使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

IAM Policy to access "Resource Group" using tags failing

0

Hi,
I'm trying to give access for tagged resources to IAM users.
I've tagged a few resources with "cs-namespace":"test1" and have created a "Resource Group" tagged with the same key value pair too.

The listing works but when my IAM user tried to access the tagged "Resource Group", it gives me a "Forbidden".

Could anyone suggest what I've missed?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:GetGroup",
                "resource-groups:SearchResources"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Edited by: Yi Sheng Yap on Sep 30, 2019 6:21 PM

主題
安全性、身分識別與合規
標籤
AWS Identity and Access Management
語言
English
Yi Sheng Yap
已提問 5 年前檢視次數 3486 次
2 個答案
0
已接受的答案

Hi,
if you add

"tag:GetResources"

The Resource Group will get displayed without any errors.

Here is the full policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:ListGroups",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:GetGroup",
                "resource-groups:SearchResources"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Hope this helps!
-randy

RandyTakeshita
已回答 5 年前
0

Thanks Randy,

I managed to achieve my goal with your help.

Here's my final policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceGroupList",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroups",
                "tag:GetResources"
            ],
            "Resource": "*"
        },
        {
            "Sid": "ResourceGroupView",
            "Effect": "Allow",
            "Action": [
                "resource-groups:ListGroupResources",
                "resource-groups:GetGroup",
                "resource-groups:SearchResources",
                "resource-groups:GetGroupQuery",
                "resource-groups:GetTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "aws:ResourceTag/cs-namespace": "test1"
                }
            }
        }
    ]
}

Cheers.

Yi Sheng Yap
已回答 5 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容