Aws-cli: aws ec2 create-volume not creating volume

OK. I have got it working; but I still believe that there is an issue with the CLI,

The only way I could get it to work was to add the following permissions:

{ "Action": [ "*" ], "Effect": "Allow", "Resource": "*" }

Even ec2:* doesn't work. It has to be *.

The tool doesn't report any permission errors when executing the command. Nor is there any way to find out exactly what permissions are needed. Bit of a security issue here...

You will get a 'volume does not exist' error when you try to do something with a volume that actually doesn't exist, or a volume you simply don't have access to. The wait command in question uses DescribeVolumes under the hood so you need permissions for at least that.

I notice that you specify a region in your first command but not in the wait command, which could be your issue.

As I mentioned in the original post:

When I look on the web UI volumes dashboard; I cannot see the volume. I have checked in every region.

And DescribeVolumes permissions is under ec2:*, but as I also mentioned:

Even ec2:* doesn't work. It has to be *.

So; it's not that I didn't have permissions to view the volume; as I had ec2:* permissions and I had a look at every region on the web UI while logged in as root.

The problem is that the tool did not create the volume even though it reported a success and exited with a code 0.

I need to do some further investigation to work out with the missing permission was.

You mentioned you checked all the regions on the console, but I'm wondering about the command you ran. Could you add in a --debug and post the results here?

Closing due to inactivity

I know this is closed, but while researching what appears to be the same issue, I noticed that is using an encrypted volume. This is why ec2:* doesn't work and karimtabet should definitely not give full access of *. karimtabet should have given kms access to the encryption key used. Recommend

            "kms:CreateGrant",
            "kms:ListGrants",
            "kms:RevokeGrant",
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey",
            "ec2:AttachVolume",
            "ec2:DescribeVolume*",
            "ec2:Describe*",
            "ec2:CreateVolume",
            "ec2:DescribeSnapshots",
            "ec2:AttachVolume"

Perfect. After all these months; that is the answer I was looking for! Thank you @pjudt

Do we think that boto should give us a more meaningful response when trying to create from an encrypted volume without the right permissions? Because currently, it claims it was a success when it was not.

@karimtabet I am facing this same problem. Was there any workaround or update? Thanks!

beside volume policies, grant following for kms
{
"Sid": "kms",
"Effect": "Allow",
"Action": [
"kms:CreateGrant",
"kms:Decrypt",
"kms:Describe",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:ReEncrypt"
],
"Resource": ""
}

This is still very much an issue.

I was attempting to create an encrypted volume and I was experiencing the same issues of the aws ec2 create-volume command giving a return code of zero but the volume never being created. In my case, my KMS key ID was incorrect.

This issue probably needs re-opened and looked at.

I'm using AWS CLI v2 version: aws-cli/2.0.37 Python/3.8.5 Darwin/19.6.0 source/x86_64