Skip to content
Latchkey

Terraform "creating ... AccessDenied / UnauthorizedOperation" in CI

The credentials are valid but the role is not allowed to perform the create action. AWS returns UnauthorizedOperation for EC2-style APIs or AccessDenied with "not authorized to perform" for IAM-style APIs, naming the exact action that was denied.

What this error means

apply fails while creating a resource with "UnauthorizedOperation" or "AccessDenied: User ... is not authorized to perform: <action>" naming the API call.

Terraform
Error: creating EC2 Instance: operation error EC2: RunInstances,
https response error StatusCode: 403, UnauthorizedOperation: You are not
authorized to perform this operation.

Common causes

The role policy omits the create action

The runner role can authenticate and read but the IAM policy does not grant the specific action the apply needs.

A permission boundary or SCP blocks the action

An organization SCP or a permission boundary denies the action regardless of the role policy, so the create is rejected.

How to fix it

Grant the denied action

  1. Read the action named after "is not authorized to perform" or the API in UnauthorizedOperation.
  2. Add that action (scoped to the right resources) to the role policy.
  3. Re-run apply with the assumed role.
IAM policy
{
  "Effect": "Allow",
  "Action": ["ec2:RunInstances", "ec2:CreateTags"],
  "Resource": "*"
}

Check boundaries and SCPs for a persistent denial

If the role policy already allows the action, an explicit deny in an SCP or permission boundary is overriding it; adjust those rather than the role policy.

How to prevent it

  • Scope the runner role to exactly the actions your stack creates.
  • Account for SCPs and permission boundaries when an allow does not take effect.
  • Verify the assumed identity in CI before granting more permissions.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →