IAM Policy to access "Resource Group" using tags failing

0

Hi,
I'm trying to give access for tagged resources to IAM users.
I've tagged a few resources with "cs-namespace":"test1" and have created a "Resource Group" tagged with the same key value pair too.

The listing works, but when my IAM user tries to access the tagged "Resource Group", it gives me a "Forbidden".

Could anyone suggest what I've missed?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:GetGroup",
                "resource-groups:SearchResources"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Edited by: Yi Sheng Yap on Sep 30, 2019 6:21 PM

asked 5 years ago, 3486 views
2 Answers
0
Accepted answer

Hi,
if you add

"tag:GetResources"

the Resource Group will be displayed without any errors.

Here is the full policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:GetGroup",
                "resource-groups:SearchResources"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Hope this helps!
-randy

answered 5 years ago
0

Thanks Randy,

I managed to achieve my goal with your help.

Here's my final policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroups",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:GetGroup",
                "resource-groups:SearchResources",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Cheers.

answered 5 years ago
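As an added example (not from anyone in the thread), here is a small Python checker that evaluates the two policies above offline, using only the subset of IAM logic they rely on: Allow/Deny, "*" wildcards in Action, and StringEquals/StringEqualsIgnoreCase on aws:ResourceTag keys. It is not AWS's policy evaluator and ignores Resource ARNs and other condition keys, but it is enough to show why the original policy never grants tag:GetResources and how the cs-namespace tag gates the group actions in the final one.

```python
import fnmatch

# Constructed copies of the two policies in this thread: the questioner's original
# (no tag:GetResources) and the final one posted after the accepted answer.
COND = {"StringEqualsIgnoreCase": {"aws:ResourceTag/cs-namespace": "test1"}}
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ResourceGroupList", "Effect": "Allow", "Resource": "*",
     "Action": ["resource-groups:ListGroupResources", "resource-groups:ListGroups",
                "resource-groups:GetGroupQuery", "resource-groups:GetTags"]},
    {"Sid": "ResourceGroupView", "Effect": "Allow", "Resource": "*", "Condition": COND,
     "Action": ["resource-groups:GetGroup", "resource-groups:SearchResources"]}]}
FINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ResourceGroupList", "Effect": "Allow", "Resource": "*",
     "Action": ["resource-groups:ListGroups", "tag:GetResources"]},
    {"Sid": "ResourceGroupView", "Effect": "Allow", "Resource": "*", "Condition": COND,
     "Action": ["resource-groups:ListGroupResources", "resource-groups:GetGroup",
                "resource-groups:SearchResources", "resource-groups:GetGroupQuery",
                "resource-groups:GetTags"]}]}


def _condition_holds(condition, resource_tags):
    """StringEquals/StringEqualsIgnoreCase on aws:ResourceTag/<key>; anything else fails closed."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            return False
        fold = str.lower if operator == "StringEqualsIgnoreCase" else str
        for ctx_key, expected in pairs.items():
            if not ctx_key.startswith("aws:ResourceTag/"):
                return False
            actual = resource_tags.get(ctx_key[len("aws:ResourceTag/"):])
            # A resource without the tag key has no value for the condition key: fails.
            if actual is None or fold(actual) != fold(expected):
                return False
    return True


def is_allowed(policy, action, resource_tags=None):
    """Allow if a statement's Action matches (IAM '*' wildcards, case-insensitive) and its Condition holds; Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags or {}):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

Run it against a group tagged with a different cs-namespace value, or with no tag at all, to confirm that only ListGroups and tag:GetResources remain reachable; for the real account, the IAM policy simulator is the authoritative check.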
