IAM Policy Condition StringEquals doesn't work well.


I'd like to control access to EC2 instances using an EC2 tag condition. When I applied the policy below, it doesn't work properly. Please let me know how to fix it.

An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation. is not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/aws:eks:cluster-name": "CLUSTER_NAME"
                }
            }
        }
    ]
}

1 Answer

Hello.

Looking at the following document, "ec2:DescribeInstances" cannot use "ec2:ResourceTag".
"ec2:ResourceTag" can only be used in actions that are included in the "Condition keys" column of the following documents.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-policy-keys

EXPERT
answered 6 months ago
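The answer's point, as an added example that is not part of the question or the answer: a small linter that parses a policy document and flags statements where an ec2:ResourceTag (or aws:ResourceTag) condition is attached to an action that never supplies that key, so the Allow can never match. TAG_AWARE_ACTIONS is a constructed sample, not the full list; the authoritative source is the "Condition keys" column of the Service Authorization Reference linked above.

```python
import json

# Constructed sample of EC2 actions that publish ec2:ResourceTag (check the
# Service Authorization Reference for the real list). No Describe* action is
# here: Describe calls take Resource "*" only and supply no resource tags.
TAG_AWARE_ACTIONS = {
    "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances",
    "ec2:TerminateInstances", "ec2:CreateTags", "ec2:DeleteTags",
}
RESOURCE_TAG_PREFIXES = ("ec2:ResourceTag/", "aws:ResourceTag/")


def _as_list(value):
    """IAM accepts a string or a list for Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def resource_tag_keys(statement):
    """Condition keys in one statement that refer to a resource tag."""
    return [key
            for operator_block in statement.get("Condition", {}).values()
            for key in operator_block
            if key.startswith(RESOURCE_TAG_PREFIXES)]


def find_unmatched_tag_conditions(policy_doc):
    """Return (action, key) pairs where a resource-tag condition is paired
    with an action that does not support that key, so the statement never fires."""
    findings = []
    for stmt in json.loads(policy_doc)["Statement"]:
        for key in resource_tag_keys(stmt):
            for action in _as_list(stmt.get("Action", [])):
                if "*" in action:
                    continue  # wildcard actions need per-action review
                if action not in TAG_AWARE_ACTIONS:
                    findings.append((action, key))
    return findings


# Constructed sample: the question's statement (quote fixed) plus one that is fine.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/aws:eks:cluster-name": "CLUSTER_NAME"}}},
    {"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:StartInstances"], "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/aws:eks:cluster-name": "CLUSTER_NAME"}}},
]})

if __name__ == "__main__":
    for action, key in find_unmatched_tag_conditions(SAMPLE_POLICY):
        print(f"{action}: condition on {key} can never match; use a tag-aware action")
```

Running it reports only the DescribeInstances statement; the StopInstances/StartInstances statement passes because those actions do support the tag key.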
