Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation

Question

I am trying to lunch EC2 instance by using Terraform and I am getting the following error:

Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation.

I have applied AdministratorAccess policy to my IAM account so I guess there should not be IAM restriction issue.

Also I have MFA enabled for my account, but I am using STS token and the API calls are being accepted from Amazon so this should not be the issue as well.

The Terraform code that I am using is so simple:

provider "aws"{
    region="us-east-1"
}
resource "aws_instance" "web" {
  ami           = "ami-00d4e9ff62bc40e03"
  instance_type = "t2.micro"
  tags = {
    Name = "HelloWorld"
  }
}

Please could you assist me as I tired so many things, but I didn't manage to solve the issue. Thanks ahead in time!

Answer 1

You can try to enable debugging when running the template so you can get a better idea in which permission piece is missing

TF_LOG=DEBUG terraform apply

Answer 2

You're got this error too, I fixed the same by recreating the user in AWS IAM console and then access/secret key. Why that happened is mistakenly I uploaded the tfvars file having access key and secret key to my github repo which was identified by AWS and then it restricted access over that particular IAM user. hats of to AWS for this micro level monitoring and security standard following.

Answer 3

Goto the user you have created for terraform from iamadmin then check the Policies . I have found that "AWSCompromisedKeyQuarantineV2" policy was Attached directly . The description of the policy is :

Policy ARN arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2 Description Denies access to certain actions, applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly. Do NOT remove this policy. Instead, please follow the instructions specified in the support case created for you regarding this event.

Check open issues in aws notification, It will show you Risk IAM quarantine

Your AWS Account may be compromised! We have opened a Support Case with more details. Please visit the AWS Support Center https://aws.amazon.com/support to review the case we've opened for you and take action immediately.

Answer 4

Maybe the reason is:

• This is a new AWS account and the activation process haven't finished yet.
• Your AWS keys don't have enough permissions to launch EC2 instances.

Answer 5

Please use the STS service to decode the authorization token that you get with your response. It will state the exact action you don't have permission to perform.

This is only the first step, you can read more on this from this documentation:

https://aws.amazon.com/premiumsupport/knowledge-center/ec2-not-auth-launch/

Answer 6

For me the issue was trying to create a resource in a region forbidden by my organization's Service Control Policy. The user credentials were fine.

Answer 7

I got this error because I was accessing a wrong profile in my AWS config file.

[default]
aws_access_key_id = AKIA........
aws_secret_access_key = JFV............

[org_1]
aws_access_key_id = AKIA............
aws_secret_access_key = EVg.................

This happened because I was trying to create a resource using credentials in the default profile I didn't have to create an EC2 instance.

This was however solved by changing the configuration to point to the profile org_1 I intended to use

Therefore, If your AWS config file contains more than one profile, reference the correct profile in your terraform file. For example;

provider "aws" {
profile = "org_1"
region  = "us-west-..."
}

Answer 8

Please go to your AWS console to see if you set the permissions boundary on this user. If yes, you can try to remove all of them.