0
votes

I have the following IAM Role:

  • AmazonEC2FullAccess
  • Custom-Policy

In my custom policy I have:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "iam:ListRoles",
        "Resource": "*",
        "Condition": {
            "IpAddress": {
                "aws:SourceIp": "10.0.0.0/16"
            }
        }
    }
]
}

Then I create a new EC2 instance and attach this role to it.

Inside the EC2 Instance I try to do:

aws iam list-roles

But I get this error:

An error occurred (AccessDenied) when calling the ListRoles operation: User: arn:aws:sts::XXXXXXX:assumed-role/My-Role/i-XXXXXX is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::XXXXXXX:role/

Do you have an idea why it's not working, please? thanks.

PS: The EC2 instance's IP is 10.0.0.XX

1
That is not the IP IAM sees. You can confirm it by removing the IP address condition. And maybe instead use the public IP of your EC2 instance for your condition.asr9
What were you wanting to control by adding the IP restriction? Are you worried about the role being used elsewhere, or by other people?John Rotenstein
Thank you guys, it makes sense, and it worked!Akram Fares

1 Answers

1
votes

The IAM API lives on the Internet. Thus, when it receives your request, it will be coming from the IP address of the instance. IAM never sees the private IP address of the instance.

In theory, the IP address restriction should not be necessary because the role can only be used on instances where it has been assigned. You should put security on who can use the role (iam:PassRole), rather than from where the role can be used.