
Did Not Have IAM Permissions To Process Tags On AWS - EC2 - Instance Resource - AWS Re - Post

The document discusses troubleshooting issues with IAM permissions when creating EC2 instances from CloudFormation templates. The asker was unable to create stacks due to missing permissions to process tags on EC2 instances. The solution involved using AWS::EC2::LaunchTemplate resources to specify tags instead of AWS::EC2::Instance.

Uploaded by

Vinu

23/01/2023, 20:02 Did not have IAM permissions to process tags on AWS::EC2::Instance resource | AWS re:Post

Did not have IAM permissions to process tags on AWS::EC2::Instance resource
Hi Everyone,

I am using Attribute Based Access Control (ABAC) to delegate permissions to Users to create CloudFormation and EC2 instances from CF template.

I am getting 'Did not have IAM permissions to process tags on AWS::EC2::Instance resource.' and 'API: ec2:RunInstances You are not authorized to perform this operation. Encoded authorization failure message' errors while trying to create CF Stack. All corresponding 'access-team' and 'access-project' tags are provided in the CloudFormation Template. The CF Template and corresponding ABAC IAM Policy are attached.

However, I am able to create exact EC2 Instance manually without any issue via AWS EC2 Console in case I am supplying corresponding 'access-team' and 'access-project' Tags during EC2 Instance creation.

Could someone help me to narrow down the root of that issue and what exactly I should change in IAM Policy to deploy CF Stack?

TIA

Edited by: innos on Feb 19, 2021 6:19 AM

Edited by: innos on Feb 24, 2021 7:56 AM

innos
asked 2 years ago 1110 views

1 Answer

Hi Guys,

My request has been resolved by AWS Support with the following issue description:

==================================================
From the public docs, "When you create an EC2 instance with AWS CloudFormation using the resource AWS::EC2::Instance, AWS CloudFormation makes two API calls: RunInstances and CreateTags. RunInstances creates the instance and CreateTags applies the necessary tags after the instance is created. The RunInstances request made by AWS CloudFormation doesn't support the tags, but the API does support the tags." Please refer to [1] for more information on the same.

So, the workaround for this issue is using "AWS::EC2::LaunchTemplate" resource for EC2 Instance and specify the required Tags on the Volume using "TagSpecification" property in "AWS::EC2::LaunchTemplate" resource. Please refer to [2][3] for more information.

We can specify the required Tags for the resources as below.

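```yaml
# Instance launched from the launch template below
Instance:
  Type: 'AWS::EC2::Instance'
  Properties:
    LaunchTemplate:
      LaunchTemplateId: !Ref RequiredTagsLaunchTemplate
      Version: '1'
    InstanceType: r4.xlarge
    # ... (remaining properties omitted in the original)
# Launch template that carries the required tags
RequiredTagsLaunchTemplate:
  Type: 'AWS::EC2::LaunchTemplate'
  Properties:
    LaunchTemplateData:
      TagSpecifications:
        - ResourceType: volume
          Tags:
            - Key: Env
              Value: Dev
```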


References:
[1] https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-ec2-iam-runinstances/
[2] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-launchtemplate.html
[3] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-launchtemplate-tagspecification.html
I hope this information will be useful for somebody.

Alex

innos
answered 2 years ago
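The mechanism described in the answer above, as an added example that is not part of the original thread: a simplified model of how an ABAC Allow statement conditioned on `aws:RequestTag` treats a RunInstances request with no tags versus one that carries them. The policy statement, tag values and function names are assumptions made for illustration; the asker's actual policy is not shown on the page, and this is not a full IAM evaluator.

```python
# Hypothetical ABAC statement: allow ec2:RunInstances only when the request
# carries the same access-team / access-project tags as the calling principal.
ABAC_STATEMENT = {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Condition": {
        "StringEquals": {
            "aws:RequestTag/access-team": "${aws:PrincipalTag/access-team}",
            "aws:RequestTag/access-project": "${aws:PrincipalTag/access-project}",
        }
    },
}


def resolve(value, principal_tags):
    """Expand a ${aws:PrincipalTag/<key>} policy variable; literals pass through."""
    prefix = "${aws:PrincipalTag/"
    if value.startswith(prefix) and value.endswith("}"):
        return principal_tags.get(value[len(prefix):-1])
    return value


def is_allowed(action, request_tags, principal_tags, statement=ABAC_STATEMENT):
    """True only if the action matches and every condition key is present in
    the request with the expected value. A missing key makes StringEquals
    false, so the Allow does not apply and the call is implicitly denied."""
    if action != statement["Action"]:
        return False
    for key, expected in statement["Condition"]["StringEquals"].items():
        tag_key = key.split("/", 1)[1]
        want = resolve(expected, principal_tags)
        if want is None or request_tags.get(tag_key) != want:
            return False
    return True


# Constructed principal tags (sample values, not from the page).
PRINCIPAL = {"access-team": "eng", "access-project": "peg"}

# Tags on AWS::EC2::Instance: per the docs quoted above, RunInstances is sent
# without tags and CreateTags follows as a second call.
CFN_INSTANCE_REQUEST_TAGS = {}
# Tags set in LaunchTemplateData.TagSpecifications are applied as part of
# the RunInstances call itself.
LAUNCH_TEMPLATE_REQUEST_TAGS = {"access-team": "eng", "access-project": "peg"}


def demo():
    """Return (decision without request tags, decision with launch-template tags)."""
    return (
        is_allowed("ec2:RunInstances", CFN_INSTANCE_REQUEST_TAGS, PRINCIPAL),
        is_allowed("ec2:RunInstances", LAUNCH_TEMPLATE_REQUEST_TAGS, PRINCIPAL),
    )
```

The untagged request is denied even though the template declares the right tags, which matches the asker's observation that the same launch succeeds from the console when tags are supplied at creation time.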
