IAM Policy using Condition ec2:ResourceTag not working

I have n EC2 instances, and I wish to limit EC2 actions to instances with the same key/value tag (i.e. platform=dev).

I'm looking at doing this using an IAM Policy attached to the group their default IAM user is in.

Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/tag:platform": "dev"
                }
            }
        }
    ]
}

I set this up as per the online AWS docs: Example Policies for Working With the AWS CLI or an AWS SDK

I check it in the Policy Simulator and it works as expected (pass in a dev and it's allowed, otherwise denied).

Then, on one of the servers with the tag key/value pair platform=dev, when I run aws ec2 describe-instances I get the response:

An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.

But if I remove the Condition, it works. I don't understand what I'm doing wrong. Any help would be gratefully received!

the4thv Avatar asked Dec 17 '16 15:12


1 Answer

The problem is that not every API Action & Resource will accept the ec2:ResourceTag/tag in the condition.

I think you're probably granting overly-broad permissions (Action: ec2:*), so figure out what actions your instances will need to do, and then decide how to restrict them.

The list of actions, resources and conditions keys can be found at Supported Resource-Level Permissions for Amazon EC2 API Actions.

chris Avatar answered Nov 01 '22 16:11
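The following is an added example, not code from the question or the answer and not AWS's own policy engine. It is a deliberately simplified evaluator that models the single rule the answer relies on: a StringEquals condition on ec2:ResourceTag/<tag-key> can only be satisfied when the request carries resource tags, and actions without resource-level support (the ec2:Describe* family) carry none, so a conditioned Allow never grants them. The set of "taggable" actions is a constructed subset for illustration (the authoritative list is the Supported Resource-Level Permissions reference the answer cites), Resource ARNs and explicit Deny are not modelled, and the policies use the documented condition-key form ec2:ResourceTag/platform rather than the ec2:ResourceTag/tag:platform form in the question. The second policy shows one way to act on the answer's advice: grant Describe* without a condition and tag-scope only the few state-changing actions the instances need.

```python
"""Simplified evaluator for the tag-conditioned EC2 policy in the question.

Added example, not AWS's own engine and not code from the thread. It models
one rule behind the answer: a StringEquals condition on
ec2:ResourceTag/<tag-key> can only be satisfied when the request carries
resource tags, and actions without resource-level support (the ec2:Describe*
family) carry none, so the conditioned Allow never grants them.
"""
import fnmatch

# Constructed subset of EC2 actions treated as supporting resource-level
# permissions (and therefore the ec2:ResourceTag/* condition keys). The
# authoritative list is AWS's "Supported Resource-Level Permissions for
# Amazon EC2 API Actions" reference cited in the answer.
TAGGABLE_ACTIONS = {
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:RebootInstances",
    "ec2:TerminateInstances",
}


def request_context(action, instance_tags):
    """Condition keys present for a request (hypothetical simplification).

    Only actions with resource-level support expose the target instance's
    tags as ec2:ResourceTag/<key>; Describe* calls expose nothing.
    """
    if action not in TAGGABLE_ACTIONS:
        return {}
    return {f"ec2:ResourceTag/{k}": v for k, v in instance_tags.items()}


def _action_matches(pattern, action):
    # "Action" may be a single string or a list; IAM wildcards map to fnmatch.
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition, ctx):
    # Only StringEquals is modelled. As in IAM, a key that is absent from
    # the request context cannot equal anything, so the condition fails.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if ctx.get(key) != expected:
                return False
    return True


def is_allowed(policy, action, instance_tags):
    """True if some Allow statement matches the action and its condition
    holds. Resource ARNs and explicit Deny are deliberately not modelled."""
    ctx = request_context(action, instance_tags)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


# The question's policy, written with the documented key form
# ec2:ResourceTag/<tag-key> rather than the ec2:ResourceTag/tag:<tag-key>
# form used in the question.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/platform": "dev"}},
        }
    ],
}

# One way to follow the answer: grant the read-only Describe* calls without
# a tag condition (they cannot carry one) and tag-scope only the few
# state-changing actions the instances actually need.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/platform": "dev"}},
        },
    ],
}


if __name__ == "__main__":
    dev, prod = {"platform": "dev"}, {"platform": "prod"}
    for name, policy in (("original", ORIGINAL_POLICY), ("split", SPLIT_POLICY)):
        for action in ("ec2:DescribeInstances", "ec2:StopInstances", "ec2:TerminateInstances"):
            print(name, action, "dev:", is_allowed(policy, action, dev),
                  "prod:", is_allowed(policy, action, prod))
```

Running it shows the symptom from the question reproduced by the model: under ORIGINAL_POLICY, ec2:DescribeInstances is denied even on a platform=dev instance because the request context has no ec2:ResourceTag/platform key, while ec2:StopInstances on that instance is allowed. Under SPLIT_POLICY, Describe* is allowed unconditionally, Stop is still limited to platform=dev, and TerminateInstances is denied everywhere because it was never granted.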