Hello world! Problem with CF and launch template

Hi

You need EC2 full access or at a minimum, EC2:RunInstances permission in your user IAM role to use an autoscaling group in a launch template.

See https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-launch-template-permissions.html for a sample of the permissions required.

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup"
            ],
            "Resource":"*",
            "Condition":{
                "StringEquals":{
                    "autoscaling:ResourceTag/environment":"test"
                }
            }
        },
        {
            "Effect":"Allow",
            "Action":[
                "autoscaling:Describe*",
                "ec2:RunInstances"
            ],
            "Resource":"*"
        }
    ]
}

ec2:RunInstances are checked when an Auto Scaling group is created or updated using a launch template. If you want to restrict access to the resources that are used to launch an instance or otherwise limit what IAM users can do, you must modify this policy to add your own statements that filter these permissions.

Also see this troubleshooting article:

https://docs.aws.amazon.com/autoscaling/ec2/userguide/ts-as-launch-template.html#ts-launch-template-unauthorized-error

You are not authorized to use launch template (insufficient IAM permissions)

Problem: When you try to specify a launch template for an Auto Scaling group, you get the You are not authorized to use launch template error.

Cause 1: If you are attempting to use a launch template, and the IAM credentials that you are using do not have sufficient permissions, you receive an error that you're not authorized to use the launch template.

Solution 1: Verify that the IAM credentials that you are using to make the request has permissions to call the EC2 API actions you need, including the ec2:RunInstances action. If you specified any tags in your launch template, you must also have permission to use the ec2:CreateTags action.

Solution 2: Verify that the IAM credentials that you are using to make the request is assigned the AmazonEC2FullAccess policy. This AWS managed policy grants full access to all Amazon EC2 resources and related services, including Amazon EC2 Auto Scaling, CloudWatch, and Elastic Load Balancing.

Cause 2: If you are attempting to use a launch template that specifies an instance profile, you must have IAM permission to pass the IAM role that is associated with the instance profile.

Solution 3: Verify that the IAM credentials that you are using to make the request has the correct permissions to pass the specified role to the Amazon EC2 Auto Scaling service. For more information, see IAM role for applications that run on Amazon EC2 instances. For further troubleshooting topics related to instance profiles, see Troubleshooting Amazon EC2 and IAM in the IAM User Guide.

For more information about setting up IAM permissions for launch templates, see Launch template support.****

All is works, Thanks!