Need help in reading aws doc

0

Can someone please help in reading the AWS doc https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html? If the Resource types column has multiple cells, e.g. the action "AcceptAddressTransfer" has 2 cells in the resource column, "elastic-ip*" and an empty one which stands for "", is AWS saying we can scope this action 2 ways, or do we have to include the "AcceptAddressTransfer" action both on the "elastic-ip" ARN with the condition mentioned in the condition block and with resource "*" for the condition mentioned against it?

GB
asked a month ago, 111 views
5 Answers
1

Hello.

"which stands for "", is AWS saying we can scope this action 2 ways, or do we have to include the "AcceptAddressTransfer" action both on the "elastic-ip" ARN with the condition mentioned in the condition block and with resource "*" for the condition mentioned against it?"

If you set the ARN of "elastic-ip*" in the resource section, you can use "aws:RequestTag/${TagKey}" etc. listed in the "Condition keys" column.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:AcceptAddressTransfer",
            "Resource": "arn:${Partition}:ec2:${Region}:${Account}:elastic-ip/${AllocationId}",
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/test": "test"
                }
            }
        }
    ]
}

If the resource section is empty (that is, "*"), only "ec2:Region" can be set in "Condition keys".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:AcceptAddressTransfer",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:Region": "us-east-1"
                }
            }
        }
    ]
}
EXPERT
answered a month ago
EXPERT
reviewed a month ago
  • Not everything listed in the condition table is supported. In the case of "ec2:RunInstance", the only condition keys supported by "instance*" are those listed in the (missing) image. For example, in the case of "ec2:RunInstance", even if "instance*" is specified in the resource section, "aws:ResourceTag/${TagKey}" cannot be used.

0

ok, but when I am using aws:RequestTag with RunInstances, I am still getting access denied. Here is my policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TheseActionsDontSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ThisActionSupportsResourceLevelPermissionsWithInstancesButNotWithTags",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroup*",
        "ec2:RevokeSecurityGroup*"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:ACCOUNT:key-pair/*",
        "arn:aws:ec2:us-east-1:ACCOUNT:security-group/*",
        "arn:aws:ec2:us-east-1:ACCOUNT:volume/*",
        "arn:aws:ec2:us-east-1::image/ami-*",
        "arn:aws:ec2:us-east-1:ACCOUNT:vpc/*"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:us-east-1:ACCOUNT:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/Name": "*test*"
        }
      }
    },
    {
      "Sid": "TheseActionsSupportResourceLevelPermissionsWithInstancesAndTags",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:ACCOUNT:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Name": "*test*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:DecodeAuthorizationMessage",
        "cloudshell:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
GB
answered a month ago
  • This is the error I get: You are not authorized to perform this operation. User: arn:aws:iam::ACCOUNT:user/USER is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:us-east-1:ACCOUNT:instance/* because no identity-based policy allows the ec2:RunInstances action.

  • There are two "ec2:RunInstances", but try deleting "ec2:RunInstances" in the first statement.
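The condition on the instance ARN in the policy above uses "StringEquals" with a value containing wildcard characters ("*test*"). In IAM, "StringEquals" is an exact, case-sensitive comparison; only "StringLike" treats "*" and "?" as wildcards. As an added illustration (not part of the original thread, and a simplified model of just those two operators), a small Python evaluator runs the posted condition and its StringLike equivalent against a constructed sample tag value:

```python
import re

# Constructed sample: the request tag a RunInstances call might carry.
SAMPLE_REQUEST_TAGS = {"aws:RequestTag/Name": "test-instance"}


def _glob_match(pattern, value):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one,
    # comparison is case-sensitive.
    regex = "^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    ) + "$"
    return re.match(regex, value) is not None


# Simplified model of two IAM string condition operators.
OPERATORS = {
    "StringEquals": lambda pat, val: pat == val,   # exact match, no wildcards
    "StringLike": _glob_match,                     # wildcard match
}


def condition_matches(condition, context):
    """Return True when every operator block in an IAM Condition is satisfied.
    Operator blocks and keys are ANDed; multiple values for one key are ORed.
    A key missing from the request context fails the condition."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, expected in keys.items():
            if key not in context:
                return False
            values = expected if isinstance(expected, list) else [expected]
            if not any(match(v, context[key]) for v in values):
                return False
    return True


# The condition block exactly as in the policy posted above.
AS_POSTED = {"StringEquals": {"aws:RequestTag/Name": "*test*"}}
# The same intent with the operator that actually interprets '*' as a wildcard.
WITH_STRINGLIKE = {"StringLike": {"aws:RequestTag/Name": "*test*"}}


def evaluate(condition, tags=SAMPLE_REQUEST_TAGS):
    return condition_matches(condition, tags)


if __name__ == "__main__":
    print("as posted  :", evaluate(AS_POSTED))        # False
    print("StringLike :", evaluate(WITH_STRINGLIKE))  # True
```

With "StringEquals", the only Name tag value that satisfies the posted statement is the literal string "*test*", so a request tagged "test-instance" is not allowed by that statement.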

0

ok, so with the elastic-ip ARN, are all the conditions in the condition column supported, with all the conditions mentioned in the condition table against the elastic-ip ARN? If that is the case, then why does RunInstance with the instance ARN not support conditions even though the conditions are mentioned in the condition column?

GB
answered a month ago
0

After removing the ec2:RunInstances from statement one, I am still getting the same error.

GB
answered a month ago
0

Can someone please look into this?

GB
answered a month ago