Goal:
Create an IAM role policy that allows the role to perform defined actions on AWS resources only if the role tag equals the resource tag.
For example:
IAM tag:
foo=bar
CodeBuild project tag:
foo=bar
IAM role policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:List*",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codebuild:BatchGet*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/foo": "${aws:PrincipalTag/foo}"
        }
      }
    }
  ]
}
When the user assumes the role, the user is denied access to codebuild:ListProjects on projects that have the same foo=bar key pair as the role, within both the AWS console and the AWS CLI.
AWS console error:
User: arn:aws:sts::123456789:assumed-role/example-role/example-user is not authorized to perform: codebuild:ListProjects
AWS CLI error using the command: aws codebuild list-projects --profile test
An error occurred (AccessDeniedException) when calling the ListProjects operation: User: arn:aws:sts::123456789:assumed-role/example-role/botocore-session-59458209 is not authorized to perform: codebuild:ListProjects
Attempts:
#1
Use actual key pair value in policy condition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:List*",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codebuild:BatchGet*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/foo": "bar"
        }
      }
    }
  ]
}
Result: the same codebuild:ListProjects access denied error in the AWS console.
#2
Remove aws key brackets from aws:PrincipalTag/foo
(shooting from the hip here)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:List*",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codebuild:BatchGet*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/foo": "aws:PrincipalTag/foo"
        }
      }
    }
  ]
}
#3
Used the resource type within the resource tag condition codebuild:ResourceTag/foo
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:List*",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codebuild:BatchGet*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "codebuild:ResourceTag/foo": "${aws:PrincipalTag/foo}"
        }
      }
    }
  ]
}
Result: the same codebuild:ListProjects access denied error in the AWS console.
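To see why the first policy above never grants codebuild:ListProjects while tag-matched per-project calls can still succeed, here is a small Python model of the condition evaluation. This is an added example, not part of the original question and not the AWS policy engine. It assumes that a ListProjects request carries no aws:ResourceTag/* key in the request context (the call is not evaluated against a single project), so a StringEquals on that key is always false and the statement never applies; it also shows a hypothetical split policy (named SPLIT here) that grants ListProjects in its own unconditioned statement and keeps the tag condition for BatchGet*. Before moving any other List* action out of the tag-scoped statement, check its resource-type column in the CodeBuild IAM reference, since not all of them are tag-free.

```python
"""Simplified model of IAM ABAC condition evaluation (added example, not
AWS's engine).  Three rules are modelled: ${aws:PrincipalTag/key} policy
variables are expanded from the request context; a StringEquals whose key
is absent from the context is false; no matching Allow is an implicit deny.
Assumption: ListProjects is modelled with no aws:ResourceTag/* key, while
BatchGetProjects is modelled with the target project's tags in the context.
"""
import re
from fnmatch import fnmatchcase

_VAR = re.compile(r"\$\{([^}]+)\}")


def substitute(value, context):
    """Expand ${key} policy variables; None if a referenced key is missing."""
    missing = False

    def repl(match):
        nonlocal missing
        if match.group(1) not in context:
            missing = True
            return ""
        return context[match.group(1)]

    expanded = _VAR.sub(repl, value)
    return None if missing else expanded


def condition_matches(condition, context):
    """Every operator/key pair must hold; an absent key fails StringEquals."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)  # only what the question uses
        for key, expected in pairs.items():
            if key not in context or context[key] != substitute(expected, context):
                return False
    return True


def is_allowed(policy, action, context):
    """True only if some Allow statement matches the action and its condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatchcase(action, pat) for pat in actions):
            continue
        if condition_matches(stmt.get("Condition", {}), context):
            return True
    return False  # implicit deny


TAG_COND = {"StringEquals": {"aws:ResourceTag/foo": "${aws:PrincipalTag/foo}"}}

# The policy from the question, unchanged.
ORIGINAL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["codebuild:List*", "codebuild:DescribeTestCases",
               "codebuild:DescribeCodeCoverages", "codebuild:BatchGet*"],
    "Resource": "*",
    "Condition": TAG_COND,
}]}

# Hypothetical split: ListProjects has no resource tag to compare, so it gets
# its own unconditioned statement; per-project actions keep the tag condition.
SPLIT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "codebuild:ListProjects", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["codebuild:BatchGet*", "codebuild:DescribeTestCases",
                "codebuild:DescribeCodeCoverages"],
     "Resource": "*", "Condition": TAG_COND},
]}

# Constructed request contexts for a principal (role) tagged foo=bar.
PRINCIPAL = {"aws:PrincipalTag/foo": "bar"}
LIST_CTX = dict(PRINCIPAL)                                   # no resource tag
GET_SAME_CTX = {**PRINCIPAL, "aws:ResourceTag/foo": "bar"}   # project foo=bar
GET_OTHER_CTX = {**PRINCIPAL, "aws:ResourceTag/foo": "baz"}  # project foo=baz


def evaluate_all():
    """Decisions for the question's scenarios, as {scenario: allowed}."""
    return {
        "original/ListProjects": is_allowed(ORIGINAL, "codebuild:ListProjects", LIST_CTX),
        "original/BatchGetProjects same tag": is_allowed(ORIGINAL, "codebuild:BatchGetProjects", GET_SAME_CTX),
        "original/BatchGetProjects other tag": is_allowed(ORIGINAL, "codebuild:BatchGetProjects", GET_OTHER_CTX),
        "split/ListProjects": is_allowed(SPLIT, "codebuild:ListProjects", LIST_CTX),
        "split/BatchGetProjects other tag": is_allowed(SPLIT, "codebuild:BatchGetProjects", GET_OTHER_CTX),
    }


if __name__ == "__main__":
    for scenario, allowed in evaluate_all().items():
        print(f"{scenario}: {'Allow' if allowed else 'Deny (implicit)'}")
```

Running the model gives an implicit deny for ListProjects under the original policy regardless of how the projects are tagged, an allow for BatchGetProjects only when the project's foo tag equals the role's, and an allow for ListProjects under the split policy. Note the trade-off the split makes: an unconditioned ListProjects allow returns the names of every project in the account, and the tag condition then only limits which of them the role can read in detail.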