https://aws.amazon.com/premiumsupport/knowledge-center/ec2-not-auth-launch/
Resolution
1. Verify that the AWS CLI is installed and configured on your machine with the following command:
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
2. Run the decode-authorization-message command. Replace encoded-message with the exact encoded message contained in the error message.
3. The decoded message lists the required permissions that are missing from the IAM role or user policy.
Example encoded message:
Launch Failed – You are not authorized to perform this operation. Encoded authorization failure message: 4GIOHlTkIaWHQD0Q0m6XSnuUMCm-abcdefghijklmn-abcdefghijklmn-abcdefghijklmn
Example decoded message:
"DecodedMessage":
"{"allowed":false,"explicitDeny":false,"matchedStatements":{"items":[]},"failures":{"items":[]},"context":{"principal":{"id":"ABCDEFGHIJKLMNO","name":"AWS-User",
"arn":"arn:aws:iam::accountID:user/test-user"},"action":"iam:PassRole",
"resource":"arn:aws:iam::accountID:role/EC2_instance_Profile_role","conditions":{"items":[{"key":"aws:Region","values":{"items":[{"value":"us-east-2"}]}},
{"key":"aws:Service","values":{"items":[{"value":"ec2"}]}},{"key":"aws:Resource","values":{"items":[{"value":"role/EC2_instance_Profile_role"}]}},
{"key":"iam:RoleName","values":{"items":[{"value":"EC2_instance_Profile_role"}]}},{"key":"aws:Account","values":{"items":[{"value":"accountID"}]}},
{"key":"aws:Type","values":{"items":[{"value":"role"}]}},{"key":"aws:ARN","values":{"items":[{"value":"arn:aws:iam::accountID:role/EC2_instance_Profile_role"}]}}]}}}"
}