placement group related restrictions in AWS

We’re having a problem launching instances (e.g., c3.2xlarge) for our virtual HPC. Any attempt to use an AWS placement group immediately failed with:

"Action ec2:RunInstances failed because USER-A@example.com has no permissions to  execute on arn:aws:ec2:us-east-1:999999999:placement-group/@sc-test-med-cluster-ae2" resource." error message.

What restrictions/policies do we need to disable or enable?

We have NO issue at all when trying the same operation with another AWS account with FULL Administrator privileges.

The failed instance types seem to match up with the placement group-compatible types here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html.
Asked by: andrey_chevron

btan (Exec Consultant) commented:
Please see:
If an IAM user wants to launch an EC2 instance, you need to grant the EC2 RunInstances permission to that user.
The user who launches the EC2 instance must also have the IAM PassRole permission. Not only that, but the user might need PassRole permission to associate a specific role with the EC2 instance.
There is a policy example tied to the user to have the above-mentioned roles and resources authorised to run under such roles from the user at http://blogs.aws.amazon.com/security/post/Tx3M0IFB5XBOCQX/Granting-Permission-to-Launch-EC2-Instances-with-IAM-Roles-PassRole-Permission

Besides this, see:
You can’t simply set the Action to "ec2:*" and also use a resource other than "*". Instead, to grant permission to a specific resource, the policy must explicitly list the actions that are being granted or denied, and as noted, only some EC2 actions let you specify a resource.
https://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions
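The error in the question names a placement-group ARN, and ec2:RunInstances is authorized against each resource a launch touches, so a policy that lists explicit resources has to cover that ARN too. The following is an added example, not part of the original thread: a simplified Allow-only matcher (no Deny statements, conditions or policy boundaries) that reports which launch resources a policy leaves uncovered. The two policies and every ARN other than the one in the error message are constructed for illustration.

```python
import fnmatch

# Constructed sample data. Only the account ID, region and placement-group
# name are taken from the error message in the question.
BASE = "arn:aws:ec2:us-east-1:999999999"
LAUNCH_RESOURCES = [  # subset of the resources one RunInstances call touches
    BASE + ":instance/*",
    "arn:aws:ec2:us-east-1::image/ami-EXAMPLE",
    BASE + ":subnet/subnet-EXAMPLE",
    BASE + ":placement-group/@sc-test-med-cluster-ae2",
]


def policy(resources):
    """Build a hypothetical identity policy allowing ec2:RunInstances."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": resources}]}


# BEFORE omits placement groups; AFTER adds them to the same statement.
BEFORE = policy([BASE + ":instance/*", "arn:aws:ec2:us-east-1::image/*",
                 BASE + ":subnet/*"])
AFTER = policy(BEFORE["Statement"][0]["Resource"] + [BASE + ":placement-group/*"])


def as_list(value):
    """IAM lets Action/Resource/Statement be a single value or a list."""
    return value if isinstance(value, list) else [value]


def allows(doc, action, resource):
    """True if any Allow statement matches both the action and the resource."""
    for stmt in as_list(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                        for a in as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r)
                          for r in as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def uncovered(doc, action, resources):
    """Resources for which the policy grants no Allow on the action."""
    return [r for r in resources if not allows(doc, action, r)]


if __name__ == "__main__":
    print("before:", uncovered(BEFORE, "ec2:RunInstances", LAUNCH_RESOURCES))
    print("after: ", uncovered(AFTER, "ec2:RunInstances", LAUNCH_RESOURCES))
```
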
andrey_chevron (Author) commented:
We found that StarCluster (http://star.mit.edu/cluster/docs/latest/overview.html) does not like the EC2 limitation "Creation only in one selected subnet" - despite the fact that we are creating instances in only one subnet!!!
btan (Exec Consultant) commented:
Thanks for sharing - I know of AWS CloudFormation templates as well, but eventually they have limitations as well, though I'm not sure if that is the same case as stated with StarCluster - but it seems to apply as long as it is eventually still deployed as EC2: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html