2개 답변
- 최신
- 최다 투표
- 가장 많은 댓글
0
After talking with support, the issue is that CreateSecurityGroup
in a non-default VPC requires that the requester be authorized to call CreateSecurityGroup
on that VPC. The VPC component of CreateSecurityGroup
does not, however, support filtering on aws:RequestTag
. The solution is to use two seperate statements, one which grants CreateSecurityGroup
on security-group/*
and one which grants CreateSecurityGroup
on the VPC(s).
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:XXXXXXXXX:security-group/*", "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "Controller" } } }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:XXXXXXXXX:vpc/vpc-XXXXXXXXX" } { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "ec2:Describe*", "ec2:CreateTags" ], "Resource": "*" } ] }
답변함 6달 전
0
It states the required permission also needed is ec2:CreateTags
Does this user have the permission to CreateTags also?
Yes, the create tags permission is granted elsewhere. Tags are applied correctly when placed in the default VPC, which leads me to believe that's not the issue.
This policy is exactly what I said. Just missing create tag. Resource is * basically.