IAM policies can be tricky but that is certainly not a reason to use your AWS root account credentials all over the place. In the test-kitchen-berks-api example I created a new user and granted it permissions for the kitchen-ec2 tests. This requires being much more explicit than authorizing ec2:RunInstances. The user needs to be able to tag the running instances and to prevent complications we limit the instance termination permissions.

To create a working policy, you'll want to use the iam-policy-generator and the iam-policy-simulator. The permissions required for this test are very well explained on the AWS Security Blog.

  1. iam-usercreate -u test-kitchen-berks-api -k
  2. iam-useruploadpolicy -f iam.json -p test-kitchen-berks-api-instances -u test-kitchen-berks-api

It should be noted that this policy is not fully locked down: it allows tagging of all resources in the account and does not limit tags to instances created by this user. To force a tag onto a newly booted instance it would need to be applied to the AMI.
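The shape of policy the text describes (and the weakness it calls out), as an added example that is not the iam.json from the original post: RunInstances and the Describe calls kitchen-ec2 needs are allowed broadly, CreateTags is allowed on every resource in the account (the gap noted above), and TerminateInstances is only allowed on instances already carrying the expected tag. The Owner tag key and value, the region and the 123456789012 account id are placeholders, and the Describe actions listed are an assumption about what the tests call.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchAndInspectInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TagAnyResourceInAccount",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "*"
    },
    {
      "Sid": "TerminateOnlyTaggedInstances",
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Owner": "test-kitchen-berks-api"
        }
      }
    }
  ]
}
```

Running this through the iam-policy-simulator with a TerminateInstances request against an untagged instance id shows the deny, while the same request with Owner set to test-kitchen-berks-api is allowed.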