
Goal:

Create an IAM role policy that allows the role to perform defined actions on AWS resources only if the role tag equals the resource tag.

For example:

IAM tag:

foo=bar

CodeBuild project tag:

foo=bar

IAM role policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codebuild:List*",
                "codebuild:DescribeTestCases",
                "codebuild:DescribeCodeCoverages",
                "codebuild:BatchGet*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/foo": "${aws:PrincipalTag/foo}"
                }
            }
        }
    ]
}

When the user assumes the role, the user is denied access to codebuild:ListProjects on projects that have the same foo=bar key pair as the role, in both the AWS console and the AWS CLI.

AWS console error:

User: arn:aws:sts::123456789:assumed-role/example-role/example-user is not authorized to perform: codebuild:ListProjects

AWS CLI error using the command: aws codebuild list-projects --profile test

An error occurred (AccessDeniedException) when calling the ListProjects operation: User: arn:aws:sts::123456789:assumed-role/example-role/botocore-session-59458209 is not authorized to perform: codebuild:ListProjects

Attempts:

#1

Use actual key pair value in policy condition:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codebuild:List*",
                "codebuild:DescribeTestCases",
                "codebuild:DescribeCodeCoverages",
                "codebuild:BatchGet*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/foo": "bar"
                }
            }
        }
    ]
}

Results in the same codebuild:ListProjects access denied error in the AWS console.

#2

Removed the ${} brackets from aws:PrincipalTag/foo (shooting from the hip here):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codebuild:List*",
                "codebuild:DescribeTestCases",
                "codebuild:DescribeCodeCoverages",
                "codebuild:BatchGet*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/foo": "aws:PrincipalTag/foo"
                }
            }
        }
    ]
}

#3

Used the service prefix in the resource tag condition key, codebuild:ResourceTag/foo:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codebuild:List*",
                "codebuild:DescribeTestCases",
                "codebuild:DescribeCodeCoverages",
                "codebuild:BatchGet*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "codebuild:ResourceTag/foo": "${aws:PrincipalTag/foo}"
                }
            }
        }
    ]
}

Same codebuild:ListProjects access denied error in the AWS console.

Does the AWS CLI also result in access denied? Or is it only for the AWS console? (Marcin)

@Marcin Access denied in both the AWS console and the CLI. (Marshallm)

1 Answer


From the docs:

CodeBuild supports authorization based on tags for project-based actions

I think the ListProjects action is not project-based. It is for the entire CodeBuild service, rather than for a specific project.
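The following is an added example, not code from the question or the answer above. It models the small part of IAM policy evaluation that explains the denial: ListProjects names no project, so the request context carries no aws:ResourceTag/foo key, and an IAM StringEquals condition on a key that is absent from the request context evaluates to false (only the ...IfExists operators treat an absent key as a match). The same statement does grant BatchGetProjects on a project tagged foo=bar, because that request carries the resource tag. The FIXED_POLICY below is my assumed repair: an unconditional statement for codebuild:ListProjects, and the tag-matched statement for the remaining actions. Whether each of those remaining actions (and any other action matched by codebuild:List* or codebuild:BatchGet*) resolves to a taggable resource is not verified here and should be checked in the Service Authorization Reference for CodeBuild. The request contexts are constructed, and the evaluator ignores explicit Deny, resource ARN matching, SCPs and permission boundaries.

```python
"""Model of why a tag-matching Allow never grants codebuild:ListProjects.

Added example, not from the original question or answer. Models wildcard
action matching, StringEquals conditions, ${aws:PrincipalTag/...} variable
substitution, and the IAM rule that a condition whose key is absent from
the request context evaluates to false.
"""
import fnmatch
import json
import re

# The policy from the question.
ORIGINAL_POLICY = json.loads(r"""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["codebuild:List*", "codebuild:DescribeTestCases",
               "codebuild:DescribeCodeCoverages", "codebuild:BatchGet*"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/foo": "${aws:PrincipalTag/foo}"}}
  }]
}""")

# Assumed fix: ListProjects is not project-scoped, so it gets an unconditional
# statement; the remaining actions keep the tag match.
FIXED_POLICY = json.loads(r"""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ListProjectsIsNotProjectScoped",
    "Effect": "Allow",
    "Action": "codebuild:ListProjects",
    "Resource": "*"
  }, {
    "Sid": "ProjectActionsOnlyWhenTagsMatch",
    "Effect": "Allow",
    "Action": ["codebuild:BatchGet*", "codebuild:DescribeTestCases",
               "codebuild:DescribeCodeCoverages"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/foo": "${aws:PrincipalTag/foo}"}}
  }]
}""")

# Constructed request contexts. The role tag foo=bar appears as
# aws:PrincipalTag/foo on the assumed-role session. ListProjects names no
# project, so its context has no aws:ResourceTag/* key at all.
LIST_PROJECTS_CTX = {"aws:PrincipalTag/foo": "bar"}
TAGGED_PROJECT_CTX = {"aws:PrincipalTag/foo": "bar", "aws:ResourceTag/foo": "bar"}
OTHER_PROJECT_CTX = {"aws:PrincipalTag/foo": "bar", "aws:ResourceTag/foo": "baz"}

_VAR = re.compile(r"\$\{([^}]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def expand_variables(value, context):
    """Expand ${key} policy variables; None if a referenced key is absent
    (IAM then treats the condition as not matched)."""
    missing = False

    def repl(match):
        nonlocal missing
        found = context.get(match.group(1))
        if found is None:
            missing = True
            return ""
        return found

    expanded = _VAR.sub(repl, value)
    return None if missing else expanded


def condition_holds(condition, context):
    """Evaluate a Condition block (StringEquals only) against the context."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # key absent from request context: false
            wanted = [expand_variables(v, context) for v in _as_list(expected)]
            if actual not in [w for w in wanted if w is not None]:
                return False
    return True


def is_allowed(policy, action, context):
    """True if some Allow statement covers the action and its condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "ListProjects:", is_allowed(policy, "codebuild:ListProjects", LIST_PROJECTS_CTX))
        print(name, "BatchGetProjects (tag match):", is_allowed(policy, "codebuild:BatchGetProjects", TAGGED_PROJECT_CTX))
        print(name, "BatchGetProjects (tag differs):", is_allowed(policy, "codebuild:BatchGetProjects", OTHER_PROJECT_CTX))
```

Against the real account, the equivalent check is the IAM policy simulator, for example `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names codebuild:ListProjects`, which reports implicitDeny for the original policy because no statement matches once the condition fails.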