What permissions in IAM do I need to start EC2 instances with Chef knife?

Q1: I am trying to create a user in the IAM AWS console that has restricted permissions only to start new instances using the knife ec2 method. Currently only full access with the policy "Amazon EC2 Full access" works. Creating a user and granting start/stop instances and describe images does not work.

Q2: How can I debug this

ERROR: Fog::Compute::AWS::Error: UnauthorizedOperation => You are not authorized to perform this operation.

and trace down exactly which permission I need. (-V -V -V didn't work)


Q1: I had to debug knife-ec2 gem in order to find out the minimal IAM permissions required to start an EC2 instance. Here is the minimal policy:

{
  "Statement": [
    {
      "Sid": "Stmt123",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeImages",
        "ec2:CreateTags",
        "ec2:DescribeTags"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}

Please note the Sid should be unique.

Q2: My knowledge of Ruby is quite limited, so possibly there is no convenient way of debugging. Personally I used binding.pry as a debugger. Please refer to the following article for more info.
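As an added example (not from the original answer or from knife-ec2 itself), a small Python checker that evaluates the action list from the policy above against an IAM policy document locally, applying IAM's rules that an explicit Deny wins over any Allow, the default is Deny, and `*` is a wildcard. It also reproduces the questioner's StartInstances/StopInstances/DescribeImages attempt to show which actions that policy leaves uncovered; it does not model NotAction, Condition blocks or resource-level ARNs, which is a simplification assumed here.

```python
import fnmatch

# Actions listed in the minimal policy from the answer above.
REQUIRED_ACTIONS = ["ec2:RunInstances", "ec2:DescribeInstances", "ec2:DescribeKeyPairs",
                    "ec2:DescribeImages", "ec2:CreateTags", "ec2:DescribeTags"]

# Constructed copy of the answer's policy (Version omitted, as in the answer).
KNIFE_EC2_POLICY = {"Statement": [{"Sid": "Stmt123", "Effect": "Allow",
                                   "Action": REQUIRED_ACTIONS, "Resource": ["*"]}]}

# Constructed policy matching what the question tried: start/stop plus DescribeImages.
QUESTIONERS_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                     "Action": ["ec2:StartInstances", "ec2:StopInstances",
                                                "ec2:DescribeImages"]}]}


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_action_allowed(policy, action, resource="*"):
    """Decide one action against a single identity policy: explicit Deny is
    final, any matching Allow grants, otherwise the implicit default is Deny.
    Action names are matched case-insensitively, as IAM does; '*' and '?'
    behave as IAM wildcards. NotAction/Condition are not modelled (assumption)."""
    decision = "Deny"
    for stmt in _as_list(policy.get("Statement")):
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not allow; an empty list
    means the policy covers everything knife ec2 server create needs."""
    return [a for a in required if is_action_allowed(policy, a) != "Allow"]


if __name__ == "__main__":
    print("answer's policy missing:", missing_actions(KNIFE_EC2_POLICY))
    print("question's policy missing:", missing_actions(QUESTIONERS_POLICY))
```

Running it shows that StartInstances is not RunInstances, which is why the questioner's policy produced UnauthorizedOperation.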


You will need to allow RunInstances.