Update
Mike Pope has published a nice article about Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission) on the AWS Security Blog, which explains the subject matter from an AWS point of view.
Initial Answer
Skaperen's answer is partially correct (+1), but slightly imprecise/misleading as follows (the explanation seems a bit too complex for a comment, hence this separate answer):
To launch an EC2 instance with an IAM role requires administrative access to the IAM facility.
This is correct as such and points towards the underlying problem, but the required administrative permissions are rather limited, so the following conclusion ...
Because IAM roles grant permissions, there is clearly a security issue to be addressed. You would not want IAM roles being a means to allow permission escalation.
... is a bit misleading, insofar the potential security issue can be properly addressed. The subject matter is addressed in Granting Applications that Run on Amazon EC2 Instances Access to AWS Resources:
You can use IAM roles to manage credentials for applications that run
on Amazon EC2 instances. When you use roles, you don't have to
distribute AWS credentials to Amazon EC2 instances. Instead, you can
create a role with the permissions that applications will need when
they run on Amazon EC2 and make calls to other AWS resources. When
developers launch an Amazon EC2 instance, they can specify the role
you created to associate with the instance. Applications that run on
the instance can then use the role credentials to sign requests.
Now, within the use case at hand the mentioned developers [that] launch an Amazon EC2 instance are in fact EC2 instances themselves, which appears to yield the catch 22 security issue Skaperen outlined. That's not really the case though as illustrated by the sample policy in section Permissions Required for Using Roles with Amazon EC2 :
{
"Version": "2012-10-17",
"Statement": [{
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":"iam:ListInstanceProfiles",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":"ec2:*",
"Resource":"*"
}]
}
So iam:PassRole is in fact the only IAM permission required, and while technically of administrative nature, this isn't that far reaching - of course, the sample policy above would still allow to escalate permissions by means of listing and in turn passing any available role, but this can be prevented by specifying only those roles that are desired/safe to pass for the use case at hand - this is outlined in section Restricting Which Roles Can Be Passed to Amazon EC2 Instances (Using PassRole):
You can use the PassRole permission to prevent users from passing a
role to Amazon EC2 that has more permissions than the user has already
been granted, and then running applications under the elevated
privileges for that role. In the role policy, allow the PassRole
action and specify a resource (such as
arn:aws:iam::111122223333:role/ec2Roles/*) to indicate that only a
specific role or set of roles can be passed to an Amazon EC2 instance.
The respective sample policy illustrates exactly matches the use case at hand, i.e. grants permission to launch an instance with a role by using the Amazon EC2 API:
{
"Version": "2012-10-17",
"Statement": [{
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::123456789012:role/Get-pics"
}]
}
After taking a look at this answer to Using environment properties with files in elastic beanstalk config files I added the following section to the .ebextensions/01_files.config
Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::CloudFormation::Authentication:
S3Access:
type: S3
roleName: aws-elasticbeanstalk-ec2-role
buckets: dev-config
and updated the s3 url to include the bucket name in the host, so the final file looked like this:
"/usr/share/tomcat7/lib/local.properties" :
mode: "000777"
owner: ec2-user
group: ec2-user
source: https://dev-config.s3.amazonaws.com/local.properties
Resources:
AWSEBAutoScalingGroup:
Metadata:
AWS::CloudFormation::Authentication:
S3Access:
type: S3
roleName: aws-elasticbeanstalk-ec2-role
buckets: dev-config
This enabled the elastic beanstalk ec2 instance to use the IAM role associated with it to access the s3 bucket containing the files.
PS: For this configuration to work, make sure that you've granted access to the S3 bucket in question to the aws-elasticbeanstalk-ec2-role principal. You can get the ARN from IAM console.
Best Answer
After many different approaches, it turned out that limiting my policy for a single queue was causing all the problems. I assumed that when policy applies to single queue and you do ListTopics, then you will get just the topic you have access to. However, my SNS had several other topics and most probably their existence in ListTopics result was considered a violation of policy. When I replaced particular topic name with '*' and saved the policy, then immidiatelly (no need for expiration of credentials or EC2 instance restarts) it started working.