Updated: Mar 13
Sometimes we want to know whether we have the permissions needed to execute a certain command without actually executing it. And let's say that, for some reason, we can't access IAM to check our permissions. For this we have --dry-run, a parameter supported by some AWS CLI commands.
Suppose we want to know if our user has the necessary permissions to run instances. We have a test user, teratip.
A correct example of run-instances would be something like this:
aws ec2 run-instances --image-id ami-02edf5731752693cc --instance-type t2.micro
But we don't want to run this, because if we have the correct permissions the instance will be created and our billing will be affected. So let's add --dry-run to the command and see what happens:
aws ec2 run-instances --dry-run --image-id ami-02edf5731752693cc --instance-type t2.micro
This message indicates that an error occurred when calling the RunInstances operation: the request would have been successful, but we specified the --dry-run flag. This is the correct behavior when we have the proper permissions for the operation.
Now, using a user that does have access to IAM, let’s check the policy assigned to the Teratip user:
As we can see, the Teratip user has the correct permissions to execute the ec2 run-instances command.
Now, let’s do a test, and remove the assigned policy from the user, and see what happens when we execute the command:
As we can see, when the operation is executed with --dry-run and we don't have the necessary permissions, we get a long error like this.
This is a great way to test our API calls without affecting our billing.
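Both outcomes above come back from the CLI as errors, so a script cannot tell them apart by exit status alone. The shell helper below is an added example, not part of the original post: it classifies the output by its error code. The function names and sample messages are constructed for illustration, and DryRunOperation and UnauthorizedOperation are the EC2 error codes for the two cases.

```shell
#!/bin/sh
# Added example (not from the original post): decide what a --dry-run result
# means. The AWS CLI reports BOTH outcomes as errors with a non-zero exit
# status, so the error code in the message is what has to be inspected.

# classify_dry_run TEXT -> prints allowed | denied | unknown
classify_dry_run() {
  case "$1" in
    *"(DryRunOperation)"*)       echo allowed ;;  # permissions are in place
    *"(UnauthorizedOperation)"*) echo denied ;;   # IAM refused the action
    *)                           echo unknown ;;  # bad credentials, bad parameters, ...
  esac
}

# check_permission CMD... -> runs CMD with --dry-run appended and classifies
# its combined output, e.g.:
#   check_permission aws ec2 run-instances \
#     --image-id ami-02edf5731752693cc --instance-type t2.micro
check_permission() {
  classify_dry_run "$("$@" --dry-run 2>&1)"
}

# Constructed sample messages, so the demo below runs without AWS access.
SAMPLE_OK='An error occurred (DryRunOperation) when calling the RunInstances operation: Request would have succeeded, but DryRun flag is set.'
SAMPLE_DENIED='An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. Encoded authorization failure message: <encoded-message-placeholder>'
SAMPLE_OTHER='Unable to locate credentials. You can configure credentials by running "aws configure".'

for msg in "$SAMPLE_OK" "$SAMPLE_DENIED" "$SAMPLE_OTHER"; do
  printf '%-8s <- %.60s\n' "$(classify_dry_run "$msg")" "$msg"
done
```

A result of unknown means the output carried neither error code, so treat it as inconclusive rather than as denied. The encoded part of the long UnauthorizedOperation error can be decoded with aws sts decode-authorization-message, provided the caller is allowed sts:DecodeAuthorizationMessage.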
Rodrigo González
DevOps Engineer
Teracloud