Docker Community Forums

AWS returned an error: unauthorized operation


(Pierredavidbelanger) #1

When I try to create a node cluster from Docker Cloud, for the AWS provider, I always get this error message:

AWS returned an error: unauthorized operation. Please check that the AWS credentials you have provided have enough permissions (AWS request_id: 1cf7f1ae-c757-4858-990d-286ce9c4d0d8)

Something is obviously set up correctly, since each of my tries has created a new EC2 KeyPair (so the ImportKeyPair call is working) … but the RunInstances fails with the above message.

I activated CloudTrail to get more insight about the problem.

Here is a stripped down copy-paste of the CloudTrail event:

    {
        "eventVersion": "1.05",
        "userIdentity": {
            "type": "AssumedRole",
            "principalId": "*****",
            "arn": "*****",
            "accountId": "*****",
            "accessKeyId": "*****",
            "sessionContext": {
                "attributes": {
                    "mfaAuthenticated": "false",
                    "creationDate": "2017-06-13T18:13:42Z"
                },
                "sessionIssuer": {
                    "type": "Role",
                    "principalId": "*****",
                    "arn": "*****/dockercloud-role",
                    "accountId": "*****",
                    "userName": "dockercloud-role"
                }
            }
        },
        "eventTime": "2017-06-13T18:13:43Z",
        "eventSource": "",
        "eventName": "RunInstances",
        "awsRegion": "us-east-2",
        "sourceIPAddress": "",
        "userAgent": "Boto/2.45.0 Python/2.7.12 Linux/4.4.0-75-generic",
        "errorCode": "Client.AuthFailure",
        "errorMessage": "Not authorized for images: [ami-d54f6bb0]",
        "requestParameters": {
            "instancesSet": {
                "items": [
                    {
                        "imageId": "ami-d54f6bb0",
                        "minCount": 1,
                        "maxCount": 1,
                        "keyName": "dockercloud-*****"
                    }
                ]
            },
            "userData": "*****",
            "instanceType": "t2.nano",
            "blockDeviceMapping": {
                "items": [
                    {
                        "deviceName": "/dev/sdb",
                        "ebs": {
                            "volumeSize": 60,
                            "deleteOnTermination": true,
                            "volumeType": "gp2"
                        }
                    }
                ]
            },
            "monitoring": {
                "enabled": false
            },
            "subnetId": "subnet-*****",
            "disableApiTermination": false
        },
        "responseElements": null,
        "requestID": "*****",
        "eventID": "*****",
        "eventType": "AwsApiCall",
        "recipientAccountId": "*****"
    }

As you can see, DockerCloud seems to request an AMI I do not have access to (at least in us-east-2). Indeed, after a quick search in the AMI section, I can't find the requested AMI.

I wonder if there is something I can do to work around this problem?
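
An added example, not part of the original post: a small Python triage over CloudTrail records that separates failed calls whose error message names specific AMIs (like the RunInstances event above) from plain IAM policy denials. The sample records are constructed from the fields shown in the post; the CreateTags record and the function names are assumptions for illustration.

```python
import json
import re

# Constructed sample records modelled on the event in the post (not real log data).
SAMPLE_RECORDS = json.loads("""
{"Records": [
  {"eventName": "ImportKeyPair", "awsRegion": "us-east-2",
   "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": "dockercloud-role"}}}},
  {"eventName": "RunInstances", "awsRegion": "us-east-2",
   "errorCode": "Client.AuthFailure",
   "errorMessage": "Not authorized for images: [ami-d54f6bb0]",
   "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": "dockercloud-role"}}},
   "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-d54f6bb0"}]}}},
  {"eventName": "CreateTags", "awsRegion": "us-east-2",
   "errorCode": "Client.UnauthorizedOperation",
   "errorMessage": "You are not authorized to perform this operation.",
   "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": "dockercloud-role"}}}}
]}
""")

AMI_RE = re.compile(r"\bami-[0-9a-f]{8,17}\b")
IAM_DENIED = {"Client.UnauthorizedOperation", "AccessDenied"}

def role_name(event):
    """Name of the role that issued the session, or 'unknown'."""
    ctx = event.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("sessionIssuer", {}).get("userName", "unknown")

def triage(records):
    """Classify each failed call: does the error point at an AMI or at the IAM policy?"""
    findings = []
    for ev in records.get("Records", []):
        code = ev.get("errorCode")
        if not code:
            continue  # successful call, e.g. ImportKeyPair in the post
        amis = sorted(set(AMI_RE.findall(ev.get("errorMessage", ""))))
        if amis:
            kind = "image-not-authorized"  # error names AMIs; AMI IDs are region-specific
        elif code in IAM_DENIED:
            kind = "iam-policy-denied"     # the role's policy does not allow the action
        else:
            kind = "other"
        findings.append({"role": role_name(ev), "call": ev["eventName"],
                         "region": ev.get("awsRegion"), "kind": kind, "amis": amis})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```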