Can an AWS IAM policy dynamically refer to the logged-in username?

I am trying to write an IAM policy which will control access to EC2 instances. All EC2 instances will have a custom tag called username, and only if the tag value matches the logged-in user's user name will that user have access to that EC2 instance. This is what I came up with:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/username": "arn:aws:iam::account-number-without-hyphens:user/username1"
                }
            }
        }
    ]
}

I am sure you see the problem here. I don't want to hard-code the username value on the right-hand side. I want to be able to get that information at runtime or policy evaluation time.

Is it possible to do so?

Silent User asked Mar 20 '23 20:03


1 Answer

The IAM user can be referred to in policy documents by ${aws:username}.

There is a list of other IAM policy variables and their uses here:

http://docs.aws.amazon.com/IAM/latest/UserGuide/PolicyVariables.html

Jim Flanagan answered Apr 24 '23 16:04
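The question's policy rewritten with the variable, as an added example that is not taken from the question or the answer. It assumes the principals are IAM users (aws:username is not populated for assumed-role sessions) and that an administrator applies the username tag: the second statement is needed because EC2 Describe* calls do not support the ec2:ResourceTag condition, and the third stops users from rewriting the ownership tag on their own instances.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowActionsOnOwnTaggedInstances",
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/username": "${aws:username}"
                }
            }
        },
        {
            "Sid": "AllowListingSoTheUserCanFindOwnInstances",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Sid": "DenyChangingTheOwnershipTag",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "aws:TagKeys": ["username"]
                }
            }
        }
    ]
}
```

Policy variables are only interpolated when "Version" is "2012-10-17"; with an older version string the literal text ${aws:username} is compared against the tag and nothing matches.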