Cannot launch cloudman despite having access key ID and secret key from AWS #198

Closed
Abowcock opened this issue May 25, 2020 · 3 comments

@Abowcock

I have an AWS account, EC2, S3 and IAM along with an access key ID and secret key but am unable to launch Cloudlaunch in order to run Galaxy. The error message I get is:

"FAILURE
Create appliance task failed: An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:iam::xxx:user/galaxy_xx is not authorized to perform: iam:GetRole on resource: role xx-genomics-virtual-lab-20-05-25t17-07-cm2-kube-role"

Any suggestions please?

@almahmoud
Member

almahmoud commented May 25, 2020

You need to give yourself more permissions; these are required by the boot process to get the initial VM and set up the Kubernetes cluster resources. The easiest fix would be to give the user associated with your access credentials AdministratorAccess through the IAM console (https://console.aws.amazon.com/iam/home#/users). Let us know if you encounter any other issues!

@miaeyaho

Hi almahmoud,
I have the same problem with 'GetRole operation'.
Can you please explain in more detail how to give the user the access credentials, as you explained? I'm a complete beginner and I can't follow the way to solve this problem. Thank you in advance for your help.

@almahmoud
Member

almahmoud commented Jul 7, 2020

You can either give yourself AdministratorAccess through the IAM console link given above (here's a rough tutorial for it: https://www.sweetprocess.com/procedures/_eG30mkvYDrfAmevj78A0i6E1GZE/add-an-administrator-to-your-amazon-aws-account/ ), or create an IAM policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html). Mimicking the following specifications would be enough if you don't want to be a full account administrator:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:GetRole",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "iam:GetInstanceProfile",
                "iam:GetPolicy",
                "iam:CreatePolicy",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:AddRoleToInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:instance-profile/*",
                "arn:aws:iam::*:role/*",
                "arn:aws:iam::*:policy/cm2-kube-policy"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:DescribeKeyPairs",
            "Resource": [
                "arn:aws:iam::*:instance-profile/*",
                "arn:aws:iam::*:role/*",
                "arn:aws:iam::*:policy/cm2-kube-policy"
            ]
        }
    ]
}
```

Feel free to re-open the issue if there is a problem. This seems to be a case of the access credentials used just not having enough permissions.
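
For anyone scoping the policy above instead of using AdministratorAccess, the following added example (not part of the original thread and not CloudLaunch code) audits a copy of that policy and reports which permission-changing IAM actions are allowed on every resource of a type, such as `role/*`. The `SENSITIVE` table and the `audit` and `wildcard_type` helpers are assumptions made for illustration; the table is a short list, not a complete catalogue.

```python
import fnmatch

# Copy of the policy from the comment above, compacted to fit.
RES = ["arn:aws:iam::*:instance-profile/*", "arn:aws:iam::*:role/*",
       "arn:aws:iam::*:policy/cm2-kube-policy"]
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": RES, "Action": [
        "iam:CreateInstanceProfile", "iam:GetRole", "iam:PassRole",
        "iam:CreateServiceLinkedRole", "iam:GetInstanceProfile", "iam:GetPolicy",
        "iam:CreatePolicy", "iam:CreateRole", "iam:AttachRolePolicy",
        "iam:AddRoleToInstanceProfile"]},
    {"Sid": "VisualEditor1", "Effect": "Allow", "Resource": RES,
     "Action": "iam:DescribeKeyPairs"},
]}

# Assumption: illustrative list of permission-changing IAM actions and the
# resource type each one acts on.
SENSITIVE = {
    "iam:PassRole": "role",
    "iam:CreateRole": "role",
    "iam:AttachRolePolicy": "role",
    "iam:CreatePolicy": "policy",
    "iam:AddRoleToInstanceProfile": "instance-profile",
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_type(arn):
    """Resource type if the ARN covers all resources of that type, "*" for a bare wildcard, else None."""
    if arn == "*":
        return "*"
    rtype, _, name = arn.split(":", 5)[-1].partition("/")
    return rtype if name == "*" else None

def audit(policy):
    """Sorted (Sid, action, resource) for sensitive actions allowed on wildcard resources."""
    findings = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        broad = {wildcard_type(r): r for r in as_list(stmt.get("Resource", []))}
        for pattern in as_list(stmt.get("Action", [])):
            for action, rtype in SENSITIVE.items():
                # IAM action names are case-insensitive and may contain * or ?
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    for key in (rtype, "*"):
                        if key in broad:
                            findings.add((stmt.get("Sid", ""), action, broad[key]))
    return sorted(findings)
```

Run against the policy above, `audit(POLICY)` reports the role and instance-profile actions but not `iam:CreatePolicy`, because that action's resource is already limited to `policy/cm2-kube-policy`.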
