Packer amazon-ebs "UnauthorizedOperation" IAM error in CI
The credentials are valid, but the IAM principal is not allowed to perform an EC2 action the builder requires. AWS returns UnauthorizedOperation and names the action that was denied.
What this error means
packer build fails with "UnauthorizedOperation: You are not authorized to perform this operation" for an action like RunInstances, CreateImage, or CreateTags.
Error: Error launching source instance: UnauthorizedOperation: You are not
authorized to perform this operation. Encoded authorization failure message: ...
status code: 403, request id: ...Common causes
The build role lacks required EC2 permissions
The amazon-ebs builder needs RunInstances, CreateImage, CreateTags, and related actions. A missing action returns UnauthorizedOperation.
A resource or condition constraint denies the action
A policy condition (region, tag, VPC) narrows the permission so the specific call is denied.
How to fix it
Grant the builder the EC2 actions it needs
- Decode the encoded authorization message to see the denied action.
- Add that action to the build role policy.
- Re-run the build to confirm the permission resolves.
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances", "ec2:CreateImage", "ec2:CreateTags",
"ec2:DescribeImages", "ec2:TerminateInstances", "ec2:StopInstances"
],
"Resource": "*"
}Relax an over-tight policy condition
If a condition on region or tags blocks the call, widen it to match what the builder actually does.
How to prevent it
- Start from the documented Packer minimum IAM policy for amazon-ebs.
- Decode authorization messages to find the exact denied action.
- Scope policies by resource, not by removing actions Packer needs.