What is AWS Dry-Run?
Updated: Jul 11
Sometimes we want to know whether we have the permissions needed to execute a command without actually executing it. And suppose that, for some reason, we can’t access IAM to check our permissions. For this we have --dry-run, a parameter that some AWS CLI commands accept.
How do we run a dry run?
Suppose we want to know if our user has the necessary permissions to run instances. We have a test user, teratip.
A correct example of run-instances would be something like this:
aws ec2 run-instances --image-id ami-02edf5731752693cc --instance-type t2.micro
But we don't want to run this: if we have the correct permissions, the instance will be created and our billing will be affected. So let’s add --dry-run to the command and see what happens:
aws ec2 run-instances --dry-run --image-id ami-02edf5731752693cc --instance-type t2.micro
This message indicates that an error occurred when calling the RunInstances operation: the request would have been successful, but we specified the --dry-run flag. This is the expected behavior when we have the proper permissions for the operation.
Now, using a user that does have access to IAM, let’s check the policy assigned to the teratip user:
As we can see, the teratip user has the correct permissions to execute the ec2 run-instances command.
Now let’s do a test: remove the assigned policy from the user and see what happens when we execute the command:
As we can see, when the operation is executed with --dry-run and we don’t have the necessary permissions, we get a long error like this.
This is a great way to test our API calls without affecting our billing.
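The two outcomes described above can be told apart in a script by the error code in the CLI's stderr. The following is an added example, not part of the original post: the function names are hypothetical, the sample stderr strings are constructed, and it assumes the EC2 error codes DryRunOperation (authorized) and UnauthorizedOperation (permission missing).

```shell
#!/usr/bin/env bash
# Added example. EC2 reports dry-run results as errors, so the CLI exits
# non-zero in both cases; the error code tells them apart:
#   DryRunOperation       -> authorized, nothing was created
#   UnauthorizedOperation -> the permission is missing

# Constructed sample stderr, in the format the AWS CLI prints API errors.
SAMPLE_ALLOWED='An error occurred (DryRunOperation) when calling the RunInstances operation: Request would have succeeded, but DryRun flag is set.'
SAMPLE_DENIED='An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. Encoded authorization failure message: CONSTRUCTED-PLACEHOLDER'
SAMPLE_OTHER='Unable to locate credentials. You can configure credentials by running "aws configure".'

# classify_dry_run STDERR_TEXT -> prints allowed | denied | unknown
classify_dry_run() {
  case "$1" in
    *"(DryRunOperation)"*)       echo allowed ;;
    *"(UnauthorizedOperation)"*) echo denied ;;
    *)                           echo unknown ;;  # bad AMI id, no credentials, ...
  esac
}

# can_run_instances AMI_ID INSTANCE_TYPE
# Returns 0 only when the dry run proves the permission; prints the verdict.
# Needs the aws CLI and credentials for the user under test.
can_run_instances() {
  local err verdict
  # Keep stderr only; "|| true" because a dry run is reported as an error,
  # so aws exits non-zero even when the permission check passes.
  err=$(aws ec2 run-instances --dry-run --image-id "$1" \
          --instance-type "$2" 2>&1 >/dev/null) || true
  verdict=$(classify_dry_run "$err")
  echo "$verdict"
  [ "$verdict" = allowed ]
}
```

The encoded message in the denied case can be decoded with aws sts decode-authorization-message, which itself requires the sts:DecodeAuthorizationMessage permission.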
Rodrigo González
DevOps Engineer
Teracloud