IAM Policy to access "Resource Group" using tags failing

0

Hi,
I'm trying to give access for tagged resources to IAM users.
I've tagged a few resources with "cs-namespace":"test1" and have created a "Resource Group" tagged with the same key value pair too.

The listing works, but when my IAM user tries to access the tagged "Resource Group", it gives me a "Forbidden".

Could anyone suggest what I've missed?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:GetGroup",
                "resource-groups:SearchResources"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Edited by: Yi Sheng Yap on Sep 30, 2019 6:21 PM

asked 5 years ago, 4152 views
2 Answers
0
Accepted Answer

Hi,
if you add

"tag:GetResources"

the Resource Group will get displayed without any errors.

Here is the full policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:GetGroup",
                "resource-groups:SearchResources"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Hope this helps!
-randy

EXPERT
answered 5 years ago
0

Thanks Randy,

I managed to achieve my goal with your help.

Here's my final policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroups",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:GetGroup",
                "resource-groups:SearchResources",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Cheers.

answered 5 years ago
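To make the behaviour behind the "Forbidden" concrete, here is an added example (not code from the thread or from AWS) that simulates how IAM evaluates the final policy above against a request: a request is allowed only if some Allow statement matches, and an aws:ResourceTag condition whose key is absent or does not match removes that statement from consideration. It models only the subset of IAM semantics this policy uses (Allow statements, action wildcards, StringEqualsIgnoreCase on aws:ResourceTag/<key>) and is not a full policy evaluator; the `is_allowed`/`statement_matches` names are mine.

```python
# Added example: minimal offline simulation of IAM evaluation for the
# two-statement policy in this thread. Not a complete IAM evaluator.
import fnmatch

# The asker's final policy, as Python literals (same actions and condition).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ResourceGroupList", "Effect": "Allow",
         "Action": ["resource-groups:ListGroups", "tag:GetResources"],
         "Resource": "*"},
        {"Sid": "ResourceGroupView", "Effect": "Allow",
         "Action": ["resource-groups:ListGroupResources", "resource-groups:GetGroup",
                    "resource-groups:SearchResources", "resource-groups:GetGroupQuery",
                    "resource-groups:GetTags"],
         "Resource": "*",
         "Condition": {"StringEqualsIgnoreCase": {"aws:ResourceTag/cs-namespace": "test1"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_matches(stmt, action, resource_tags):
    """True if this statement's Action list and Condition both apply to the request."""
    if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEqualsIgnoreCase":
            raise NotImplementedError(operator)  # only the operator this policy uses
        for key, expected in pairs.items():
            prefix = "aws:ResourceTag/"
            if not key.startswith(prefix):
                raise NotImplementedError(key)
            actual = resource_tags.get(key[len(prefix):])
            # A missing condition key never satisfies a StringEquals-style test, so an
            # untagged resource (or a call that carries no resource tag) drops out here.
            if actual is None or actual.lower() != expected.lower():
                return False
    return True

def is_allowed(policy, action, resource_tags=None):
    """Implicit deny: the request is allowed only if some Allow statement matches."""
    tags = resource_tags or {}
    return any(statement_matches(s, action, tags)
               for s in policy["Statement"] if s["Effect"] == "Allow")
```

Calling `is_allowed(POLICY, "resource-groups:GetGroup")` with no tags returns False while the same call with `{"cs-namespace": "TEST1"}` returns True, which is the difference between the asker's original "Forbidden" and the working policy.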
