How do I create Amazon EC2 instances through CloudFormation when the IAM policy for RunInstances has tag-based restrictions?

2 minute read
0

I want to create Amazon Elastic Compute Cloud (Amazon EC2) instances through AWS CloudFormation. My AWS Identity and Access Management (IAM) policy for RunInstances has tag-based restrictions.

Resolution

The Tags property of the AWS::EC2::Instance resource doesn't extend to the volumes that you create through CloudFormation. If the IAM policy that's associated with the user or role has restrictions on volume tags, then you receive the following error: "You are not authorized to perform this operation."

To pass the tags through CloudFormation to ec2:CreateVolume, you must define your tags in the AWS::EC2::LaunchTemplate resource in your CloudFormation template.

To set up this configuration, complete the following steps:

  1. Define a launch template resource in the stack with the required tags for the IAM policy and ResourceType set to volume.
    This is an example of the code that you can use:

    RequiredTagsLaunchTemplate:
        Type: 'AWS::EC2::LaunchTemplate'
        Properties:
          LaunchTemplateData:
            TagSpecifications:
              - ResourceType: volume
                Tags:
                  - Key: Env
                     Value: Dev
  2. Attach your launch template to your EC2 instance resource.
    This is an example of the code that you can use:

    Instance:
        Type: 'AWS::EC2::Instance'
        Properties:
          LaunchTemplate:
            LaunchTemplateId: !Ref RequiredTagsLaunchTemplate
            Version: 1
          InstanceType: r4.xlarge
          .
          .
      RequiredTagsLaunchTemplate:
        Type: 'AWS::EC2::LaunchTemplate'
        Properties:
          LaunchTemplateData:
            TagSpecifications:
              - ResourceType: volume
                Tags:
                  - Key: Env
                    Value: Dev
  3. Verify that your launch template has all the required tags, and then create or update your stack.

Important: The role or user that creates the stack must have permission to create and use a launch template without tagging restrictions. You can use the aws:CalledVia condition key to create a new statement that exempts CloudFormation API calls from tagging requirements.

AWS OFFICIAL
AWS OFFICIALUpdated 22 days ago