How do I permit access to S3 via EC2 role and EC2 instance tagging

1

I'm trying to create a policy that will allow an EC2 instance access to an S3 bucket and prefix controlled via the Name tag on the EC2 instance. It feels like I should be able to create a policy similar to the one below, but it isn't working. I get a 'PutObject operation: Access Denied' when I try to create an object.

My EC2 instance has a non-blank Name tag. If I remove the ${aws:RequestTag/Name} portion from the Resource list, the EC2 instance can put files, but with the variable, the action fails. I'm trying to limit the S3 object prefix to include the value of the EC2 instance's Name tag.

The policy I'm trying to use is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-backups-sn/${aws:RequestTag/Name}/*"
        }
    ]
}

From my EC2 instance I'm executing the following, where the instance has Name=inst_name defined in the AWS console:

aws s3 cp my_file s3://my-backups-sn/inst_name/my_file.txt

Any guidance is gratefully accepted

2 Answers
1
Accepted Answer

The IAM Policy variable for "aws:RequestTag/${TagKey}" is used when you are creating a tag for a resource. For example, if you want to specify the key/value pairs that a resource is allowed to be tagged with, you can use the "aws:RequestTag/${TagKey}" variable in an IAM Policy to allow/deny specific tags.

For example, the following policy would allow you to apply the environment/prepod tag on an EC2 instance:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "ec2:CreateTags",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "StringEquals": {
        "aws:RequestTag/environment": [
          "production"
        ]
      }
    }
  }
}

The "aws:RequestTag/${TagKey}" variable will not send the tags attached to an AWS resource to S3. For more information about this policy variable, please refer to the following link: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag

However, you can send the tags that are attached to an IAM Role to S3 using the "${aws:PrincipalTag/Name}" variable. For example, if you have an EC2 instance that is using an EC2 instance role, you can tag the EC2 instance role with the appropriate tags. Then, attach the following policy to the IAM Role:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/${aws:PrincipalTag/Name}/*"
  }
}

For more information about the "${aws:PrincipalTag/Name}" variable, please refer to the following link: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principaltag

AWS
answered a year ago
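To make the difference between the two variables concrete, here is an added example (not from the question, the answer, or AWS) that models how IAM resolves a policy variable in the Resource element before matching the object ARN. It assumes a simplified evaluation model: tags on the IAM role appear in the request context as aws:PrincipalTag/<key>, tags on the EC2 instance never do, and a variable that cannot be resolved makes the statement match nothing. Bucket name, tag value and object key are the ones from the question.

```python
import re

# Constructed example: the question's policy (aws:RequestTag) beside the
# accepted answer's approach (aws:PrincipalTag), both for s3:PutObject.
ASKER_POLICY = {"Effect": "Allow", "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::my-backups-sn/${aws:RequestTag/Name}/*"}
ROLE_TAG_POLICY = {"Effect": "Allow", "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::my-backups-sn/${aws:PrincipalTag/Name}/*"}

VAR = re.compile(r"\$\{([A-Za-z0-9:/_-]+)\}")

def request_context(role_tags, instance_tags):
    """Keys a plain s3:PutObject call exposes to policy evaluation (simplified).
    Tags on the IAM role become aws:PrincipalTag/<key>. Tags on the EC2 instance
    are never part of the S3 request, and aws:RequestTag/<key> only exists when
    the request itself carries tags (for example ec2:CreateTags)."""
    del instance_tags  # accepted only to make the point: they do not count
    return {f"aws:PrincipalTag/{k}": v for k, v in role_tags.items()}

def expand(resource, context):
    """Substitute ${key} policy variables. Returns None when a key is absent:
    a statement whose variable cannot be resolved matches nothing."""
    out, pos = [], 0
    for m in VAR.finditer(resource):
        if m.group(1) not in context:
            return None
        out.append(resource[pos:m.start()] + context[m.group(1)])
        pos = m.end()
    return "".join(out) + resource[pos:]

def arn_matches(pattern, arn):
    # IAM resource wildcards: '*' any run of characters, '?' one character
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None

def statement_allows(stmt, action, arn, context):
    if stmt["Effect"] != "Allow" or stmt["Action"] != action:
        return False
    expanded = expand(stmt["Resource"], context)
    return expanded is not None and arn_matches(expanded, arn)

def evaluate(stmt, role_tags, instance_tags, key):
    """True if stmt allows s3:PutObject on the given key in my-backups-sn."""
    ctx = request_context(role_tags, instance_tags)
    return statement_allows(stmt, "s3:PutObject", f"arn:aws:s3:::my-backups-sn/{key}", ctx)

if __name__ == "__main__":
    print(evaluate(ASKER_POLICY, {}, {"Name": "inst_name"}, "inst_name/my_file.txt"))     # False
    print(evaluate(ROLE_TAG_POLICY, {"Name": "inst_name"}, {}, "inst_name/my_file.txt"))  # True
    print(evaluate(ROLE_TAG_POLICY, {"Name": "inst_name"}, {}, "other_host/my_file.txt")) # False
```

The first call reproduces the question's Access Denied: the instance's Name tag is not in the request context, so ${aws:RequestTag/Name} never resolves. The second shows the same key allowed once the tag lives on the role, and the third shows the prefix restriction still holding for another host's prefix.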
1

The devil is in the detail!

I've been setting the Name tag on the EC2 instance, thinking that the principal is the EC2 instance, but it's the IAM Role that's the principal. Once you realise this and reread the docs, it clearly states that it needs to be there.

Anyway, thanks for the help.

answered a year ago
