21

I am using the "aws ec2 run-instances" command (from the AWS Command Line Interface (CLI)) to launch an Amazon EC2 instance. I want to set an IAM role for the EC2 instance I am launching. The IAM role is configured and I can use it successfully when launching an instance from the AWS web UI. But when I try to do this using that command, and the "--iam-instance-profile" option, it failed. Doing "aws ec2 run-instances help" shows Arn= and Name= subfields for the value. When I try to look up the Arn using "aws iam list-instance-profiles" it gives this error message:

A client error (AccessDenied) occurred: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/shell/i-15c2766d is not authorized to perform: iam:ListInstanceProfiles on resource: arn:aws:iam::xxxxxxxxxxxx:instance-profile/

(where xxxxxxxxxxxx is my AWS 12-digit account number)

I looked up the Arn string via the web UI and used that via "--iam-instance-profile Arn=arn:aws:iam::xxxxxxxxxxxx:instance-profile/shell" on the run-instances command, and that failed with:

A client error (UnauthorizedOperation) occurred: You are not authorized to perform this operation.

If I leave off the "--iam-instance-profile" option entirely, the instance will launch but it will not have the IAM role setting I need. So the permission seems to have something to do with using "--iam-instance-profile" or accessing IAM data. I repeated several times in case of AWS glitches (they happen sometimes) and no success.

I suspected that perhaps there is a restriction that an instance with an IAM role is not allowed to launch an instance with a more powerful IAM role. But in this case, the instance I am doing the command in has the same IAM role that I am trying to use. named "shell" (though I also tried using another one, no luck).

  • Is setting an IAM role not even permitted from an instance (via its IAM role credentials)?

  • Is there some higher IAM role permission needed to use IAM roles, than is needed for just launching a plain instance?

  • Is "--iam-instance-profile" the appropriate way to specify an IAM role?

  • Do I need to use a subset of the Arn string, or format it in some other way?

  • Is it possible to set up an IAM role that can do any IAM role accesses (maybe a "Super Root IAM" ... making up this name)?

FYI, everything involves Linux running on the instances. Also, I am running all this from an instance because I could not get these tools installed on my desktop. That and I do not want to put my IAM user credentials on any AWS storage as advised by AWS here.

after answered:

I did not mention the launching instance permission of "PowerUserAccess" (vs. "AdministratorAccess") because I did not realize additional access was needed at the time the question was asked. I assumed that the IAM role was "information" attached to the launch. But it really is more than that. It is a granting of permission.

Steffen Opel
  • 5,560
  • 35
  • 55
Skaperen
  • 1,064
  • 2
  • 11
  • 21

2 Answers2

24

Update

Mike Pope has published a nice article about Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission) on the AWS Security Blog, which explains the subject matter from an AWS point of view.


Initial Answer

Skaperen's answer is partially correct (+1), but slightly imprecise/misleading as follows (the explanation seems a bit too complex for a comment, hence this separate answer):

To launch an EC2 instance with an IAM role requires administrative access to the IAM facility.

This is correct as such and points towards the underlying problem, but the required administrative permissions are rather limited, so the following conclusion ...

Because IAM roles grant permissions, there is clearly a security issue to be addressed. You would not want IAM roles being a means to allow permission escalation.

... is a bit misleading, insofar the potential security issue can be properly addressed. The subject matter is addressed in Granting Applications that Run on Amazon EC2 Instances Access to AWS Resources:

You can use IAM roles to manage credentials for applications that run on Amazon EC2 instances. When you use roles, you don't have to distribute AWS credentials to Amazon EC2 instances. Instead, you can create a role with the permissions that applications will need when they run on Amazon EC2 and make calls to other AWS resources. When developers launch an Amazon EC2 instance, they can specify the role you created to associate with the instance. Applications that run on the instance can then use the role credentials to sign requests.

Now, within the use case at hand the mentioned developers [that] launch an Amazon EC2 instance are in fact EC2 instances themselves, which appears to yield the catch 22 security issue Skaperen outlined. That's not really the case though as illustrated by the sample policy in section Permissions Required for Using Roles with Amazon EC2 :

{
   "Version": "2012-10-17",
   "Statement": [{
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"iam:ListInstanceProfiles",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"ec2:*",
      "Resource":"*"
    }]
}

So iam:PassRole is in fact the only IAM permission required, and while technically of administrative nature, this isn't that far reaching - of course, the sample policy above would still allow to escalate permissions by means of listing and in turn passing any available role, but this can be prevented by specifying only those roles that are desired/safe to pass for the use case at hand - this is outlined in section Restricting Which Roles Can Be Passed to Amazon EC2 Instances (Using PassRole):

You can use the PassRole permission to prevent users from passing a role to Amazon EC2 that has more permissions than the user has already been granted, and then running applications under the elevated privileges for that role. In the role policy, allow the PassRole action and specify a resource (such as arn:aws:iam::111122223333:role/ec2Roles/*) to indicate that only a specific role or set of roles can be passed to an Amazon EC2 instance.

The respective sample policy illustrates exactly matches the use case at hand, i.e. grants permission to launch an instance with a role by using the Amazon EC2 API:

{
  "Version": "2012-10-17",
  "Statement": [{
      "Effect":"Allow",
      "Action":"ec2:RunInstances",
      "Resource":"*"
    },
    {
      "Effect":"Allow",
      "Action":"iam:PassRole",
      "Resource":"arn:aws:iam::123456789012:role/Get-pics"
    }]
}
Steffen Opel
  • 5,560
  • 35
  • 55
  • Thanks for the info about iam:PassRole. That is more detail than I had learned before, it does show lots more than can be done by configuring the permissions like this. – Skaperen Oct 25 '13 at 03:43
1

To launch an EC2 instance with an IAM role requires administrative access to the IAM facility. This applies even if the new instance is to have exactly the same role as the instance doing the launching. The instance I was launching from had "PowerUserAccess" permission, which allowed launching an instance, but not IAM role access. Once I advanced the permission in the launching instance to "AdministratorAccess" then it worked.

Because IAM roles grant permissions, there is clearly a security issue to be addressed. You would not want IAM roles being a means to allow permission escalation. But this also means in order to grant any IAM role, the launching instance must have "AdministratorAccess" or be using user access/secret keys (with such permission) from within the instance (not recommended), which would allow granting any IAM role.

Being able to launch an instance with the same permission (same IAM role) as held by the instance doing the launching would be useful, but EC2 or IAM either do no have this level of granularity, or do not have the means to securely verify this.

Skaperen
  • 1,064
  • 2
  • 11
  • 21
  • 1
    Your analyzed/described the underlying issue correctly (+1), but your conclusions are slightly imprecise/misleading - I've added a [separate answer](http://serverfault.com/a/548083/10305) to properly explain how the potential security issue is addressed by IAM. – Steffen Opel Oct 23 '13 at 15:22