IAM Statement for adding/managing tags on resources


Hello! I'm trying to add IAM permissions so that I can manage tags for some resources, but some have an error (Invalid Action, the action doesn't exist), such as ELB, CloudWatch log groups and Route53. I tried the following IAM:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
              "elasticloadbalancing: AddTags",
              "elasticloadbalancing: RemoveTags",
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
              "logs: TagLogGroup",
              "logs: UntagLogGroup",
               "logs: TagResource",
               "logs: UntagResource",
      ],
      "Resource": "*"
    },
   {
      "Effect": "Allow",
      "Action": [
              "route53:ChangeTagsForResource",
              "route53:ListTagsForResource",
              "route53:DeleteTagsForDomain",
              "route53:ListTagsForDomain",
              "route53:TagResource",
              "route53:UntagResource",
      ],
      "Resource": "*"
    }

I saw that for Load Balancer I can't add tags if I don't have permission to create target group (CreateTargetGroup) and load balancer (CreateLoadBalancer). Do I need these two permissions or is just CreateTargetGroup enough? What would the log groups and route 53 statement look like? Thanks!

1 Answer

There are some format errors here. The action names should not have spaces between the service namespace and the action name. Remove the spaces between "elasticloadbalancing:" and "AddTags"/"RemoveTags" for the ELB-related actions. Also, ensure that there is a comma between each action within the list, but no comma at the end of the array.

I took another look and I found there are no actions of types:

"route53:DeleteTagsForDomain",

"route53:ListTagsForDomain",

"route53:TagResource",

"route53:UntagResource"

I corrected the policy. Try it and let me know.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:RemoveTags"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:TagLogGroup",
                "logs:UntagLogGroup",
                "logs:TagResource",
                "logs:UntagResource"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeTagsForResource",
                "route53:ListTagsForResource",
                "route53domains:UpdateTagsForDomain",
                "route53domains:ListTagsForDomain",
                "route53domains:DeleteTagsForDomain"
            ],
            "Resource": "*"
        }
    ]
}
AWS
AmerO
answered 5 months ago
EXPERT
reviewed 5 months ago
EXPERT
Kallu
reviewed 5 months ago
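
The two format errors called out in the answer above (whitespace inside an action string, a trailing comma at the end of an action array) can be caught before a policy is submitted. The linter below is an added example, not part of the answer and not AWS tooling; `lint_policy`, `_policy` and the sample documents are constructed for illustration.

```python
import json
import re

# Action syntax: service prefix, one colon, action name; "*" and "?" are
# wildcards in the name. No whitespace is allowed anywhere in the string.
ACTION_RE = re.compile(r"^(\*|[A-Za-z0-9-]+:[A-Za-z0-9*?]+)$")

def lint_policy(text):
    """Return a list of findings for an IAM policy document (syntax only)."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        # A trailing comma at the end of an Action array is rejected here.
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(policy, dict):
        return ["policy document must be a JSON object"]
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is allowed
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        for key in ("Action", "NotAction"):
            actions = stmt.get(key, [])
            if isinstance(actions, str):  # a single action string is allowed
                actions = [actions]
            for action in actions:
                where = f"Statement[{i}].{key}"
                if not isinstance(action, str):
                    findings.append(f"{where}: non-string entry {action!r}")
                elif re.search(r"\s", action):
                    findings.append(f"{where}: whitespace in {action!r}")
                elif not ACTION_RE.match(action):
                    findings.append(f"{where}: malformed action {action!r}")
    return findings

def _policy(actions_json):
    # Constructed sample wrapper: one Allow statement around the given array.
    return ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
            '"Action": ' + actions_json + ', "Resource": "*"}]}')

# Constructed samples modelled on the policies in this thread.
TRAILING_COMMA = _policy('["elasticloadbalancing:AddTags",]')
SPACED = _policy('["logs: TagLogGroup", "logs:TagResource"]')
CLEAN = _policy('["logs:TagResource", "route53:ChangeTagsForResource"]')

if __name__ == "__main__":
    for name, doc in [("trailing comma", TRAILING_COMMA), ("spaced", SPACED), ("clean", CLEAN)]:
        print(name, "->", lint_policy(doc) or "ok")
```

This checks syntax only; it does not know whether a well-formed action name actually exists in the service, which is the separate problem the answer raises for the Route 53 actions.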
