AWS Thinkbox Discussion Forums

[Resolved] AWS Portal Infrastructure fails to start - No identity-based policy allows the ec2:CreateTags

This issue has now been resolved and the documentation updated.


If you’ve got a new AWS account (created this year) and are using AWS Portal this may apply. This article will be updated once the issue has been corrected.
The failing Infrastructure’s information (accessible by right-clicking the Infrastructure in the Monitor) shows this error:

"You are not authorized to perform this operation. User: arn:aws:iam::12312312312312:user/AWSPortal is not authorized to perform: ec2:CreateTags on resource: arn:aws:ec2:us-west-2:123123123123:elastic-ip/* because no identity-based policy allows the ec2:CreateTags"

This is caused by an issue in our AWSThinkboxAWSPortalAdminPolicy. It doesn’t include permission to create or delete tags on Elastic IP resources. Until this is corrected you’ll have to add what’s called an ‘inline policy’ to the AWSPortal IAM user you created.

To do that, go to the AWS Console. Then click on Services at the top of the AWS Console, and find the IAM section under Security, Identity and Compliance. Select Users. Then choose AWSPortal for the user you’ve created earlier.

From here choose ‘Add permissions’, and ‘Create inline policy’.

You can either use the visual editor to add the CreateTags and DeleteTags actions on the elastic-ip resources for your account, or choose JSON and paste in the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*:*:elastic-ip/*"
        }
    ]
}

Then click Next, give the policy a name like “AllowElasticIPTagging”, and choose Create policy.
With this done you should see the policy in the list.
Now attempt to start an infrastructure and it should come up successfully.
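To see why the inline policy resolves the error, and to check that it grants no more than the elastic-ip tagging the Portal needs, here is a small IAM evaluation walk-through written for this post; it is added example code, not Thinkbox's or AWS's. It evaluates the failing request from the error message against the policy above using a simplified version of the IAM logic (explicit Deny beats Allow, Allow beats the implicit deny; conditions, NotAction/NotResource and resource-based policies are ignored). The "managed policy stand-in" is constructed to illustrate the gap and is not the real content of AWSThinkboxAWSPortalAdminPolicy; the allocation id is made up. The scoped_eip_tagging_policy helper goes one step beyond the post by narrowing the Resource ARN to one account and region.

```python
import re

# The inline policy from the post, as a Python dict.
ALLOW_EIP_TAGGING = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["ec2:DeleteTags", "ec2:CreateTags"],
            "Resource": "arn:aws:ec2:*:*:elastic-ip/*",
        }
    ],
}

# Constructed stand-in for a managed policy that can tag instances but
# not Elastic IPs. This is NOT the real AWSThinkboxAWSPortalAdminPolicy.
MANAGED_POLICY_STAND_IN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:AllocateAddress", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
        },
    ],
}

# The request that failed in the error message; the allocation id is constructed.
FAILING_ACTION = "ec2:CreateTags"
FAILING_RESOURCE = "arn:aws:ec2:us-west-2:123123123123:elastic-ip/eipalloc-0123456789abcdef0"


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Action names match case-insensitively; resource ARNs are case-sensitive."""
    regex = "^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    ) + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def evaluate(policies, action, resource):
    """Simplified identity-based evaluation (assumption: no Condition,
    NotAction, NotResource, SCPs or resource policies).
    Returns 'explicitDeny', 'allowed' or 'implicitDeny'."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            action_hit = any(_matches(p, action, True) for p in _as_list(stmt.get("Action", [])))
            resource_hit = any(_matches(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
            if not (action_hit and resource_hit):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicitDeny"  # a matching Deny always wins
            allowed = True
    return "allowed" if allowed else "implicitDeny"


def scoped_eip_tagging_policy(account_id, region):
    """Same grant as the post's policy, but limited to one account and region
    instead of '*:*' (hypothetical tightening, not from the post)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowElasticIPTaggingScoped",
                "Effect": "Allow",
                "Action": ["ec2:DeleteTags", "ec2:CreateTags"],
                "Resource": f"arn:aws:ec2:{region}:{account_id}:elastic-ip/*",
            }
        ],
    }


if __name__ == "__main__":
    print("managed stand-in only:", evaluate([MANAGED_POLICY_STAND_IN], FAILING_ACTION, FAILING_RESOURCE))
    print("with inline policy:   ", evaluate([MANAGED_POLICY_STAND_IN, ALLOW_EIP_TAGGING], FAILING_ACTION, FAILING_RESOURCE))
    scoped = scoped_eip_tagging_policy("123123123123", "us-west-2")
    print("scoped, same region:  ", evaluate([scoped], FAILING_ACTION, FAILING_RESOURCE))
    print("scoped, other region: ", evaluate([scoped], FAILING_ACTION, "arn:aws:ec2:us-east-1:123123123123:elastic-ip/eipalloc-0"))
```

Against your real account, the authoritative equivalent of evaluate is the IAM policy simulator (aws iam simulate-principal-policy with the AWSPortal user's ARN, ec2:CreateTags as the action name and the elastic-ip ARN from the error as the resource), which takes the actual managed policy and any conditions into account. The scoped variant is worth considering if you would rather not grant tagging on Elastic IPs in every region; the post's wildcard form is what the Thinkbox documentation recommends.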

If it doesn’t please let us know using these points of contact, and include the error you’re seeing.

Keep an eye on our release notes, or cut a ticket to us, to know when the update to our managed policy has been made so you can remove this inline policy. When that happens, to remove the policy:

Go to the AWS Console. Then click on Services at the top of the AWS Console, and find the IAM section under Security, Identity and Compliance. Select Users. Then choose AWSPortal.

Click the box next to the policy you created, “AllowElasticIPTagging” if you followed the example exactly. Click ‘Remove’ and confirm the removal with ‘Remove Policy’.
