The IAM Policy variable for "aws:RequestTag/${TagKey}" is used when you are creating a tag for a resource. For example, if you want to specify the key/value pairs that a resource is allowed to be tagged with, you can use the "aws:RequestTag/${TagKey}" variable in an IAM Policy to allow/deny specific tags.
For example, the following policy would allow you to apply the environment/prepod tag on an EC2 instance:
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "ec2:CreateTags",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {
      "StringEquals": {
        "aws:RequestTag/environment": [
          "production"
        ]
      }
    }
  }
}
```
The "aws:RequestTag/${TagKey}" variable will not send the tags attached to an AWS resource to S3. For more information about this policy variable, please refer to the following link: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag
However, you can send the tags that are attached to an IAM Role to S3 using the "${aws:PrincipalTag/Name}" variable. For example, if you have an EC2 instance that is using an EC2 instance role, you can tag the EC2 instance role with the appropriate tags. Then, attach the following policy to the IAM Role:
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/${aws:PrincipalTag/Name}/*"
  }
}
```
For more information about the "${aws:PrincipalTag/Name}" variable, please refer to the following link: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-principaltag
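As an added illustration (not part of the answer above and not AWS's own evaluation engine), the following small Python model substitutes `${aws:PrincipalTag/Name}` into the Resource ARN and evaluates the `StringEquals` condition on `aws:RequestTag/environment`, using constructed ARNs and tag sets. It shows why tags on the instance itself never matter: only the role's tags enter the request context as principal tags.

```python
import fnmatch
import re

# Tiny IAM-style evaluator (hypothetical, not AWS's engine) for the two mechanisms
# in the answer: ${aws:PrincipalTag/Name} substitution in a Resource ARN and a
# StringEquals condition on aws:RequestTag/<key>.
VAR_RE = re.compile(r"\$\{([^}]+)\}")

def substitute(template, ctx):
    # Every ${var} must resolve from the request context; otherwise the
    # statement matches no resource (IAM treats an unresolved variable the same way).
    names = VAR_RE.findall(template)
    if any(n not in ctx for n in names):
        return None
    return VAR_RE.sub(lambda m: ctx[m.group(1)], template)

def is_allowed(policy, action, resource, ctx):
    # Single-statement Allow evaluation; anything not matched is an implicit deny.
    s = policy["Statement"]
    if s["Effect"] != "Allow" or not fnmatch.fnmatchcase(action, s["Action"]):
        return False
    pattern = substitute(s["Resource"], ctx)
    if pattern is None or not fnmatch.fnmatchcase(resource, pattern):
        return False
    for key, vals in s.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) not in (vals if isinstance(vals, list) else [vals]):
            return False
    return True

def request_context(principal_tags, request_tags):
    # Principal tags come from the IAM role the credentials belong to, not from
    # the EC2 instance's own tags; request tags are the ones being applied.
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in request_tags.items()})
    return ctx

TAG_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"aws:RequestTag/environment": ["production"]}}}}
S3_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/${aws:PrincipalTag/Name}/*"}}

def demo():
    # Constructed ARNs for the walk-through.
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"
    obj = "arn:aws:s3:::DOC-EXAMPLE-BUCKET/team-a/report.csv"
    tag = lambda env: is_allowed(TAG_POLICY, "ec2:CreateTags", inst, request_context({}, {"environment": env}))
    get = lambda role_tags: is_allowed(S3_POLICY, "s3:GetObject", obj, request_context(role_tags, {}))
    return {"tag_prod": tag("production"), "tag_dev": tag("dev"),
            "role_tagged": get({"Name": "team-a"}), "role_untagged": get({}),
            "wrong_team": get({"Name": "team-b"})}
```

`demo()` returns allow/deny results for each case; the untagged-role case is the one the question ran into, where the variable cannot resolve and access is implicitly denied.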
The devil is in the detail!
I've been setting the Name tag on the EC2 instance, thinking that the principal is the EC2 instance, but it's the IAM Role that's the principal. Once you realise this and reread the docs, it clearly states that it needs to be there.
Anyway, thanks for the help.