
Using 'aws:RequestTag' in policy not working as expected


We've created an IAM policy designed to allow creation of S3 buckets from the Service Catalog, but deny from S3 console unless a specific tag is used.

For that intent we built the policy as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:CreateBucket",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/TrustTag": "TrustValue"
                }
            }
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:Put*"
            ],
            "Resource": [
                "arn:aws:s3:::*",
                "arn:aws:s3:::*/*"
            ]
        }
    ]
}

The policy is not working as it blocks the bucket creation even if the tag is included.

Is there another way to do this?

1 Answer
Accepted Answer

The following document shows that there is no "RequestTag" in the "CreateBucket" condition key, so I don't think it is possible to restrict creation by tag.
https://docs.aws.amazon.com/ja_jp/service-authorization/latest/reference/list_amazons3.html

As far as I know, there is no other way.

EXPERT
answered 3 years ago
  • Thank you! We changed the condition to this:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "s3:CreateBucket",
                "Resource": "arn:aws:s3:::*",
                "Condition": {
                    "Bool": {
                        "aws:ViaAWSService": "true"
                    }
                }
            },
            {
                "Sid": "VisualEditor1",
                "Effect": "Allow",
                "Action": [
                    "s3:Get*",
                    "s3:List*",
                    "s3:Put*"
                ],
                "Resource": [
                    "arn:aws:s3:::*",
                    "arn:aws:s3:::*/*"
                ]
            }
        ]
    }
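An added example, not code from the thread: a small offline model of IAM statement evaluation, run against the CreateBucket statement from the question and the one from the follow-up comment, showing why the aws:RequestTag condition can never be satisfied (the key is absent from the s3:CreateBucket request context, so the Allow never applies and the request falls to the implicit deny) while the aws:ViaAWSService condition allows the same call when a service makes it on the principal's behalf. It models only the two operators used here and ignores SCPs, resource policies and permission boundaries; note that aws:ViaAWSService is true for any AWS service acting with the principal's credentials, not only Service Catalog.

```python
import fnmatch

# Offline model of IAM evaluation for the statements in this thread (added
# example, not AWS code). A statement applies only if action and resource match
# and every condition holds; a key missing from the request context never
# matches under StringEquals or Bool. Assumption: identity policy only.
def _condition_holds(operator, key, expected, context):
    actual = context.get(key)
    if actual is None:
        return False  # e.g. aws:RequestTag/* is never set for s3:CreateBucket
    if operator == "StringEquals":
        return actual == expected
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    raise ValueError(f"operator not modelled: {operator}")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, resource, context):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, key, exp, context)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())

def evaluate(policy, action, resource, context):
    """'Deny' on an explicit Deny, 'Allow' on a matching Allow, else 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

# The CreateBucket statements from the question and from the follow-up comment.
TAG_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "s3:CreateBucket", "Resource": "arn:aws:s3:::*",
    "Condition": {"StringEquals": {"aws:RequestTag/TrustTag": "TrustValue"}}}]}
VIA_SERVICE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "s3:CreateBucket", "Resource": "arn:aws:s3:::*",
    "Condition": {"Bool": {"aws:ViaAWSService": "true"}}}]}

# Constructed request contexts: s3:CreateBucket carries no aws:RequestTag keys
# even when a tag was typed in the console, so the console context has none.
CONSOLE_REQUEST = {"aws:ViaAWSService": "false"}
SERVICE_CATALOG_REQUEST = {"aws:ViaAWSService": "true"}
```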
    
