Specifying a volume type for an ec2 instance when running aws ec2 run-instances


I want the root EBS volume of my instance to use the gp3 volume type when the instance is launched. This is the command I ran:

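# Launch one c4.large in us-east-2 from the given AMI. Each file:// argument
# holds the JSON for that option (the block-device-mappings file is shown
# below). Comments cannot sit between the backslash-continued lines -- a '#'
# line would swallow the trailing backslash and end the command -- so they
# are kept here.
#
# - --monitoring was passed twice in the original command; the duplicate is
#   dropped. Passing the same option twice is at best redundant and makes it
#   unclear which file wins.
# - --disable-api-termination and --instance-initiated-shutdown-behavior
#   terminate are both set; together with "DeleteOnTermination": false in
#   the mapping, an OS-level shutdown terminates the instance and leaves the
#   EBS volume behind (NOTE(review): confirm that is the intended lifecycle).
# - Nothing here requests an encrypted root volume; the block-device-mappings
#   JSON below does not set "Encrypted": true.
aws ec2 run-instances \
--region us-east-2 \
--image-id ami-0e361731ae5aacece \
--instance-type c4.large \
--key-name my-key \
--block-device-mappings file://block-device-mappings.json \
--placement file://placement.json \
--monitoring file://monitoring.json \
--disable-api-termination \
--instance-initiated-shutdown-behavior terminate \
--network-interfaces file://network-interfaces.json \
--iam-instance-profile file://iam-instance-profile.json \
--ebs-optimized \
--tag-specifications file://tag-specifications.json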

Below is the content of my block-device-mappings.json

[
    {
        "DeviceName": "/dev/sda1",
        "Ebs": {
            "VolumeSize": 50,
            "DeleteOnTermination": false,
            "VolumeType": "gp3"
        }
    }
]

The AWS CLI documentation for this option (link lost in extraction) was used when creating the JSON above.

But when I run the above command, it fails: I am using a corporate account whose policy denies creating EC2 instances with gp2 volumes. Why is gp3 not being used as the volume type even though it is specified explicitly?

EDIT 1:

This is the error message I get after decoding the encoded authorization failure message (with `aws sts decode-authorization-message`). Note that I have removed some items from the `aws:PrincipalArn` list and replaced account IDs and similar values with dummy values where necessary.

{
    "allowed": false,
    "explicitDeny": true,
    "matchedStatements": {
        "items": [
            {
                "statementId": "RestrictEC2Volume",
                "effect": "DENY",
                "principals": {
                    "items": [
                        {
                            "value": "MY_ROLE_ACCESS_KEY"
                        }
                    ]
                },
                "principalGroups": {
                    "items": []
                },
                "actions": {
                    "items": [
                        {
                            "value": "ec2:RunInstances"
                        },
                        {
                            "value": "ec2:CreateVolume"
                        }
                    ]
                },
                "resources": {
                    "items": [
                        {
                            "value": "arn:aws:ec2:*:*:volume/*"
                        }
                    ]
                },
                "conditions": {
                    "items": [
                        {
                            "key": "ec2:VolumeType",
                            "values": {
                                "items": [
                                    {
                                        "value": "gp2"
                                    }
                                ]
                            }
                        },
                        {
                            "key": "aws:PrincipalArn",
                            "values": {
                                "items": [
                                    {
                                        "value": "arn:aws:sts::12345678:assumed-role/EMR_DefaultRole/CCSSession"
                                    },
                                    {
                                        "value": "arn:aws:sts::4567890:assumed-role/EMR_DefaultRole/CCSSession"
                                    },
                                    {
                                        "value": "arn:aws:iam::3456789:role/EMR_DefaultRole"
                                    },
                                    {
                                        "value": "arn:aws:iam::4567890:role/EMR_DefaultRole"
                                    },
                                    {
                                        "value": "arn:aws:sts::567890876:assumed-role/EMR_DefaultRole/CCSSession"
                                    },
                                    {
                                        "value": "arn:aws:iam::567890876:role/EMR_DefaultRole"
                                    },
                                    {
                                        "value": "arn:aws:iam::234567854:role/EMR_DefaultRole"
                                    },
                                    {
                                        "value": "arn:aws:sts::234567854:assumed-role/EMR_DefaultRole/CCSSession"
                                    },
                                ]
                            }
                        }
                    ]
                }
            }
        ]
    },
    "failures": {
        "items": []
    },
    "context": {
        "principal": {
            "id": "MY_ROLE_ACCESS_KEY:INSTANCE_ID",
            "arn": "arn:aws:sts::ACCT_ID:assumed-role/AWS-SSM-AgentAccess/MY_ROLE_ACCESS_KEY:INSTANCE_ID"
        },
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-2:ACCT_ID:volume/*",
        "conditions": {
            "items": [
                {
                    "key": "aws:Resource",
                    "values": {
                        "items": [
                            {
                                "value": "volume/*"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Account",
                    "values": {
                        "items": [
                            {
                                "value": "ACCT_ID"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:AvailabilityZone",
                    "values": {
                        "items": [
                            {
                                "value": "us-east-2b"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:Encrypted",
                    "values": {
                        "items": [
                            {
                                "value": "false"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:VolumeType",
                    "values": {
                        "items": [
                            {
                                "value": "gp2"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:IsLaunchTemplateResource",
                    "values": {
                        "items": [
                            {
                                "value": "false"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Region",
                    "values": {
                        "items": [
                            {
                                "value": "us-east-2"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Service",
                    "values": {
                        "items": [
                            {
                                "value": "ec2"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:VolumeID",
                    "values": {
                        "items": [
                            {
                                "value": "*"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:VolumeSize",
                    "values": {
                        "items": [
                            {
                                "value": "10"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:ParentSnapshot",
                    "values": {
                        "items": [
                            {
                                "value": "arn:aws:ec2:us-east-2::snapshot/SNAPSHOT_ID"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:Type",
                    "values": {
                        "items": [
                            {
                                "value": "volume"
                            }
                        ]
                    }
                },
                {
                    "key": "ec2:Region",
                    "values": {
                        "items": [
                            {
                                "value": "us-east-2"
                            }
                        ]
                    }
                },
                {
                    "key": "aws:ARN",
                    "values": {
                        "items": [
                            {
                                "value": "arn:aws:ec2:us-east-2:ACCT_ID:volume/*"
                            }
                        ]
                    }
                }
            ]
        }
    }
}

If I am reading this message correctly, the request context (`ec2:VolumeType` = `gp2`, `ec2:VolumeSize` = `10`, `ec2:Encrypted` = `false`, `ec2:ParentSnapshot` set to the AMI snapshot) shows that the root volume is being created as a 10 GB, unencrypted gp2 volume from the AMI's snapshot, even though I specified a 50 GB gp3 volume in the block device mapping. The `RestrictEC2Volume` statement then matches on `ec2:VolumeType` = `gp2` and explicitly denies `ec2:RunInstances`.

CodePudding user response:

The root device name depends on the AMI. You are using /dev/sda1, but on Amazon Linux 2, for example, the root device is /dev/xvda. Check the actual root device name of your AMI before building the mapping, e.g. `aws ec2 describe-images --region us-east-2 --image-ids ami-0e361731ae5aacece --query 'Images[].RootDeviceName'`, and use that name in the mapping:

[
    {
        "DeviceName": "/dev/xvda",
        "Ebs": {
            "VolumeSize": 50,
            "DeleteOnTermination": false,
            "VolumeType": "gp3"
        }
    }
]

If the mapping names /dev/sda1 on an AMI whose root device is /dev/xvda, the root volume keeps the AMI's defaults (gp2, 10 GB, unencrypted — exactly what the denied request context shows) and your mapping creates a second, separate volume called /dev/sda1 alongside it. Note also that the mapping does not set `"Encrypted": true`, and the request context reports `ec2:Encrypted` = `false`; fixing the device name alone still launches an unencrypted root volume, so add `"Encrypted": true` to the `Ebs` object if your account requires (or you want) encrypted volumes.
