{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:Describe*", "ec2:CreateSnapshot"],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/test": "true"
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
This is the IAM policy I am using. If I take out the condition line it works fine, so it's just down to that. I tagged the instance with the tag key "test" and set the value to "true". What am I doing incorrectly? I am using the EC2 API tools and using ec2-describe-volumes to test.
To attach an IAM role to an instance: Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/ . In the navigation pane, choose Instances. Select the instance, choose Actions, Security, Modify IAM role. Select the IAM role to attach to your instance, and choose Save.
In general, policy changes take effect within 60 seconds. However, in some cases, it can take 7 minutes or more for changes to propagate across the system.
The aws:ResourceTag/tag-key condition key is used to compare the tag key-value pair specified in the IAM policy with the key-value pair that's attached to the AWS resource. For more information, see Controlling access to AWS resources.
You can use IAM to control how other users use resources in your AWS account, and you can use security groups to control access to your Amazon EC2 instances. You can choose to allow full use or limited use of your Amazon EC2 resources.
Not all EC2 actions allow resource-level permissions. Neither the Describe* actions nor CreateSnapshot is supported currently.
This lists the actions for EC2 that support resource-level permissions: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
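The mechanism behind that answer is worth seeing concretely: an IAM condition such as StringEquals on ec2:ResourceTag/test can only be true if the service puts that key into the request context, and a Describe* call against "*" carries no resource tag at all, so the single Allow statement never matches and the result is an implicit deny. The following is an added illustration, not AWS's policy engine and not code from the question or answer above. It models only Allow statements with StringEquals conditions, and the SPLIT_POLICY, the request contexts and the helper names are constructed for this example; the tagged snapshot context shows how the condition behaves when a service does supply the key, not a claim about which actions supported it when the question was asked.

```python
"""Simplified model of IAM Allow-statement evaluation with a tag condition.

Added example (not AWS's evaluator): demonstrates why a StringEquals
condition on ec2:ResourceTag/* turns an Allow into an implicit deny for
requests whose context carries no resource tag, such as ec2:Describe*.
"""
import fnmatch

# The policy from the question, verbatim in structure: one statement, one condition.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:Describe*", "ec2:CreateSnapshot"],
        "Condition": {"StringEquals": {"ec2:ResourceTag/test": "true"}},
        "Effect": "Allow",
        "Resource": "*",
    }],
}

# Constructed restructuring (assumption for illustration): the actions that
# carry no resource context are no longer gated by a resource tag.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "ec2:Describe*", "Effect": "Allow", "Resource": "*"},
        {
            "Action": "ec2:CreateSnapshot",
            "Condition": {"StringEquals": {"ec2:ResourceTag/test": "true"}},
            "Effect": "Allow",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names support trailing wildcards, e.g. ec2:Describe*."""
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def _condition_matches(condition, context):
    """Only StringEquals is modelled.

    A condition key that is absent from the request context cannot equal
    anything, so the whole block fails. That is exactly what happens to a
    Describe call: no tagged resource, no ec2:ResourceTag/* key, no match.
    """
    for key, wanted in condition.get("StringEquals", {}).items():
        if key not in context or context[key] not in _as_list(wanted):
            return False
    return True


def is_allowed(policy, action, context):
    """True if some Allow statement matches the action and its condition holds.

    Explicit Deny statements are not modelled; absence of a match is the
    implicit deny that the question's author observed.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        return True
    return False


# Constructed request contexts. A Describe call is not made against one
# tagged resource, so the tag key is simply not present.
DESCRIBE_CTX = {}
SNAPSHOT_TAGGED_CTX = {"ec2:ResourceTag/test": "true"}
SNAPSHOT_UNTAGGED_CTX = {"ec2:ResourceTag/test": "false"}

if __name__ == "__main__":
    print("original, DescribeVolumes:",
          is_allowed(ORIGINAL_POLICY, "ec2:DescribeVolumes", DESCRIBE_CTX))  # False
    print("split, DescribeVolumes:   ",
          is_allowed(SPLIT_POLICY, "ec2:DescribeVolumes", DESCRIBE_CTX))     # True
    print("split, CreateSnapshot tagged:  ",
          is_allowed(SPLIT_POLICY, "ec2:CreateSnapshot", SNAPSHOT_TAGGED_CTX))    # True
    print("split, CreateSnapshot untagged:",
          is_allowed(SPLIT_POLICY, "ec2:CreateSnapshot", SNAPSHOT_UNTAGGED_CTX))  # False
```

The practical check is the first two lines of output: the original policy denies ec2:DescribeVolumes because the condition key is missing, and moving the unconditioned Describe* grant into its own statement restores it while the tag gate still applies only where the service supplies the tag. When in doubt about a real policy, the IAM policy simulator reports the same missing-context-key outcome rather than a silent failure.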