Terraform "creating ... AccessDenied / UnauthorizedOperation" in CI
The credentials are valid but the role is not allowed to perform the create action. AWS returns UnauthorizedOperation for EC2-style APIs or AccessDenied with "not authorized to perform" for IAM-style APIs, naming the exact action that was denied.
What this error means
apply fails while creating a resource with "UnauthorizedOperation" or "AccessDenied: User ... is not authorized to perform: <action>" naming the API call.
Error: creating EC2 Instance: operation error EC2: RunInstances,
https response error StatusCode: 403, UnauthorizedOperation: You are not
authorized to perform this operation.Common causes
The role policy omits the create action
The runner role can authenticate and read but the IAM policy does not grant the specific action the apply needs.
A permission boundary or SCP blocks the action
An organization SCP or a permission boundary denies the action regardless of the role policy, so the create is rejected.
How to fix it
Grant the denied action
- Read the action named after "is not authorized to perform" or the API in UnauthorizedOperation.
- Add that action (scoped to the right resources) to the role policy.
- Re-run apply with the assumed role.
{
"Effect": "Allow",
"Action": ["ec2:RunInstances", "ec2:CreateTags"],
"Resource": "*"
}Check boundaries and SCPs for a persistent denial
If the role policy already allows the action, an explicit deny in an SCP or permission boundary is overriding it; adjust those rather than the role policy.
How to prevent it
- Scope the runner role to exactly the actions your stack creates.
- Account for SCPs and permission boundaries when an allow does not take effect.
- Verify the assumed identity in CI before granting more permissions.