AuthFailure: Not authorized for images: [ami-2b9d6c52]

[angystardust]

I'm having this issue during the provisioning on AWS in eu-west-1 region:

TASK [manage_ec2_instances : Create EC2 instances] **************************************************************************************************************************
failed: [localhost] (item=[{u'username': u'mmouse', u'name': u'Mickey Mouse', u'email': u'mmouse@disneyland.com'}, {u'type': u'rhel7-tower', u'name': u'ansible'}]) => {"changed": false, "item": [{"email": "mmouse@disneyland.com", "name": "Mickey Mouse", "username": "mmouse"}, {"name": "ansible", "type": "rhel7-tower"}], "msg": "Instance creation failed => AuthFailure: Not authorized for images: [ami-2b9d6c52]"}
failed: [localhost] (item=[{u'username': u'mmouse', u'name': u'Mickey Mouse', u'email': u'mmouse@disneyland.com'}, {u'type': u'rhel7', u'name': u'node1'}]) => {"changed": false, "item": [{"email": "mmouse@disneyland.com", "name": "Mickey Mouse", "username": "mmouse"}, {"name": "node1", "type": "rhel7"}], "msg": "Instance creation failed => AuthFailure: Not authorized for images: [ami-2b9d6c52]"}
failed: [localhost] (item=[{u'username': u'mmouse', u'name': u'Mickey Mouse', u'email': u'mmouse@disneyland.com'}, {u'type': u'rhel7', u'name': u'node2'}]) => {"changed": false, "item": [{"email": "mmouse@disneyland.com", "name": "Mickey Mouse", "username": "mmouse"}, {"name": "node2", "type": "rhel7"}], "msg": "Instance creation failed => AuthFailure: Not authorized for images: [ami-2b9d6c52]"}
failed: [localhost] (item=[{u'username': u'mmouse', u'name': u'Mickey Mouse', u'email': u'mmouse@disneyland.com'}, {u'type': u'rhel7', u'name': u'node3'}]) => {"changed": false, "item": [{"email": "mmouse@disneyland.com", "name": "Mickey Mouse", "username": "mmouse"}, {"name": "node3", "type": "rhel7"}], "msg": "Instance creation failed => AuthFailure: Not authorized for images: [ami-2b9d6c52]"}

Strangely enough, if I deploy the AMI using the AWS web-gui, i cannot see the same permission issue.

[dfederlein]

If it works from the UI and doesn't from CLI launch, this feels like the wrong credentials are being sourced on the command line.

Do you have conflicting credentials in a ~/.boto file than what is used in the web UI (or other source?)

[angystardust]

Hi @dfederlein thanks for your reply. Unfortunately it seems a problem with the AMI since I can successfully deploy a centOS ami in eu-west-1 (ami-a625b8df) without issue at all. At the same time, trying to mimic what lightbulb is doing and deploying the lightbulb ami from the aws-cli, break up with the same error:

$ aws --region eu-west-1 --profile my-aws ec2 run-instances --image-id ami-2b9d6c52 --count 1 --instance-type t2.micro  --key-name lightbulb --subnet-id subnet-a857e5e1

An error occurred (AuthFailure) when calling the RunInstances operation: Not authorized for images: [ami-2b9d6c52]

P.s: my Access key ID belongs to an "AdministratorAccess" user.

[dfederlein]

AMI image names don't get shared across availability zones, to my knowledge. Is there a list for that CentOS AMI name in the AZ you want to deploy to?

[angystardust]

Yes, the list of CentOS AMI is available from here: https://wiki.centos.org/Cloud/AWS

[dfederlein]

Ok in your reply you said this: Unfortunately it seems a problem with the AMI since I can successfully deploy a centOS ami in eu-west-1 (ami-a625b8df)

But then the command is this:

aws --region eu-west-1 --profile my-aws ec2 run-instances --image-id ami-2b9d6c52

That looks like a mismatch to me, is the second one in that region?

[angystardust]

sorry for not being so clear but I meant to show you the error while trying to deploy the lightbulb AMI in the eu-west-1 region (ami-2b9d6c52) rather than the successfully creation of the CentOS instance. By the way, today I've tried to deploy lightbulb in us-east-1 and everything worked as expected. So, I suppose there's an issue with the AMI on the eu-west-1 region.

[dfederlein]

Odd. Wonder if the AMI store was having an issue or something. I've been able to launch that AMI in us-west-1 and the corresponding AMI in us-west-2.

Not sure what else to do for this, but in the future we're going to be parting the provisioner out to a role in galaxy, so as to easily substitute different provisioners on this. We'll be doing some reworking of the AWS stuff too. Not sure on the timeline.

Thanks. I'll close this one out for now.