-ebs) to build your AMIs. The environment is configured with AWS credentials that carry every IAM permission the builder's documentation lists, yet the build fails as soon as Packer tries to launch the source instance:

==> amazon-ebs: Launching a source AWS instance...
==> amazon-ebs: Adding tags to source instance
    amazon-ebs: Adding tag: "Name": "Packer Builder"
==> amazon-ebs: Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: otX5J2DYKoU8w8_jW1NK4tkpflhmZV7RPr4b0849Q1xZXb2aStSd810GBZ30UE-80pgrzIXsf6VYU5L30-bmGFSQOsm8CwyM-Ixka6l0y80suznZoRghP3m5inNwZ3pWOqzivgcqh32D27u_EorICB3Eql3RwzjFtJ7nu1wsDK6n3f-vw5bsRQblTd7QeIBp-u_0jWTyUHacROWtsgZXEiGPzoe-a2yA0lpZw187smnW5y8_yiDjlTS7AgSU6fFfawNHh_7a11_5DxbBlTNTLD5A1rT7caf44kSsoBxAhMtehWrqCZyOn4Ma5ZlSq7g7o-M0pp793NlxcKWUSVNp8zBX9UFwxv_6EIg2fhMsszjMsDcXk_wlHxrOKrhWiy9McaNfrgnT4J96qo2aILA3516_xBBfpzVSIMkeLblYpc7y8Cm6nCz81mnVf2ocPhmHIbJrJFmV0mlW00hLNXHp2xbGybd6Y10Jg-lBk7bYfybBSSgrv0Dxj_UMh7sY9LN0Q9d3b9sw2Qc_WdpDCCWJok2EsMZ0bd2Kf4RLfbpnfh76
==> amazon-ebs:  status code: 403, request id: xxxxx-xxxxx-xxxxx

The encoded message in a 403 from EC2 names the missing permission, but only once it is decoded, and decoding is itself a privileged call:

aws sts decode-authorization-message --encoded-message <ENCODED MESSAGE HERE>

An error occurred (InvalidAuthorizationMessageException) when calling the DecodeAuthorizationMessage operation: Not authorized to decode message

That second error means the caller lacks sts:DecodeAuthorizationMessage. Without it the actual cause of the UnauthorizedOperation has to be worked out by hand, so it is worth granting that action to build credentials up front.

The problem

Packer launches the source instance with the instance profile named in the builder's iam_instance_profile option, and that is the step that was rejected. Attaching an instance profile means passing its IAM role to EC2, and IAM gates that with a separate permission, iam:PassRole, precisely because the passed role may hold permissions the caller does not: without the gate, anyone allowed to launch instances could escalate by launching one with a more privileged role and reading its credentials from the instance metadata. The builder's documented policy did not include this, nor the two EC2 actions involved in associating a profile with the instance, so the following permissions have to be granted on top of the documented list:

iam:PassRole
ec2:AssociateIamInstanceProfile
ec2:ReplaceIamInstanceProfileAssociation
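As an added illustration (not from the original post, and not Packer's own documentation), here is an IAM policy that grants these permissions while keeping iam:PassRole as narrow as possible. The account ID 123456789012 and the role name packer-build-instance-role are placeholders; the role must be the one behind the instance profile you set in the builder's iam_instance_profile option. The last statement grants sts:DecodeAuthorizationMessage so that the decode step shown above works the next time a 403 comes back.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassOnlyThePackerBuildRoleToEc2",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/packer-build-instance-role",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AssociateInstanceProfileWithBuildInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateIamInstanceProfile",
        "ec2:ReplaceIamInstanceProfileAssociation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DecodeAuthorizationFailures",
      "Effect": "Allow",
      "Action": "sts:DecodeAuthorizationMessage",
      "Resource": "*"
    }
  ]
}
```

The first statement is the one that matters from a security standpoint. A wildcard in its Resource would let the build credentials launch an instance with any role in the account, administrative ones included, which is exactly the escalation iam:PassRole exists to prevent; pinning the role ARN and restricting iam:PassedToService to ec2.amazonaws.com limits the damage if the build credentials leak. The "*" on the two EC2 actions is a simplification; it can be narrowed to the build instances with a tag condition on the instance resource if your Packer template applies a distinguishing tag at launch.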


Site Reliability Engineer at shuttl.com | github.com/duaraghav8
