AWS Group Inline Policy Limit Access For Specific Resources with Tags
I have created a development group on which I want to impose a group inline policy that would allow each member to describe EC2 instances that have a tag with the key "Product" whose value equals "TestProduct".
The example shown below doesn't grant the required access, whereas if I leave Resource * it works, so it is something in the way I define it, not the credentials or a higher level.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "XXXX",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ec2:ResourceTag/Product": "TestProduct"
                    }
                }
            }
        ]
    }
The error I receive in aws cli is:
An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.
amazon-web-services amazon-ec2 aws-cli
edited May 26 at 2:42 by Matt Houser
asked May 25 at 20:38 by Daniel Johns
1 Answer
The ec2:DescribeInstances command does not support resource-level permissions. This means that you must specify * as the Resource in the IAM policy statement. If you specify anything other than * for Resource, then authorization will fail (as you've already seen).
This means that you cannot "hide" instances from certain IAM users. Either an IAM user will see all instances, or none.
Please see the following document for a list of commands that support resource-level permissions: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-iam-actions-resources.html
answered May 26 at 2:44 by Matt Houser
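The answer's point generalises into something a policy reviewer can check mechanically: a statement that scopes an action without resource-level permissions by Resource or by an ec2:ResourceTag condition can never match a request, so an Allow silently grants nothing and a Deny silently denies nothing. The linter below is an added example, not code from the question or the answer. It assumes, per the answer, that ec2:DescribeInstances ignores resource scoping and generalises that to every ec2:Describe* action; it also assumes that the mutating actions used in the constructed FIXED_POLICY sample (ec2:StartInstances, ec2:StopInstances, ec2:RebootInstances) do support instance ARNs and the ec2:ResourceTag key, which is where a tag condition like the questioner's belongs. Both policies embedded in the block are constructed samples.

```python
"""Lint IAM policy statements for resource-level restrictions that the
action can never satisfy (added example, not the page's own code)."""
import fnmatch
import json

# Assumption: no ec2:Describe* action supports resource-level permissions,
# so Resource and ec2:ResourceTag are never evaluated for them.
ALL_OR_NOTHING_ACTIONS = ["ec2:Describe*"]

# Constructed sample: the questioner's policy, with braces restored.
BROKEN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "XXXX",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances"],
      "Resource": "*",
      "Condition": {"StringEquals": {"ec2:ResourceTag/Product": "TestProduct"}}
    }
  ]
}
""")

# Constructed sample of what tag scoping can express: Describe is granted
# on "*" with no condition; the tag condition moves to mutating actions
# that (assumption) do support instance ARNs and ec2:ResourceTag.
FIXED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeIsAllOrNothing",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances"],
      "Resource": "*"
    },
    {
      "Sid": "MutateOnlyTaggedInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"ec2:ResourceTag/Product": "TestProduct"}}
    }
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_all_or_nothing(action):
    """True when the action matches a pattern that ignores Resource/ResourceTag."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in ALL_OR_NOTHING_ACTIONS)


def _uses_resource_tag(condition):
    """True when any condition key is an ec2:ResourceTag/<key> lookup."""
    for keys in condition.values():
        for key in keys:
            if key.lower().startswith("ec2:resourcetag/"):
                return True
    return False


def find_unsatisfiable_statements(policy):
    """Return one finding per statement that scopes an all-or-nothing action
    by Resource or by ec2:ResourceTag. Each finding records the Sid, Effect,
    offending actions and the reasons the statement can never match."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        offending = [a for a in _as_list(stmt.get("Action")) if _is_all_or_nothing(a)]
        if not offending:
            continue
        problems = []
        if any(r != "*" for r in _as_list(stmt.get("Resource"))):
            problems.append('Resource is not "*"')
        if _uses_resource_tag(stmt.get("Condition", {})):
            problems.append("Condition uses ec2:ResourceTag")
        if problems:
            findings.append({
                "sid": stmt.get("Sid", f"statement[{idx}]"),
                "effect": stmt.get("Effect"),
                "actions": offending,
                "problems": problems,
            })
    return findings


if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, json.dumps(find_unsatisfiable_statements(policy), indent=2))
```

Run against BROKEN_POLICY the linter reports statement XXXX with the reason "Condition uses ec2:ResourceTag"; FIXED_POLICY produces no findings, because the Describe statement is unconditional on "*" and the tag condition sits only on actions that can evaluate it. Deny statements are linted too: a Deny that relies on ec2:ResourceTag for a Describe action never fires, which is the mirror image of the questioner's failure and easier to miss in review.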