#12160 Not able to launch aws ec2 instances
Closed: Fixed with Explanation a month ago by kevin. Opened 3 months ago by svashisht.

Describe what you would like us to do:


I am not able to launch ec2 instances with AMI ami-09cb5e508831f32a9 in us-west-2 region.

I am getting this error:

You are not authorized to perform this operation. User: arn:aws:sts::125523088429:assumed-role/aws-openscanhub/svashisht is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:us-west-2::image/ami-09cb5e508831f32a9 because no identity-based policy allows the ec2:RunInstances action.

When do you need this to be done by? (YYYY/MM/DD)


asap


Metadata Update from @zlopez:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: Needs investigation, aws, low-gain

3 months ago

I am able to spin up ami-09b22dfe6916e9ee0 however.

As "FAS:praiskup", I'm not able to find any of the two images. Are those intentionally private?

They are community AMIs from CentOS. You can see them at https://www.centos.org/download/aws-images/.

Ah, I can then at least confirm that ami-09cb5e508831f32a9 works fine for me.

Odd. Nothing should have changed here. You were able to launch instances ok before... did anything change on your side?

Or is this the first time you tried to spin up these AMIs?

I have been able to spin up all AMIs without any problem. This is the first time I am seeing this issue.

And this is still happening with that one ami only and only with openscanhub role?

I wonder if there's something off about it on the centos side...

Looking at that ami I do see:

Deprecation time: Fri Aug 28 2026 14:28:07 GMT-0700 (Pacific Daylight Time)

But I checked a few others and they all have the same thing as well. ;(

Please close it, it was fixed by switching to the latest AMI. Thank you!

Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

2 months ago

I am again getting:

You are not authorized to perform this operation. User: arn:aws:sts::125523088429:assumed-role/aws-openscanhub/svashisht is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:us-west-2::image/ami-0a46397ea7986c9c0 because no identity-based policy allows the ec2:RunInstances action.

with ami ami-0a46397ea7986c9c0 in us-west-2 zone.

Metadata Update from @svashisht:
- Issue status updated to: Open (was: Closed)

a month ago

Metadata Update from @svashisht:
- Issue private status set to: False (was: True)

a month ago

Packit users are affected by this issue. I am marking this issue as public to keep other teams in sync.

@svashisht: the image you list is public, so can you confirm that you can still deploy it yourself? If that works, it's not a permission issue on the image but rather something to look at in the IAM policy and then the AWS logs.

I am not able to deploy it manually through AWS Web UI. I get the same error as the CLI.

As an external user? So not coming through FAS, but as an external (public) user. Wondering if something is missing some policies when connected through aws/iam, while working for external users (images are public).

I am able to launch AMI ami-0a46397ea7986c9c0 through my Red Hat account, so this is an issue with FAS/AWS account permissions.

@kevin Could you check this one, I'm not sure what could be happening on AWS.

The problem is our aws account iam policies.

We try and restrict various groups to only be able to manage their own tagged resources.
However, in this case one group wants to use a resource tagged with another group, which is fine, but... we don't want the other group to be able to delete/modify those images, just use them.

I've added ec2:RunInstances to work with any tagged resource here for openscanhub. I am not sure if there's going to be more permissions needed however.

Can you test and see if that fixes things? If not, we can iterate on perms and get them added...

Metadata Update from @kevin:
- Issue assigned to kevin

a month ago
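
The tag-scoping behaviour described in the comment above, as an added example that is not part of the ticket and is not Fedora's actual policy: a simplified evaluator for identity-based Allow statements showing why a launch fails on an image tagged by another group, and how an untagged `ec2:RunInstances` allow fixes the launch while image deletion stays tag-scoped. The tag key `FedoraGroup`, its values, the subnet ARN and both policies are assumptions; explicit Deny statements, SCPs and other condition operators are not modelled.

```python
import fnmatch

# Constructed policies, not Fedora's real ones. The tag key "FedoraGroup" and
# its values are assumptions made for this example.
TAG_SCOPED = {  # a group may act only on resources carrying its own tag
    "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/FedoraGroup": "openscanhub"}},
}
RUN_ANY = {  # the added permission: launch from resources tagged by any group
    "Effect": "Allow", "Action": ["ec2:RunInstances"], "Resource": "*",
}
BEFORE = [TAG_SCOPED]
AFTER = [TAG_SCOPED, RUN_ANY]

# Constructed resources: the AMI id is from the ticket, its tag value is not.
IMAGE = ("arn:aws:ec2:us-west-2::image/ami-0a46397ea7986c9c0",
         {"FedoraGroup": "centos"})
SUBNET = ("arn:aws:ec2:us-west-2:111122223333:subnet/subnet-EXAMPLE",
          {"FedoraGroup": "openscanhub"})


def statement_allows(stmt, action, arn, tags):
    """True if one Allow statement matches the action, resource and tag condition."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"]):
        return False
    if not fnmatch.fnmatchcase(arn, stmt["Resource"]):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    # "ec2:ResourceTag/<key>" compares against the tag on the target resource
    return all(tags.get(k.split("/", 1)[1]) == v for k, v in wanted.items())


def is_allowed(policy, action, arn, tags):
    """Implicit deny: the request passes only if some statement allows it."""
    return any(statement_allows(s, action, arn, tags) for s in policy)


def run_instances_allowed(policy, resources):
    """RunInstances is checked against every resource it uses; one failed check fails the call."""
    return all(is_allowed(policy, "ec2:RunInstances", a, t) for a, t in resources)


if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("after", AFTER)):
        print(name, "launch:", run_instances_allowed(pol, [IMAGE, SUBNET]),
              "deregister:", is_allowed(pol, "ec2:DeregisterImage", *IMAGE))
```
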

It seems to be fixed now as workers are coming back again and the queue is cleaned up https://openscanhub.fedoraproject.org/task/running/

Great. Glad it was easy to fix.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

a month ago
