2 Answers
0
After talking with support, the issue is that CreateSecurityGroup in a non-default VPC requires that the requester be authorized to call CreateSecurityGroup on that VPC. The VPC component of CreateSecurityGroup does not, however, support filtering on aws:RequestTag. The solution is to use two separate statements, one which grants CreateSecurityGroup on security-group/* and one which grants CreateSecurityGroup on the VPC(s).
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:CreateSecurityGroup",
            "Resource": "arn:aws:ec2:*:XXXXXXXXX:security-group/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/CreatedBy": "Controller"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2:CreateSecurityGroup",
            "Resource": "arn:aws:ec2:*:XXXXXXXXX:vpc/vpc-XXXXXXXXX"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:CreateTags"
            ],
            "Resource": "*"
        }
    ]
}
answered 6 months ago
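A small policy check written for this thread (added example, not code from the answer or from AWS) that tests whether an IAM policy follows the two-statement pattern described above: a tag-conditioned CreateSecurityGroup grant on security-group/*, an unconditioned grant on the vpc resource, and a CreateTags grant. The sample policy, account id and VPC id are constructed placeholders.

```python
# Constructed sample, not from the page: the working two-statement pattern
# from the answer above, with obvious placeholders for account and VPC ids.
WORKING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SgWithTag", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup",
         "Resource": "arn:aws:ec2:*:111111111111:security-group/*",
         "Condition": {"StringEquals": {"aws:RequestTag/CreatedBy": "Controller"}}},
        {"Sid": "VpcNoTag", "Effect": "Allow", "Action": "ec2:CreateSecurityGroup",
         "Resource": "arn:aws:ec2:*:111111111111:vpc/vpc-PLACEHOLDER"},
        {"Sid": "Tags", "Effect": "Allow", "Action": ["ec2:Describe*", "ec2:CreateTags"],
         "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _has_request_tag_condition(stmt):
    # True if any condition key is aws:RequestTag/<key>, whatever the operator.
    return any(key.lower().startswith("aws:requesttag/")
               for keys in stmt.get("Condition", {}).values() for key in keys)

def check_create_sg_policy(policy):
    """Return findings for a policy meant to allow CreateSecurityGroup only for
    tagged groups. An empty list means it matches the working pattern."""
    findings, sg_ok, vpc_ok, tags_ok = [], False, False, False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        sid = stmt.get("Sid", "<no Sid>")
        if actions & {"ec2:createtags", "ec2:*", "*"}:
            tags_ok = True
        if not actions & {"ec2:createsecuritygroup", "ec2:*", "*"}:
            continue
        tagged = _has_request_tag_condition(stmt)
        for res in _as_list(stmt.get("Resource", [])):
            covers_sg = res == "*" or ":security-group/" in res
            covers_vpc = res == "*" or ":vpc/" in res
            if covers_sg and tagged:
                sg_ok = True
            elif covers_sg:
                findings.append(f"{sid}: security-group grant has no aws:RequestTag condition, so untagged groups can be created")
            if covers_vpc and tagged:
                findings.append(f"{sid}: aws:RequestTag is not evaluated for the vpc resource, so this statement never authorizes the VPC part")
            elif covers_vpc:
                vpc_ok = True
    if not sg_ok:
        findings.append("no tag-conditioned CreateSecurityGroup grant on security-group/*")
    if not vpc_ok:
        findings.append("no unconditioned CreateSecurityGroup grant on the vpc resource (needed in a non-default VPC)")
    if not tags_ok:
        findings.append("no ec2:CreateTags grant, so tagging on create will be denied")
    return findings
```

Run it against the policy in the answer (with real ids substituted) before attaching it; a single tag-conditioned statement with Resource "*" is flagged because the VPC part of the call can never match.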
0
It states that the required permission also needed is ec2:CreateTags. Does this user have the permission to CreateTags also?
Yes, the create tags permission is granted elsewhere. Tags are applied correctly when placed in the default VPC, which leads me to believe that's not the issue.
This policy is exactly what I said. Just missing create tag. Resource is * basically.