Skip to content

Instantly share code, notes, and snippets.

@arianvp

arianvp/README.md

Last active June 4, 2024 01:48
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save arianvp/643f6862dfebda243cac9de8f0bd8492 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save arianvp/643f6862dfebda243cac9de8f0bd8492 to your computer and use it in GitHub Desktop.
Download ZIP
An error occurred (AccessDenied) when calling the StartInstanceRefresh operation: You are not authorized to use launch template:
Raw
README.md

An error occurred (AccessDenied) when calling the StartInstanceRefresh operation: You are not authorized to use launch template:

You came here because you Googled the above error and got zero hits. You will now get a hit!

Problem

You have an error like:

An error occurred (AccessDenied) when calling the StartInstanceRefresh operation: You are not authorized to use launch template:

or

 You are not authorized to use launch template:

Solution

Make sure that your IAM policy has all the permissions to use the Launch Template. If your Launch Template has a TagSpecification you need ec2:CreateTags If your Launch Template has an InstanceProfile you need iam:PassRole

NOTE: You can't use a iam:ResourceTag condition to limit iam:PassRole to roles with a specific tag. You need to limit it by ARN instead. If you know beforehand that the IAM Role you're using will not change between Launch Template Versions hardcode the ARN to the specific ARN:

        {
            "Action": "iam:PassRole",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            },
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/my-role",
            "Sid": "LaunchTemplateInstanceProfile"
        }

Example policy

{
    "Statement": [
        {
            "Action": [
                "autoscaling:DescribeInstanceRefreshes",
                "autoscaling:DescribeAutoScalingGroups"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
        },
        {
            "Action": [
                "autoscaling:StartInstanceRefresh",
                "autoscaling:RollbackInstanceRefresh",
                "autoscaling:CancelInstanceRefresh"
            ],
            "Condition": {
                "StringEquals": {
                    "autoscaling:ResourceTag/managed-by-me": "true"
                }
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "InstanceRefresh"
        },
        {
            "Action": "ec2:RunInstances",
            "Effect": "Allow",
            "Resource": "*",
            "Sid": ""
        },
        {
            "Action": "ec2:CreateTags",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            },
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:*:*:*/*",
            "Sid": "LaunchTemplateTags"
        },
        {
            "Action": "iam:PassRole",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "ec2.amazonaws.com"
                }
            },
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/*",
            "Sid": "LaunchTemplateInstanceProfile"
        }
    ],
    "Version": "2012-10-17"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment