IAM policies can be tricky, but that is certainly not a reason to use your AWS root account credentials all over the place. In the test-kitchen-berks-api example I created a dedicated IAM user and granted it only the permissions the kitchen-ec2 tests need. That takes more than authorizing
ec2:RunInstances: the user also has to be able to tag the instances it launches, and to prevent complications we restrict which instances it is allowed to terminate.
iam-usercreate -u test-kitchen-berks-api -k
iam-useruploadpolicy -f iam.json -p test-kitchen-berks-api-instances -u test-kitchen-berks-api
Note that the restrictions in this policy are not tight: it allows tagging of every resource in the account and does not limit tagging to instances this user launched, so if termination is gated on that tag the user could tag, and then terminate, instances it did not create. At the time there was no way to apply a tag as part of the launch call itself, so to force a tag onto a newly booted instance it would have had to be applied to the AMI. EC2 has since added tagging at launch, which means a current policy can require the tag on ec2:RunInstances with the aws:RequestTag condition key and confine ec2:CreateTags to the launch call with the ec2:CreateAction condition key, closing that gap.
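The following is an added example, not the iam.json from the post: a policy for the same kind of kitchen-ec2 user that uses tag-on-create conditions so tagging and termination are scoped to the instances the user launches, plus a small evaluator for the IAM subset it uses so the effect of each condition can be checked offline. It assumes kitchen-ec2 is configured to put a Project=test-kitchen tag on every instance it launches (assumption); the evaluator implements only StringEquals conditions and simple wildcard matching, not the full IAM evaluation logic.

```python
"""Tag-scoped IAM policy for an EC2 test user, with a tiny evaluator.

Added example; not the policy from the original post. Assumes kitchen-ec2 is
configured to tag every instance it launches with Project=test-kitchen.
"""
import fnmatch
import json

PROJECT_TAG = "test-kitchen"  # assumed tag value kitchen-ec2 applies at launch
INSTANCE_ARN = "arn:aws:ec2:*:*:instance/*"
# Resource types ec2:RunInstances touches besides the instance itself; these
# get no tag condition because aws:RequestTag is only evaluated on the instance.
LAUNCH_DEPENDENCIES = [
    "arn:aws:ec2:*:*:image/*", "arn:aws:ec2:*:*:subnet/*",
    "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:key-pair/*",
    "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:network-interface/*",
]

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Describe", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        # Launch is only allowed if the instance is tagged in the same call.
        {"Sid": "LaunchTagged", "Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": INSTANCE_ARN,
         "Condition": {"StringEquals": {"aws:RequestTag/Project": PROJECT_TAG}}},
        {"Sid": "LaunchDependencies", "Effect": "Allow",
         "Action": "ec2:RunInstances", "Resource": LAUNCH_DEPENDENCIES},
        # CreateTags is confined to the launch call, so the user cannot re-tag
        # existing instances (or anything else) to bring them into scope.
        {"Sid": "TagOnlyAtLaunch", "Effect": "Allow", "Action": "ec2:CreateTags",
         "Resource": INSTANCE_ARN,
         "Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}},
        # Termination is limited to instances carrying the project tag.
        {"Sid": "TerminateOwnOnly", "Effect": "Allow",
         "Action": "ec2:TerminateInstances", "Resource": INSTANCE_ARN,
         "Condition": {"StringEquals": {"aws:ResourceTag/Project": PROJECT_TAG}}},
    ],
}


def policy_json():
    """Policy document as it would be written to a file for upload."""
    return json.dumps(POLICY, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _conditions_hold(condition, context):
    """Only StringEquals is supported; a missing context key fails the test,
    which is also how IAM treats an absent condition key."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            if context.get(key) != wanted:
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Subset of IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access, otherwise the request is implicitly denied."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not any(_glob(a, action) for a in _as_list(statement["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(statement["Resource"])):
            continue
        if not _conditions_hold(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print(policy_json())
```

Run the module to print the policy document, or call is_allowed() with a constructed request context (the condition keys EC2 would supply, such as aws:ResourceTag/Project for an existing instance or ec2:CreateAction for tags applied during launch) to see which calls the policy permits. The untagged cases are the ones that matter: a bare ec2:CreateTags on an instance, a launch without the project tag, and a terminate of an instance that does not carry the tag are all refused.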