IAM Policy to access "Resource Group" using tags failing

0

Hi,
I'm trying to give access for tagged resources to IAM users.
I've tagged a few resources with "cs-namespace":"test1" and have created a "Resource Group" tagged with the same key-value pair too.

The listing works, but when my IAM user tries to access the tagged "Resource Group", it gives me a "Forbidden".

Could anyone suggest what I've missed?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:GetGroup",
                "resource-groups:SearchResources"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Edited by: Yi Sheng Yap on Sep 30, 2019 6:21 PM

Asked 5 years ago, 3489 views
2 answers
0
Accepted answer

Hi,
If you add

"tag:GetResources"

the Resource Group will be displayed without any errors.

Here is the full policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:GetGroup",
                "resource-groups:SearchResources"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Hope this helps!
-randy

Answered 5 years ago
0

Thanks Randy,

I managed to achieve my goal with your help.

Here's my final policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroups",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:GetGroup",
                "resource-groups:SearchResources",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Cheers.

Answered 5 years ago
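A small evaluator for the final policy in the reply above, added here as an example (it is not code from the thread or from AWS). It models the three IAM rules that explain the thread's outcome: default deny, explicit deny wins, and every condition key must match, with a missing aws:ResourceTag key in the request context failing the condition. That last rule is why the listing actions (ListGroups, tag:GetResources) have to stay in the unconditioned statement: a listing call is not made against one tagged resource, so there is no resource tag for the condition to test. The function names and the evaluator itself are assumptions, not AWS's real engine.

```python
import fnmatch

# The asker's final policy, transcribed from the reply above.
FINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ResourceGroupList", "Effect": "Allow",
         "Action": ["resource-groups:ListGroups", "tag:GetResources"],
         "Resource": "*"},
        {"Sid": "ResourceGroupView", "Effect": "Allow",
         "Action": ["resource-groups:ListGroupResources", "resource-groups:GetGroup",
                    "resource-groups:SearchResources", "resource-groups:GetGroupQuery",
                    "resource-groups:GetTags"],
         "Resource": "*",
         "Condition": {"StringEqualsIgnoreCase": {"aws:ResourceTag/cs-namespace": "test1"}}},
    ],
}


def _condition_matches(condition, context):
    """Every operator/key pair must hold; a key absent from the request context fails."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            values = wanted if isinstance(wanted, list) else [wanted]
            if operator == "StringEquals":
                if actual not in values:
                    return False
            elif operator == "StringEqualsIgnoreCase":
                if actual.lower() not in [v.lower() for v in values]:
                    return False
            else:
                raise NotImplementedError(f"operator not modelled: {operator}")
    return True


def is_allowed(policy, action, resource_tags=None):
    """Simplified IAM decision (assumed model): implicit deny, explicit deny wins, else any matching Allow."""
    # Tags of the resource being acted on become aws:ResourceTag/<key> context keys.
    context = {f"aws:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()}
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Run it against GetGroup with and without the cs-namespace tag to see the "Forbidden" from the question reproduced: the conditioned statement only matches when the group carries the tag, and nothing else grants the action.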
