2 Respuestas
- Más nuevo
- Más votos
- Más comentarios
0
After talking with support, the issue is that CreateSecurityGroup
in a non-default VPC requires that the requester be authorized to call CreateSecurityGroup
on that VPC. The VPC component of CreateSecurityGroup
does not, however, support filtering on aws:RequestTag
. The solution is to use two seperate statements, one which grants CreateSecurityGroup
on security-group/*
and one which grants CreateSecurityGroup
on the VPC(s).
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:XXXXXXXXX:security-group/*", "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "Controller" } } }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:XXXXXXXXX:vpc/vpc-XXXXXXXXX" } { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "ec2:Describe*", "ec2:CreateTags" ], "Resource": "*" } ] }
respondido hace 6 meses
0
It states the required permission also needed is ec2:CreateTags
Does this user have the permission to CreateTags also?
Yes, the create tags permission is granted elsewhere. Tags are applied correctly when placed in the default VPC, which leads me to believe that's not the issue.
Contenido relevante
- OFICIAL DE AWSActualizada hace 2 años
- OFICIAL DE AWSActualizada hace un año
This policy is exactly what I said. Just missing create tag. Resource is * basically.