Adding a condition to an IAM Permission causes ec2:CreateImage to not be authorized

0

So I have an SSO role, and I added ec2:CreateImage to the permission set attached to it, and the resource is "*". It works fine. As soon as I add a condition like "StringEquals", with the condition being a tag, i.e. aws:ResourceTag/Example, it will not work. It does not have some explicit deny etc. The tag value is correct. I've tried different keys and values to rule out spelling errors or some silly mistake.

I have tested this in two different environments and I troubleshot using the Policy Builder (so no syntax issues). I have double checked by deleting the permission (and seeing it blocked), adding the bare permission without conditions (it passes), and then adding a condition (it then fails).

I don't see anything in the documentation or dependencies that would cause this to fail. Any reason?

  • For clarity, can you post an excerpt of the policy json that you are trying to troubleshoot?

1 Answer
1

Reading your question, it sounds like you are trying to specify Resource:* when using the ConditionKey aws:ResourceTag/${TagKey}. For the action ec2:CreateImage, you must also specify which Resource type when using this ConditionKey. In this case, the Resource type is instance as the other supported Resource type image does not support this ConditionKey.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-policy-keys

If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For example, to match tags on all EC2 instances in an account with ID 111111111111, we must specify "Resource": "arn:aws:ec2:*:111111111111:instance/*"

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:CreateImage",
            "Resource": "arn:aws:ec2:*:111111111111:instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/TAG_KEY": "TAG_VALUE"
                }
            }
        }
    ]
}
```
simon (AWS)
answered a year ago
  • Hi Simon,

    I tried that and used the following policy with an example account #, unfortunately it did not work. Is there any possibility that SSO may be conflicting with this? Or that there are dependent permissions? I couldn't see anything amiss in the docs.

    ```json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateImageCustom",
                "Effect": "Allow",
                "Action": "ec2:CreateImage",
                "Resource": "arn:aws:ec2:*:111111111111:instance/*",
                "Condition": {
                    "StringEquals": {
                        "aws:ResourceTag/Example": "ExampleValue"
                    }
                }
            }
        ]
    }
    ```
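The answer's point is that aws:ResourceTag is only evaluated against the instance resource type for ec2:CreateImage. The Service Authorization reference the answer links to also marks both `instance` and `image` as required resource types for this action (the asterisk the quoted text describes), so a statement that allows ec2:CreateImage only on `instance/*`, as in the follow-up comment, leaves the `image` resource unauthorized; the image ARN (`arn:aws:ec2:<region>::image/*`, with an empty account field) needs its own statement without the tag condition. The script below is an added example, not code from the thread or from AWS: it lints the three policy shapes in this thread (the question's `"*"` plus condition, the comment's instance-only statement, and a two-statement fix) for exactly that mistake. Account 111111111111 and the tag Example=ExampleValue are the thread's placeholder values, and the `lint_create_image` / `resource_types` helpers are this example's own.

```python
import json
import re

# 1. The shape the question describes: Resource "*" plus an aws:ResourceTag condition.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "ec2:CreateImage",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/Example": "ExampleValue"}},
    }],
}
# 2. The follow-up comment's attempt: condition scoped to instance ARNs, nothing for images.
COMMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CreateImageCustom",
        "Effect": "Allow",
        "Action": "ec2:CreateImage",
        "Resource": "arn:aws:ec2:*:111111111111:instance/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/Example": "ExampleValue"}},
    }],
}
# 3. Both required resource types covered: the tag condition on instance/*, plus a
#    second statement for image/* (EC2 image ARNs have an empty account field).
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateImageFromTaggedInstance",
            "Effect": "Allow",
            "Action": "ec2:CreateImage",
            "Resource": "arn:aws:ec2:*:111111111111:instance/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Example": "ExampleValue"}},
        },
        {
            "Sid": "CreateImageImageResource",
            "Effect": "Allow",
            "Action": "ec2:CreateImage",
            "Resource": "arn:aws:ec2:*::image/*",
        },
    ],
}

# arn:<partition>:ec2:<region>:<account>:<resource-type>/<id>
EC2_ARN = re.compile(r"^arn:aws[a-z-]*:ec2:[^:]*:[^:]*:([a-z-]+)/")
CREATE_IMAGE = {"ec2:createimage", "ec2:*", "*"}


def as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def resource_types(resource):
    """EC2 resource types a Resource element can match; {'*'} means any type."""
    types = set()
    for arn in as_list(resource):
        if arn == "*":
            return {"*"}
        match = EC2_ARN.match(arn)
        if match:
            types.add(match.group(1))
    return types


def lint_create_image(policy):
    """Findings for Allow statements on ec2:CreateImage that fail the way the thread describes."""
    findings = []
    image_covered = False
    for stmt in policy["Statement"]:
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & CREATE_IMAGE:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        types = resource_types(stmt.get("Resource"))
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        uses_resource_tag = any(k.startswith("aws:resourcetag/") for k in keys)
        if uses_resource_tag and types != {"instance"}:
            # For this action the key is only supported on the instance resource type.
            findings.append(f"{sid}: aws:ResourceTag condition must be scoped to instance ARNs, "
                            f"got {sorted(types)}")
        if not uses_resource_tag and types & {"*", "image"}:
            image_covered = True
    if not image_covered:
        findings.append("no statement allows ec2:CreateImage on the image resource type "
                        "(arn:aws:ec2:<region>::image/*) without an aws:ResourceTag condition")
    return findings


if __name__ == "__main__":
    for name, policy in [("question", QUESTION_POLICY), ("comment", COMMENT_POLICY),
                         ("fixed", FIXED_POLICY)]:
        print(name, json.dumps(lint_create_image(policy), indent=2))
```

The lint is a structural check, not the IAM evaluation engine; treat it as a pre-flight before the authoritative test, which is running the policy through the IAM policy simulator (or `aws iam simulate-custom-policy`) against the actual instance ARN and the `image/*` ARN, where a missing `image` statement shows up as an implicit deny rather than a syntax error.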