AWS associate-iam-instance-profile function, what IAM role is required for the instance?

Question

I am currently trying to assign an IAM role to one of my instances via AWS CLI. The CLI is running on a linux instance that currently has Admin privileges for EC2 (AmazonEC2FullAccess policy).

I am trying to run the following command:

aws ec2 associate-iam-instance-profile --instance-id i-0xxxxxxxxxxx4 --iam-instance-profile Name=AmazonSSMRoleForInstancesQuickSetup

But I get the following error:

An error occurred (UnauthorizedOperation) when calling the AssociateIamInstanceProfile operation: You are not authorized to perform this operation. Encoded authorization failure message: <hash>

I am struggling to find what policy is required to allow this action from my AWS CLI instance. I even tried giving it the nuclear IAMFullAccess policy but I still got permission denied.

I've been trying to google it for a while now but I wasn't able to solve this problem by myself, please help.

Could you please tell me what policy is required in order to allow my instance to run aws ec2 associate-iam-instance-profile ?

Additionally, is there a quick/easy way to find out what permissions are required to use certain aws cli functions?

Answer 1

Thanks to the articles posted by @luk2302 I was able to solve this issue. I hope that it will help at least one person in the future!

I was able to solve it by adding an in-line policy to my machine's role via IAM. I am refering to the role attached to the machine I run AWS Cli on.

The in-line policy json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::00000000000:role/AmazonSSMRoleForInstancesQuickSetup"
        }
    ]
}

This in-line policy allowed me to assign the AmazonSSMRoleForInstancesQuickSetup role (and only this one) to the instances I create via terraform.