IAM Policy to access "Resource Group" using tags failing

0

Hi,
I'm trying to give access for tagged resources to IAM users.
I've tagged a few resources with "cs-namespace":"test1" and have created a "Resource Group" tagged with the same key value pair too.

The listing works, but when my IAM user tries to access the tagged "Resource Group", it gives me a "Forbidden".

Could anyone suggest what I've missed?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:GetGroup",
                "resource-groups:SearchResources"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Edited by: Yi Sheng Yap on Sep 30, 2019 6:21 PM

asked 5 years ago, 3489 views
2 answers
0
Accepted answer

Hi,
if you add

"tag:GetResources"

the Resource Group will get displayed without any errors.

Here is the full policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:GetGroup",
                "resource-groups:SearchResources"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Hope this helps!
-randy

answered 5 years ago
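As an added example that is not part of this thread: a small Python model of how IAM evaluates the two statements in the accepted answer (implicit deny unless an Allow statement matches, case-insensitive action matching, StringEqualsIgnoreCase on aws:ResourceTag), so you can see that dropping tag:GetResources leaves the console's tag lookup with no matching Allow, which is the implicit deny behind the "Forbidden" in the question. It assumes a single identity policy and ignores SCPs, permission boundaries and resource-based policies.

```python
import fnmatch

# Policy from the accepted answer above, copied into a dict for this example.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ResourceGroupList", "Effect": "Allow", "Resource": "*",
         "Action": ["resource-groups:ListGroupResources", "resource-groups:ListGroups",
                    "resource-groups:GetGroupQuery", "resource-groups:GetTags",
                    "tag:GetResources"]},
        {"Sid": "ResourceGroupView", "Effect": "Allow", "Resource": "*",
         "Action": ["resource-groups:GetGroup", "resource-groups:SearchResources"],
         "Condition": {"StringEqualsIgnoreCase": {"aws:ResourceTag/cs-namespace": "test1"}}},
    ],
}

def _condition_met(condition, resource_tags):
    """Evaluate StringEqualsIgnoreCase on aws:ResourceTag/<key>, the only form used here."""
    for operator, pairs in condition.items():
        if operator != "StringEqualsIgnoreCase":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if not key.startswith("aws:ResourceTag/"):
                raise NotImplementedError(key)
            actual = resource_tags.get(key[len("aws:ResourceTag/"):])
            # A resource without the tag has no value for the key, so the condition fails.
            if actual is None or actual.lower() != expected.lower():
                return False
    return True

def is_allowed(policy, action, resource_tags=None):
    """Simplified single-policy IAM decision: implicit deny unless an Allow matches; Deny wins."""
    resource_tags = resource_tags or {}
    decision = False
    for stmt in policy["Statement"]:
        # Action names match case-insensitively and may use * wildcards (Action is a list here).
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in stmt["Action"]):
            continue
        if "Condition" in stmt and not _condition_met(stmt["Condition"], resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

def without_action(policy, action):
    """Copy of the policy with one action dropped: models the question's original policy."""
    return {"Version": policy["Version"],
            "Statement": [dict(s, Action=[a for a in s["Action"] if a != action])
                          for s in policy["Statement"]]}
```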
0

Thanks Randy,

I managed to achieve my goal with your help.

Here's my final policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroups",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:GetGroup",
                "resource-groups:SearchResources",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Cheers.

answered 5 years ago
