Adding UUID tag while creating certificates via ACM


While creating a private certificate via ACM, I added a tag with key: UUID, value: "xxxxx".

When adding a condition to the IAM Roles Anywhere trust policy, I added the following: "Condition": { "StringEquals": { "aws:ResourceTag/UUID": "xxxxx" } }

If I do that, then while generating temporary credentials I get this error: 2023/04/11 08:48:11 AccessDeniedException: Unable to assume role for arn:aws:iam::977695881:role/testIAMRolesAnywhere.

If I remove the condition, it works fine.

Is there anything wrong with the condition?

1 answer

That condition is testing the tags of the role, since that is the resource specified in the policy and the resource the policy is attached to.

Instead of testing the tag of a certificate, test the attributes that are extracted from the cert. See: Trust policy.

I would put it in the Subject Name Alternative, DirName, CommonName. But you will need to use the CLI to generate this as the console does not have this option. See: issue-certificate.

AWS
Expert
kentrad
answered a year ago
  • Ok, thanks. In certificates, subject CN is the domain name we provide while ACM creates the certificate. My use case needs to add UUID in the certificates to differentiate between 2 devices. Where should UUID be added?
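The following is an added example, not code from the thread, from kentrad or from AWS. It models locally how the trust policy condition above is evaluated, so the difference between the two condition keys is visible without an AWS account: `aws:ResourceTag/UUID` is checked against the tags on the IAM role (which carries no such tag, so the request is denied), while `aws:PrincipalTag/x509SAN/Name/CN` is checked against the value IAM Roles Anywhere extracts from the certificate's Subject Alternative Name directory name, which is where the answer suggests placing the per-device UUID. The evaluator is a simplified model (exact string match only, a missing key fails the condition), and the trust anchor ARN, device subjects and tag values are constructed placeholders; the real extraction is done by the Roles Anywhere service, not by this code.

```python
"""Added example: local model of an IAM Roles Anywhere trust policy evaluation.
Everything here (ARNs, device subjects, UUID values) is constructed sample data;
the evaluator is a deliberately small model of IAM's StringEquals/ArnEquals."""
import json
from typing import Any, Dict

# Constructed placeholder, not a real trust anchor.
TRUST_ANCHOR_ARN = "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/EXAMPLE"

# The condition the question used: it inspects tags on the *role*, not the certificate.
ASKER_CONDITION = {"StringEquals": {"aws:ResourceTag/UUID": "xxxxx"}}
# The condition the answer points at: the CN inside the certificate's SAN DirName,
# which Roles Anywhere exposes as a principal tag on the session request.
FIXED_CONDITION = {"StringEquals": {"aws:PrincipalTag/x509SAN/Name/CN": "xxxxx"}}

# Two constructed device certificates; only the SAN DirName CN differs.
DEVICE_A = {"subject": {"CN": "device-a.example.com", "O": "Example Corp"}, "san_dirname": {"CN": "xxxxx"}}
DEVICE_B = {"subject": {"CN": "device-b.example.com", "O": "Example Corp"}, "san_dirname": {"CN": "yyyyy"}}


def build_trust_policy(device_condition: Dict[str, Any]) -> Dict[str, Any]:
    """Roles Anywhere trust policy: service principal, the three STS actions the
    service needs, the trust-anchor pin, plus the caller's device condition."""
    condition: Dict[str, Dict[str, Any]] = {"ArnEquals": {"aws:SourceArn": TRUST_ANCHOR_ARN}}
    for operator, tests in device_condition.items():
        condition.setdefault(operator, {}).update(tests)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "rolesanywhere.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
            "Condition": condition,
        }],
    }


def request_context(subject: Dict[str, str], san_dirname: Dict[str, str],
                    role_tags: Dict[str, str]) -> Dict[str, str]:
    """Model of the request context IAM sees: certificate fields become
    aws:PrincipalTag/x509... keys, the role's own tags become aws:ResourceTag/... keys.
    An ACM tag on the certificate resource never appears here."""
    ctx = {"aws:SourceArn": TRUST_ANCHOR_ARN}
    for rdn, value in subject.items():
        ctx[f"aws:PrincipalTag/x509Subject/{rdn}"] = value
    for rdn, value in san_dirname.items():
        ctx[f"aws:PrincipalTag/x509SAN/Name/{rdn}"] = value
    for key, value in role_tags.items():
        ctx[f"aws:ResourceTag/{key}"] = value
    return ctx


def policy_allows(policy: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    """Simplified IAM semantics: every condition key must be present in the context
    and equal one of the allowed values; a missing key fails the statement."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        satisfied = True
        for operator, tests in stmt.get("Condition", {}).items():
            if operator not in ("StringEquals", "ArnEquals"):
                raise ValueError(f"operator {operator} not modelled here")
            for key, expected in tests.items():
                allowed = expected if isinstance(expected, list) else [expected]
                if ctx.get(key) not in allowed:
                    satisfied = False
        if satisfied:
            return True
    return False


def demo() -> Dict[str, bool]:
    """Run the three cases from the thread; the role itself carries no UUID tag."""
    role_tags: Dict[str, str] = {}
    ctx_a = request_context(DEVICE_A["subject"], DEVICE_A["san_dirname"], role_tags)
    ctx_b = request_context(DEVICE_B["subject"], DEVICE_B["san_dirname"], role_tags)
    return {
        "asker_condition_device_a": policy_allows(build_trust_policy(ASKER_CONDITION), ctx_a),
        "fixed_condition_device_a": policy_allows(build_trust_policy(FIXED_CONDITION), ctx_a),
        "fixed_condition_device_b": policy_allows(build_trust_policy(FIXED_CONDITION), ctx_b),
    }


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(FIXED_CONDITION), indent=2))
    print(json.dumps(demo(), indent=2))
```

Running the script prints the corrected trust policy and the three outcomes: the asker's condition denies device A (the role has no UUID tag to match), the SAN-based condition allows device A and denies device B. To put a value into the SAN DirName of a certificate issued by ACM Private CA, the `aws acm-pca issue-certificate` CLI command accepts an `--api-passthrough` parameter carrying custom subject and extension values, which is the console-less path the answer refers to.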
