Packer fails with UnauthorizedOperation on my office AWS account, but works fine on my personal AWS account where I have full admin access

So I am getting an `UnauthorizedOperation: You are not authorized to perform this operation` error. I am aware this is happening due to some restrictive policy, but I have checked and I have access to all the required policies as per the Packer documentation. Can someone point out the problem for me, please? I am providing the entire script, the error, as well as the decoded error message. Your quick help in this regard will be highly appreciated.

Packer script

{

"variables": {

    "instance_size": "t2.micro",

    "ami_name": "ami_auto_gold_ami_poc",

    "ssh_username": "ubuntu",

    "vpc_id": "",

    "subnet_id": "",

    "security_group": "",

    "ssh_keypair": "",

    "AWS_ACCESS_KEY_ID": "******************",

    "AWS_SECRET_ACCESS_KEY": "**********************"

},

"builders": [

    {

        "type": "amazon-ebs",

        "region": "eu-west-1",

        "profile": "default",

        "access_key": "{{user `AWS_ACCESS_KEY_ID`}}",

        "secret_key": "{{user `AWS_SECRET_ACCESS_KEY`}}",

        "instance_type": "{{user `instance_size`}}",

        "ssh_username": "{{user `ssh_username`}}",

        "ssh_timeout": "20m",

        "ami_name": "{{user `ami_name`}}",

        "ami_groups": "all",

        "ssh_pty": "true",

        "vpc_id": "{{user `vpc_id`}}",

        "subnet_id": "{{user `subnet_id`}}",

        "security_group_id": "{{user `security_group`}}",

        "ssh_keypair_name": "{{user `ssh_keypair`}}",

        "ssh_private_key_file": "abc.pem",

        "source_ami": "ami-0f630a3f40b1eb0b8",

        "run_tags": {
             "Name": "Packer_POC",
             "Author": "Vikas Arora",

            "Service": "Packer_AMI",

            "Environment": "dev"

        },

        "tags": {

            "Name": "Packer_POC",

            "Author": "Vikas Arora",

            "Service": "Packer_AMI",

            "Environment": "dev"

        },

        "ami_block_device_mappings": [

              { 

                "device_name": "/dev/sda1",                 

                "volume_type": "gp2",

                "volume_size": 30,

                "iops": 150,

                "delete_on_termination": "true"

              }

            ]                           

    }

]

}

Packer Build Command

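# Build the AMI from packer.json, overriding the empty template variables on the command line.
# The values below are redacted by the poster (vpc_id is empty, subnet/sg/keypair are stubs);
# quote them with plain ASCII single quotes — the curly quotes in the original paste are not
# recognised as quoting characters by the shell and would leave an unbalanced quote open.
# NOTE(review): sudo is normally not needed for `packer build`; depending on the sudo
# configuration HOME may point at root's home, so the template's `"profile": "default"`
# lookup may read a different ~/.aws than the invoking user's — confirm which credentials
# are actually being used.
sudo packer build -var 'vpc_id=' -var 'subnet_id=subnet-' -var 'security_group=sg-' -var 'ssh_keypair=***' packer.json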

Error

==> amazon-ebs: Prevalidating AMI Name…
    amazon-ebs: Found Image ID: ami-0f630a3f40b1eb0b8
==> amazon-ebs: Using existing SSH private key
==> amazon-ebs: Launching a source AWS instance…
==> amazon-ebs: Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: hgkhgj6776gfgjhgkhgfhjfj909809nvhghg
==> amazon-ebs: status code: 403, request id: 5d4cef6e-ce1f-4d19-b8d1-b686ee8ecc7b
==> amazon-ebs: No volumes to clean up, skipping
Build 'amazon-ebs' errored: Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: ghfgfstgkkn+y6868767756769jmb-mnbm
status code: 403, request id: 8768r46ghgjsgdcguy9869879

Decoded authorization failure message

{
  "allowed": false,
  "explicitDeny": true,
  "matchedStatements": {
    "items": [
      {
        "statementId": "APRequireNameTag",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "AIDAJY32CKVY4QWZNV63U"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:::instance/"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:RequestTag/Name",
              "values": {
                "items": [
                  {
                    "value": "true"
                  }
                ]
              }
            }
          ]
        }
      },
      {
        "statementId": "APRequireAuthorTag",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "AIDAJY32CKVY4QWZNV63U"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:::instance/"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:RequestTag/Author",
              "values": {
                "items": [
                  {
                    "value": "true"
                  }
                ]
              }
            }
          ]
        }
      },
      {
        "statementId": "APRequireServiceTag",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "AIDAJY32CKVY4QWZNV63U"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:::instance/"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:RequestTag/Service",
              "values": {
                "items": [
                  {
                    "value": "true"
                  }
                ]
              }
            }
          ]
        }
      },
      {
        "statementId": "APRequireEnvironmentTag",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "AIDAJY32CKVY4QWZNV63U"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2:::instance/"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:RequestTag/Environment",
              "values": {
                "items": [
                  {
                    "value": "true"
                  }
                ]
              }
            }
          ]
        }
      },
      {
        "statementId": "APRequireEnvironmnetTagOption",
        "effect": "DENY",
        "principals": {
          "items": [
            {
              "value": "AIDAJY32CKVY4QWZNV63U"
            }
          ]
        },
        "principalGroups": {
          "items": []
        },
        "actions": {
          "items": [
            {
              "value": "ec2:RunInstances"
            }
          ]
        },
        "resources": {
          "items": [
            {
              "value": "arn:aws:ec2::*********:instance/"
            }
          ]
        },
        "conditions": {
          "items": [
            {
              "key": "aws:RequestTag/Environment",
              "values": {
                "items": [
                  {
                    "value": "prod"
                  },
                  {
                    "value": "qa"
                  },
                  {
                    "value": "uat"
                  },
                  {
                    "value": "dev"
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  },
  "failures": {
    "items": []
  },
  "context": {
    "principal": {
      "id": "AIDAJY32CKVY4QWZNV63U",
      "name": "terraform-arorav",
      "arn": "arn:aws:iam:::user/terraform-arorav"
    },
    "action": "ec2:RunInstances",
    "resource": "arn:aws:ec2:eu-west-1::instance/",
    "conditions": {
      "items": [
        {
          "key": "ec2:InstanceMarketType",
          "values": {
            "items": [
              {
                "value": "on-demand"
              }
            ]
          }
        },
        {
          "key": "aws:Resource",
          "values": {
            "items": [
              {
                "value": "instance/"
              }
            ]
          }
        },
        {
          "key": "aws:Account",
          "values": {
            "items": [
              {
                "value": ""
              }
            ]
          }
        },
        {
          "key": "ec2:AvailabilityZone",
          "values": {
            "items": [
              {
                "value": "eu-west-1b"
              }
            ]
          }
        },
        {
          "key": "ec2:ebsOptimized",
          "values": {
            "items": [
              {
                "value": "false"
              }
            ]
          }
        },
        {
          "key": "ec2:IsLaunchTemplateResource",
          "values": {
            "items": [
              {
                "value": "false"
              }
            ]
          }
        },
        {
          "key": "ec2:InstanceType",
          "values": {
            "items": [
              {
                "value": "t2.micro"
              }
            ]
          }
        },
        {
          "key": "ec2:RootDeviceType",
          "values": {
            "items": [
              {
                "value": "ebs"
              }
            ]
          }
        },
        {
          "key": "aws:Region",
          "values": {
            "items": [
              {
                "value": "eu-west-1"
              }
            ]
          }
        },
        {
          "key": "aws:Service",
          "values": {
            "items": [
              {
                "value": "ec2"
              }
            ]
          }
        },
        {
          "key": "ec2:InstanceID",
          "values": {
            "items": [
              {
                "value": ""
              }
            ]
          }
        },
        {
          "key": "aws:Type",
          "values": {
            "items": [
              {
                "value": "instance"
              }
            ]
          }
        },
        {
          "key": "ec2:Tenancy",
          "values": {
            "items": [
              {
                "value": "default"
              }
            ]
          }
        },
        {
          "key": "ec2:Region",
          "values": {
            "items": [
              {
                "value": "eu-west-1"
              }
            ]
          }
        },
        {
          "key": "aws:ARN",
          "values": {
            "items": [
              {
                "value": "arn:aws:ec2:eu-west-1:***:instance/"
              }
            ]
          }
        }
      ]
    }
  }
}
