Skip to content
Latchkey

Packer amazon-ebs "UnauthorizedOperation" IAM error in CI

The credentials are valid, but the IAM principal is not allowed to perform an EC2 action the builder requires. AWS returns UnauthorizedOperation and names the action that was denied.

What this error means

packer build fails with "UnauthorizedOperation: You are not authorized to perform this operation" for an action like RunInstances, CreateImage, or CreateTags.

packer
Error: Error launching source instance: UnauthorizedOperation: You are not
authorized to perform this operation. Encoded authorization failure message: ...
	status code: 403, request id: ...

Common causes

The build role lacks required EC2 permissions

The amazon-ebs builder needs RunInstances, CreateImage, CreateTags, and related actions. A missing action returns UnauthorizedOperation.

A resource or condition constraint denies the action

A policy condition (region, tag, VPC) narrows the permission so the specific call is denied.

How to fix it

Grant the builder the EC2 actions it needs

  1. Decode the encoded authorization message to see the denied action.
  2. Add that action to the build role policy.
  3. Re-run the build to confirm the permission resolves.
iam-policy.json
{
  "Effect": "Allow",
  "Action": [
    "ec2:RunInstances", "ec2:CreateImage", "ec2:CreateTags",
    "ec2:DescribeImages", "ec2:TerminateInstances", "ec2:StopInstances"
  ],
  "Resource": "*"
}

Relax an over-tight policy condition

If a condition on region or tags blocks the call, widen it to match what the builder actually does.

How to prevent it

  • Start from the documented Packer minimum IAM policy for amazon-ebs.
  • Decode authorization messages to find the exact denied action.
  • Scope policies by resource, not by removing actions Packer needs.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →