How can you restrict EC2 instances to assuming an IAM role based on the instance's tags?

1

I'd like my IAM role for an EC2 instance to only be assumed based on the instance's tags. Specifically, I have an Environment tag, and I only want e.g. an EC2 instance tagged with Environment=production to be able to assume my production role.

I'm attempting to do this via the IAM role's trust policy, but have not been able to build policy that allows for this. I've tried several variations of:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "production"
        }
      }
    }
  ]
}

I've tried aws:ResourceTag, ec2:ResourceTag, aws:RequestTag, aws:PrincipalTag, and probably a few others to no avail.

When I have this condition in the trust policy, the EC2 console doesn't complain when I attach the profile to the instance, but the AWS CLI on the instance can't find any credentials unless I remove the condition from the trust policy.

Is there some reason the instance's tags are not usable in a trust policy? Is there another way to restrict EC2 assuming a role based on the instance tags?

2 Answers
0

Based on my experience with IAM, what you're looking to achieve isn't possible with existing functionality. Instead, I recommend creating and utilizing separate AWS accounts for production, staging, development, etc., and allowing only authorized individuals or teams access to those accounts. This is consistent with the AWS best practices recommendations we give to customers regularly, and ensures access to data and other resources is less likely to be accidentally granted to unauthorized parties.

AWS
EXPERT
answered 2 years ago
  • Thanks, but missing the point a bit. What if it wasn't environment, but cost center, or owner? There are pages and pages of AWS documentation about controlling access with tags, but in practice it doesn't seem to work anywhere that I've needed it.

0

I think I get what you are trying to achieve, but I'm not sure whether the condition statement is in the right place here. In order to assign permissions to an Amazon EC2 Instance, you need to assign an IAM role to this EC2 Instance. Amazon EC2 uses an instance profile as a container for an IAM role.

See also the note for Instance Profiles: An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles. This limit of one role per instance profile cannot be increased.

What I would recommend is to look into:

  • Tags for Instance Profiles, to determine the matching role according to the EC2 Instance
  • Condition statements in the IAM policies included with the Instance Profile. This approach would depend on the required policy; keep in mind the quotas for IAM entities.
AWS
kunzt
answered 2 years ago
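Worked example, added here as an editor's illustration and not code from the question or either answer. A trust-policy condition is evaluated against the sts:AssumeRole call that the EC2 service makes on the instance's behalf; in that context aws:ResourceTag refers to the tags on the role being assumed, aws:PrincipalTag to the caller (the EC2 service, which has no tags), and the instance's own tags are not present at all, so the condition in the question matches nothing and the instance metadata endpoint hands out no credentials. The tag check therefore has to sit on the principal that launches instances or attaches profiles, not on the role. The identity policy below does that for the second answer's "use condition statements" route: it lets the holder launch instances only when they are tagged Environment=production, pass only the production role to EC2, attach a profile only to instances already carrying that tag, and it stops the Environment tag from being rewritten afterwards. The account ID 111122223333, region us-east-1, and role name production-app-role are placeholders I assumed for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchInstancesOnlyWhenTaggedProduction",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/Environment": "production" }
      }
    },
    {
      "Sid": "OtherResourcesRunInstancesTouches",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1::image/ami-*",
        "arn:aws:ec2:us-east-1:111122223333:network-interface/*",
        "arn:aws:ec2:us-east-1:111122223333:security-group/*",
        "arn:aws:ec2:us-east-1:111122223333:subnet/*",
        "arn:aws:ec2:us-east-1:111122223333:volume/*",
        "arn:aws:ec2:us-east-1:111122223333:key-pair/*"
      ]
    },
    {
      "Sid": "TagInstancesOnlyAsPartOfLaunch",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "RunInstances" }
      }
    },
    {
      "Sid": "PassOnlyTheProductionRoleToEc2",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/production-app-role",
      "Condition": {
        "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" }
      }
    },
    {
      "Sid": "AttachProfileOnlyToProductionInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:AssociateIamInstanceProfile",
        "ec2:ReplaceIamInstanceProfileAssociation"
      ],
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Environment": "production" }
      }
    },
    {
      "Sid": "DenyRewritingTheEnvironmentTagAfterLaunch",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": { "aws:TagKeys": "Environment" },
        "StringNotEquals": { "ec2:CreateAction": "RunInstances" }
      }
    }
  ]
}
```

Two caveats worth keeping in mind when adopting this. The final Deny is what makes the scheme hold: without it, anyone holding ec2:CreateTags could relabel a development instance as production and then attach the production profile, so the tag that gates the profile must itself be protected. And the checks run at launch or attach time, not each time credentials are issued; a profile that is already associated keeps working until the association is replaced. If you also want the credentials themselves pinned, the role's permissions policy can condition on ec2:SourceInstanceARN, but that key carries the instance's ARN, not its tags.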
