Possible to limit an EC2 key to just ec2-associate-address?

Solution 1:

This is indeed possible by means of AWS Identity and Access Management (IAM), which enables you to securely control access to AWS services and resources for your users (facilitating IAM instead of the main account credentials for everyday AWS usage is nowadays highly recommended accordingly).

Amongst several others, IAM enables the following use case:

Fine-grained access control to your AWS resources: IAM enables you to control access to AWS service APIs and to specific resources. IAM also enables you to add specific conditions to control how a user can use AWS, such as time of day, their originating IP address, or whether they are using SSL.

The respective granularity varies between the available AWS services (it tends to get increased over time), but fortunately granularity for the EC2 API is high and what you are looking for is readily available - for example, you might want to check out the recommended AWS Policy Generator, select type IAM Policy and service Amazon EC2, which will allow you to select action AssociateAddress in turn.

Consequently you should be able to achieve your goal by creating a dedicated IAM user for the task at hand, crafting an IAM policy essentially limited to AssociateAddress (maybe DisassociateAddress as well) and assigning this policy to the IAM user - e.g. the policy might look like this:

{
  "Statement": [
    {
      "Action": [
        "ec2:AssociateAddress",
        "ec2:DisassociateAddress"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}