Menu
I am trying to create an IAM policy that gives users complete access to dynamodb with the caveat that the tables must have the tag Stage with value Dev on it. Basically you can create a table but you should add tag Stage with value Dev on it. You can view/update etc only those tables that have tag as Stage=Dev.
AWS documentation mentions a way to do that easily using Global Context Keys: aws:ResourceTag
But when I use the visual editor I can't find the key in the list of context keys. If I manually edit the JSON and add the same, I am getting the warning condition key is not supported
Here is my policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "OnlyDynamoDBWithTagValueDev",
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "arn:aws:dynamodb:*:accountnumber:table/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Stage": "Dev"
}
}
}
]}
What I might be doing wrong here?
920
The aws:ResourceTag/tag-key condition key is used to compare the tag key-value pair specified in the IAM policy with the key-value pair that's attached to the AWS resource. For more information, see Controlling access to AWS resources.
The policy of Power User provides full access to all of the resources in IAM. This particular set of authorizations gives access to the resources and services of AWS but restricts any access to the management of groups and users.
The inline policy character limits are 2,048 for users, 10,240 for roles, and 5,120 for groups.
AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies.
I think you are not doing anything wrong. AWS documentation is just incorrect and misleading. aws:ResourceTag is not a global condition key as stated here.
Global condition keys are condition keys with an aws: prefix. AWS services can provide service-specific keys that include the service prefix. For example, IAM condition keys include the iam: prefix.
According to the documentation, any condition with aws: prefix is a global one. However, if you view conditions for other services, e.g IOT, you will see a service-specific condition with aws: prefix, which conflicts with the documentation.
Whereas, ECR lists both ecr:ResourceTag and aws:ResourceTag conditions as service-specific conditions.
EC2, on the other hand, only has ec2:ResourceTag. RDS has rds:db-tagfor the same purpose. However, DynamoDb has no service-specific tags for this purpose.
In short, aws:ResourceTag is not a global condition key. Some services create service-specific tags with aws: prefix, even though they are not supposed to do so to align with AWS naming conventions.
I recommend that you create a separate account for development resources. If you can't do that, you can try changing the logic in your policy as a workaround, e.g. instead of tag conditions, apply naming conventions in your policies, e.g. any table that starts with dev_.
55
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
