- A policy document can't exceed 6144 characters.
- One IAM role can be bound to at most 10 IAM policies.
- `ec2:CreateLaunchTemplate` as a condition key can only be used in `ec2:RunInstances`, `ec2:CreateFleet` and `ec2:RequestSpotFleet`, and:
  - In the request body of the three APIs above, the launch template must be referred to by launch template name.
  - E.g. if `ec2:RunInstances` is called with a launch template referred to by ARN or launch template ID, using `ec2:CreateLaunchTemplateName` as a condition key won't let the policy pass.
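A preflight check for the limits above, added here as an example and not part of the original notes: it measures a policy document against the 6144-character limit, counts attached policies against the 10-per-role limit, and flags a RunInstances call that references its launch template by ID instead of by name (the case where the condition key cannot match). It assumes the boto3 `run_instances` kwargs shape, where `LaunchTemplate` carries either `LaunchTemplateName` or `LaunchTemplateId`; the sample policy and request are constructed.

```python
import json

# Limits as stated in the notes above.
MAX_POLICY_DOC_CHARS = 6144
MAX_POLICIES_PER_ROLE = 10

# Keys of the RunInstances LaunchTemplate parameter (AWS API / boto3 names).
NAME_KEY = "LaunchTemplateName"
ID_KEY = "LaunchTemplateId"


def policy_document_size(policy: dict) -> int:
    """Character count of the policy serialized as compact JSON.

    Assumption: whitespace-free JSON is the measure we check against the limit.
    """
    return len(json.dumps(policy, separators=(",", ":")))


def policy_document_fits(policy: dict) -> bool:
    return policy_document_size(policy) <= MAX_POLICY_DOC_CHARS


def role_policy_count_fits(attached_policy_arns: list) -> bool:
    return len(attached_policy_arns) <= MAX_POLICIES_PER_ROLE


def launch_template_ref_problems(run_instances_kwargs: dict) -> list:
    """Findings for a RunInstances request body.

    The launch-template condition key only evaluates when the template is
    referenced by name; an ID reference makes the condition fail to match,
    so a policy relying on it denies the call.
    """
    findings = []
    lt = run_instances_kwargs.get("LaunchTemplate")
    if lt is None:
        return ["no LaunchTemplate in request; the condition key cannot apply"]
    if ID_KEY in lt:
        findings.append(f"launch template referenced by {ID_KEY}; use {NAME_KEY}")
    if NAME_KEY not in lt:
        findings.append(f"{NAME_KEY} missing; the condition key will not match")
    return findings


if __name__ == "__main__":
    # Constructed sample request: referenced by ID, which the check flags.
    sample = {"LaunchTemplate": {"LaunchTemplateId": "lt-0123456789abcdef0",
                                 "Version": "$Latest"}, "MinCount": 1, "MaxCount": 1}
    for finding in launch_template_ref_problems(sample):
        print("finding:", finding)
```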
- When we sync ASGs, we are effectively calling (some of these calls are made by AWS on our behalf, not explicitly from our code):
  `CreateLaunchTemplate` → `ModifyLaunchTemplate` → `CreateLaunchTemplateVersion` → `CreateTags` → `CreateOrUpdateTags` → `RunInstances` → `UpdateAutoScalingGroup`
- When we launch a host in the ASG, we call (some of these calls are made by AWS on our behalf, not explicitly from our code):
  `CreateLaunchTemplate` → `RunInstances` → `CreateGrant` x3 (not sure why there is a `CreateLaunchTemplate` call.)
Related: