Cannot perform `ec2:CreateSecurityGroup` on non-default vpc with `aws:ResourceTag` conditions in IAM policy
I have the following policy snippet in IAM:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "Controller" } } } ] }
This works for the default VPC, allowing the user to create a security group, only if the tag CreatedBy is set to the correct value.
$ aws ec2 create-security-group --group-name test-sg-2 --description "test" --region us-west-2 --profile controller-test --tag-specification 'ResourceType=security-group,Tags=[{Key=CreatedBy,Value=Controller}]' { "GroupId": "sg-XXXXXXXXXXXXXX", "Tags": [ { "Key": "CreatedBy", "Value": "Controller" } ] }
However, when running against a non-default VPC, an opaque permission denied error is returned
$ aws ec2 create-security-group --vpc-id vpc-XXXXXXXXXX --group-name test-sg-2 --description "test" --region us-west-2 --profile controller-test --tag-specification 'ResourceType=security-group,Tags=[{Key=CreatedBy,Value=Controller}]' An error occurred (UnauthorizedOperation) when calling the CreateSecurityGroup operation: You are not authorized to perform this operation. User: arn:aws:iam::XXXXXXXXX:user/test-controller is not authorized to perform: ec2:CreateSecurityGroup on resource: arn:aws:ec2:us-west-2:XXXXXXXX:vpc/vpc-XXXXXXXXX because no identity-based policy allows the ec2:CreateSecurityGroup action.
Removing the condition for request tags allows the user to create the SG as you'd expect. The policy simulator claims that this policy should work, but for some reason it isn't.
I've tried adding an explicit permission grant to the VPC with Resources=["arn:aws:ec2:::security-group/*","arn:aws:ec2:::vpc/vpc-XXXXXXXX"] in the policy, various tweaks to the condition block, and half a dozen other things I've forgotten at this point, but as far as I can tell having a condition on RequestTag just breaks non-default VPC deployment, even though it's listed as a supported condition in the IAM conditions list
What am I missing here?
- Newest
- Most votes
- Most comments
After talking with support, the issue is that CreateSecurityGroup in a non-default VPC requires that the requester be authorized to call CreateSecurityGroup on that VPC. The VPC component of CreateSecurityGroup does not, however, support filtering on aws:RequestTag. The solution is to use two seperate statements, one which grants CreateSecurityGroup on security-group/* and one which grants CreateSecurityGroup on the VPC(s).
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:XXXXXXXXX:security-group/*", "Condition": { "StringEquals": { "aws:RequestTag/CreatedBy": "Controller" } } }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup", "Resource": "arn:aws:ec2:*:XXXXXXXXX:vpc/vpc-XXXXXXXXX" } { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "ec2:Describe*", "ec2:CreateTags" ], "Resource": "*" } ] }
It states the required permission also needed is ec2:CreateTags
Does this user have the permission to CreateTags also?
Yes, the create tags permission is granted elsewhere. Tags are applied correctly when placed in the default VPC, which leads me to believe that's not the issue.
Relevant content
- asked 6 months ago
- Accepted Answerasked 2 years ago
- asked 2 months ago
- asked 2 years ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated 5 months ago
This policy is exactly what I said. Just missing create tag. Resource is * basically.