2回答
- 新しい順
- 投票が多い順
- コメントが多い順
0
After talking with support, the issue is that CreateSecurityGroup
in a non-default VPC requires that the requester be authorized to call CreateSecurityGroup
on that VPC. The VPC component of CreateSecurityGroup
does not, however, support filtering on aws:RequestTag
. The solution is to use two seperate statements, one which grants CreateSecurityGroup
on security-group/*
and one which grants CreateSecurityGroup
on the VPC(s).
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:XXXXXXXXX:security-group/*", "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "Controller" } } }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:XXXXXXXXX:vpc/vpc-XXXXXXXXX" } { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "ec2:Describe*", "ec2:CreateTags" ], "Resource": "*" } ] }
回答済み 6ヶ月前
0
It states the required permission also needed is ec2:CreateTags
Does this user have the permission to CreateTags also?
Yes, the create tags permission is granted elsewhere. Tags are applied correctly when placed in the default VPC, which leads me to believe that's not the issue.
関連するコンテンツ
- 質問済み 6年前
This policy is exactly what I said. Just missing create tag. Resource is * basically.