Reading your question, it sounds like you are trying to specify `Resource: "*"` when using the ConditionKey `aws:ResourceTag/${TagKey}`. For the action `ec2:CreateImage`, you must also specify which Resource type when using this ConditionKey. In this case, the Resource type is `instance`, as the other supported Resource type, `image`, does not support this ConditionKey.
If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
For example, to match tags on all ec2 instances in an account with ID 111111111111, we must specify `"Resource": "arn:aws:ec2:*:111111111111:instance/*"`:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:CreateImage",
      "Resource": "arn:aws:ec2:*:111111111111:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/TAG_KEY": "TAG_VALUE"
        }
      }
    }
  ]
}
```
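As an added illustration of the point in this answer (not code from the thread or from AWS), here is a small policy lint that flags an Allow statement granting `ec2:CreateImage` under an `aws:ResourceTag/...` condition whose `Resource` is not an `instance` ARN. The two policies are constructed samples, not the asker's real policy; the account ID is the placeholder from the answer.

```python
import json
import re

# Constructed sample policies (not the asker's real policy). The first has the
# shape the answer warns about: Resource "*" with an aws:ResourceTag condition.
BROKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CreateImageByTag", "Effect": "Allow",
        "Action": "ec2:CreateImage", "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/Example": "ExampleValue"}}}]})
# Same statement, scoped to instance ARNs as the answer recommends.
FIXED_POLICY = BROKEN_POLICY.replace('"*"', '"arn:aws:ec2:*:111111111111:instance/*"')

# ARN of the instance resource type; region, account and instance id may be "*".
INSTANCE_ARN = re.compile(r"^arn:aws:ec2:[a-z0-9*-]*:(\d{12}|\*):instance/[^/]+$")


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def find_resource_tag_pitfalls(policy_json: str) -> list:
    """Return one finding per Resource entry that is not an instance ARN in an
    Allow statement granting ec2:CreateImage under an aws:ResourceTag/... key.
    "*" and image ARNs are both reported: image does not support this key."""
    findings = []
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if st.get("Effect") != "Allow" or "ec2:createimage" not in actions:
            continue
        # Condition is {operator: {key: value}}; condition keys are case-insensitive.
        keys = [k.lower() for op in st.get("Condition", {}).values() for k in op]
        if not any(k.startswith("aws:resourcetag/") for k in keys):
            continue
        for res in _as_list(st.get("Resource", [])):
            if not INSTANCE_ARN.match(res):
                findings.append({"sid": st.get("Sid"), "resource": res,
                                 "fix": "use arn:aws:ec2:<region>:<account>:instance/*"})
    return findings


if __name__ == "__main__":
    print(find_resource_tag_pitfalls(BROKEN_POLICY))  # one finding, resource "*"
    print(find_resource_tag_pitfalls(FIXED_POLICY))   # []
```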
Hi Simon,
I tried that and used the following policy with an example account #, unfortunately it did not work. Is there any possibility that SSO may be conflicting with this? Or that there are dependent permissions? I couldn't see anything amiss in the docs
```json
{
  "Sid": "CreateImageCustom",
  "Effect": "Allow",
  "Action": "ec2:CreateImage",
  "Resource": "arn:aws:ec2:*:111111111111:instance/*",
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/Example": "ExampleValue"
    }
  }
}
```
For clarity, can you post an excerpt of the policy json that you are trying to troubleshoot?