EC2 IAM Policy not working with ResourceTag

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:Describe*", "ec2:CreateSnapshot"],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/test": "true"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

This is the IAM policy I am using. If I take out the condition line it works fine, so it's just down to that. I tagged the instance with the tag key "test" and set the value to "true". What am I doing incorrectly? I am using the EC2 API tools and using ec2-describe-volumes to test.

pmilb asked Feb 26 '14 18:02


1 Answer

Not all EC2 actions allow resource-level permissions. Neither the Describe* actions nor CreateSnapshot are supported currently.

This lists the actions for EC2 that support resource-level permissions. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html

Bribles answered Sep 21 '22 10:09
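The failure mode in the question and answer above is easy to miss in review: an Allow statement whose only condition is ec2:ResourceTag silently grants nothing for actions that cannot be evaluated against a resource tag, because the condition never matches and the request falls through to an implicit deny. The following Python script is an added example (not code from the question, the answer, or AWS) that flags such actions in a policy document and proposes a split into a tag-conditioned statement and an unconditioned one for review. The RESOURCE_LEVEL_SUPPORT table is a constructed assumption covering a handful of EC2 actions (its ec2:CreateSnapshot entry follows the 2014 answer above); the authoritative list is the EC2 IAM documentation the answer links to, and it has grown since then.

```python
import fnmatch
import json

# Constructed, illustrative table: does the EC2 action accept a resource-level
# condition such as ec2:ResourceTag? This is an ASSUMPTION for the example, not
# AWS's authoritative list; check the current EC2 IAM documentation before
# relying on any entry, since AWS has extended this support over time.
RESOURCE_LEVEL_SUPPORT = {
    "ec2:DescribeInstances": False,
    "ec2:DescribeVolumes": False,
    "ec2:DescribeSnapshots": False,
    "ec2:CreateSnapshot": False,    # per the answer above (2014)
    "ec2:StartInstances": True,
    "ec2:StopInstances": True,
    "ec2:TerminateInstances": True,
}

# The policy from the question, embedded as the sample input.
QUESTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:Describe*", "ec2:CreateSnapshot"],
      "Condition": {"StringEquals": {"ec2:ResourceTag/test": "true"}},
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
""")


def expand_actions(patterns):
    """Expand IAM action patterns (e.g. ec2:Describe*) against the table.
    IAM matches action names case-insensitively, so compare lower-cased."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return sorted(
        action for action in RESOURCE_LEVEL_SUPPORT
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    )


def uses_resource_tag(condition):
    """True if any condition key in the block is ec2:ResourceTag/<key>."""
    return any(
        key.lower().startswith("ec2:resourcetag/")
        for operator_block in condition.values()
        for key in operator_block
    )


def find_silently_denied(policy):
    """Actions that a tag-conditioned Allow tries to grant but which, per the
    table, cannot be evaluated against a resource tag. For those the condition
    never matches, so the Allow never applies and the call is implicitly denied."""
    denied = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not uses_resource_tag(stmt.get("Condition", {})):
            continue
        for action in expand_actions(stmt["Action"]):
            if not RESOURCE_LEVEL_SUPPORT[action]:
                denied.add(action)
    return sorted(denied)


def split_by_tag_support(policy):
    """Rewrite each tag-conditioned Allow into up to two statements: the
    condition is kept only for actions that support it; the rest move to a
    statement with no ResourceTag condition. That second statement is a broader
    grant than the author may have intended, so it is returned for review."""
    new_statements = []
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        if stmt.get("Effect") != "Allow" or not uses_resource_tag(cond):
            new_statements.append(stmt)
            continue
        actions = expand_actions(stmt["Action"])
        supported = [a for a in actions if RESOURCE_LEVEL_SUPPORT[a]]
        unsupported = [a for a in actions if not RESOURCE_LEVEL_SUPPORT[a]]
        if supported:
            new_statements.append({**stmt, "Action": supported})
        if unsupported:
            rest = {k: v for k, v in stmt.items() if k != "Condition"}
            new_statements.append({**rest, "Action": unsupported})
    return {**policy, "Statement": new_statements}


if __name__ == "__main__":
    print("silently denied:", find_silently_denied(QUESTION_POLICY))
    print(json.dumps(split_by_tag_support(QUESTION_POLICY), indent=2))
```

Run against the question's policy, every expanded action lands in the "silently denied" list, which is exactly the symptom reported: the policy works once the condition is removed. The split output moves Describe* and CreateSnapshot into an unconditioned statement; whether that wider grant is acceptable is a review decision, not something the script should make on its own.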