What is AWS Dry-Run?
Updated: Jul 11, 2024
Sometimes we want to know whether we have the necessary permissions to execute a certain command without actually executing it. And let's say that, for some reason, we can't access IAM to check our permissions. For this we have --dry-run, a parameter that some AWS CLI commands accept.
![Bearded man beside a title about AWS Dry Run](https://static.wixstatic.com/media/eabb33_17795cb9f9eb41d889499c5f7499819e~mv2.png/v1/fill/w_52,h_32,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_avif,quality_auto/eabb33_17795cb9f9eb41d889499c5f7499819e~mv2.png)
How do we run dry run?
Suppose we want to know if our user has the necessary permissions to run instances. We have a test user, teratip.
A correct example of run-instances would be something like this:
aws ec2 run-instances --image-id ami-02edf5731752693cc --instance-type t2.micro
But we don't want to run this, because if we have the correct permissions the instance will be created and our billing will be affected. So let's add --dry-run to the command and see what happens:
aws ec2 run-instances --dry-run --image-id ami-02edf5731752693cc --instance-type t2.micro
![""](https://static.wixstatic.com/media/eabb33_1d9b2c14f276489eac141811453b7f8d~mv2.jpg/v1/fill/w_147,h_6,al_c,q_80,usm_0.66_1.00_0.01,blur_2,enc_avif,quality_auto/eabb33_1d9b2c14f276489eac141811453b7f8d~mv2.jpg)
This message indicates that an error occurred when calling the RunInstances operation: the request would have been successful, but we specified the --dry-run flag. This is the correct behavior when we have the proper permissions for the operation.
Now, using a user that does have access to IAM, let’s check the policy assigned to the Teratip user:
![""](https://static.wixstatic.com/media/eabb33_52ba83fa4247468fbe2faf9999177f2a~mv2.png/v1/fill/w_124,h_110,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_avif,quality_auto/eabb33_52ba83fa4247468fbe2faf9999177f2a~mv2.png)
As we can see, the Teratip user has the correct permissions to execute the ec2 run-instances command.
Now, let's do a test: remove the assigned policy from the user and see what happens when we execute the command:
As we can see, when the operation is executed with --dry-run and we don't have the necessary permissions, we get a long error like this.
This is a great way to test our API calls without affecting our billing.
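The two outcomes described above can be told apart in a script instead of by eye. The following is an added example, not part of the original post: it assumes the error codes DryRunOperation (permitted) and UnauthorizedOperation (denied) that EC2 returns in the CLI's error text, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: turn the result of an EC2 --dry-run call into a verdict.

# Map the CLI's error text to a verdict.
#   DryRunOperation       -> caller is authorized (nothing was created)
#   UnauthorizedOperation -> caller lacks the permission
classify_dry_run() {
  case "$1" in
    *"(DryRunOperation)"*)       echo "allowed" ;;
    *"(UnauthorizedOperation)"*) echo "denied" ;;
    *)                           echo "unknown" ;;
  esac
}

# Run the given command with --dry-run appended and print the verdict.
# Exit status: 0 allowed, 1 denied, 2 anything else (invalid parameters,
# expired credentials, a command that does not accept --dry-run, ...).
dry_run_check() {
  local err verdict
  # A dry run always ends in an "error", so the exit code is ignored
  # and only stderr is captured.
  err=$("$@" --dry-run 2>&1 >/dev/null) || true
  verdict=$(classify_dry_run "$err")
  echo "$verdict"
  case "$verdict" in
    allowed) return 0 ;;
    denied)  return 1 ;;
    *)       echo "$err" >&2; return 2 ;;  # show the raw error for triage
  esac
}

# Usage with the command from this post:
#   dry_run_check aws ec2 run-instances \
#       --image-id ami-02edf5731752693cc --instance-type t2.micro
```

Treating every unrecognized error as "unknown" rather than "denied" keeps a typo in the parameters or an expired session from being misread as a missing permission.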
Rodrigo González
DevOps Engineer
Teracloud