The problem is that you don't have ec2:RunInstances permissions any more, because you added that permission together with the condition, so it overrides: it will look for an EC2 instance with that tag, seeing that you have only "ec2:DescribeInstances" on Resource:["*"].
Add two separate statements, and specify the exact resources for each:
- one for the AMI with Resource:["arn:aws:ec2:region::image/ami-*"]
- one for ec2:RunInstances with Resource:["arn:aws:ec2:region:account:instance/*"]
Example:
(taken from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#ex5)
The following policy allows users to launch instances using only the
AMIs that have the specified tag, "department=dev", associated with
them. The users can't launch instances using other AMIs because the
Condition element of the first statement requires that users specify
an AMI that has this tag. The users also can't launch into a subnet,
as the policy does not grant permissions for the subnet and network
interface resources. They can, however, launch into EC2-Classic. The
second statement uses a wildcard to enable users to create instance
resources, and requires users to specify the key pair project_keypair
and the security group sg-1a2b3c4d. Users are still able to launch
instances without a key pair.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:region::image/ami-*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/department": "dev"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:region:account:instance/*",
        "arn:aws:ec2:region:account:volume/*",
        "arn:aws:ec2:region:account:key-pair/project_keypair",
        "arn:aws:ec2:region:account:security-group/sg-1a2b3c4d"
      ]
    }
  ]
}
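To see why the split matters, here is an added example (not from the answer above or from the AWS documentation) that models, in a deliberately simplified way, how IAM authorizes each resource of one ec2:RunInstances call independently: a single Resource:["*"] statement carrying the ec2:ResourceTag condition fails on the untagged instance, volume, key-pair and security-group resources, while the two-statement policy passes. The request ARNs and the ami-0abc1234 id are constructed sample values, and the evaluator only handles Allow statements with StringEquals on ec2:ResourceTag keys.

```python
import fnmatch

# Constructed sample request: every ARN that a single ec2:RunInstances call
# must be authorized for in the scenario above (an AMI tagged department=dev
# plus the untagged instance, volume, key-pair and security-group resources).
REQUEST = [
    ("arn:aws:ec2:region::image/ami-0abc1234", {"department": "dev"}),
    ("arn:aws:ec2:region:account:instance/*", {}),
    ("arn:aws:ec2:region:account:volume/*", {}),
    ("arn:aws:ec2:region:account:key-pair/project_keypair", {}),
    ("arn:aws:ec2:region:account:security-group/sg-1a2b3c4d", {}),
]

TAG_CONDITION = {"StringEquals": {"ec2:ResourceTag/department": "dev"}}

# The shape that breaks: one statement on Resource "*", so the tag condition
# is applied to every resource in the call, including ones with no tags.
SINGLE_STATEMENT = [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": ["*"],
     "Condition": TAG_CONDITION},
]

# The fix from the answer: the condition is scoped to the AMI statement only.
SPLIT_STATEMENTS = [
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:region::image/ami-*"], "Condition": TAG_CONDITION},
    {"Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:region:account:instance/*",
                  "arn:aws:ec2:region:account:volume/*",
                  "arn:aws:ec2:region:account:key-pair/project_keypair",
                  "arn:aws:ec2:region:account:security-group/sg-1a2b3c4d"]},
]

def statement_allows(stmt, arn, tags):
    """Simplified IAM check: Allow + action + Resource pattern match + StringEquals
    on ec2:ResourceTag/* keys. A resource lacking the tag fails StringEquals."""
    if stmt.get("Effect") != "Allow" or stmt.get("Action") != "ec2:RunInstances":
        return False
    if not any(fnmatch.fnmatchcase(arn, pat) for pat in stmt["Resource"]):
        return False
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.startswith("ec2:ResourceTag/") and tags.get(key.split("/", 1)[1]) != want:
            return False
    return True

def denied_resources(policy, request):
    """ARNs in the request that no statement allows; empty means the launch is permitted."""
    return [arn for arn, tags in request
            if not any(statement_allows(s, arn, tags) for s in policy)]
```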