Is using tag values to control access to a resource possible?


In an attempt to give an instance access to a specific folder in an s3 bucket, I've got this in a policy:

"Resource": "arn:aws:s3:::My_Bucket/db_backups/${aws:ResourceTag/Name}/*"

It doesn't work. Documentation for using tags like this is here: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html

So perhaps what I'm trying to do is not possible.

But I'd rather not create a new role for each instance that needs access to a folder. Is there some other way I can pull this off?


There are 2 answers

John Rotenstein (accepted answer):

You can use IAM policy variables and tags (see "IAM policy elements: Variables and tags" in the AWS Identity and Access Management User Guide) to write a single policy that applies to multiple IAM Users / IAM Roles.

As shown in that documentation, using the aws:userid variable will insert role-id:ec2-instance-id. Thus, the instances could be granted access to paths that match their role and instance, such as:

s3://bucketname/AROAU2DKSKXYQTOSDGTGX:i-abcd1234/*
Ali Samji:

The aws:ResourceTag is not defined for S3 resources. S3 only provides the tag as a policy variable when accessing objects and it is under the variable s3:ExistingObjectTag.

I had to do this for a recent engagement and one of the things that made this difficult is that not all services supply their tags as a policy variable and those that do all use different names. The aws:ResourceTag variable is only provided if the resource you are accessing is KMS and a few other services.

Regardless, I'm not sure if your statement will work. What I think you actually want is to use aws:PrincipalTag/Name — i.e. "Resource": "arn:aws:s3:::My_Bucket/db_backups/${aws:PrincipalTag/Name}/*". This will embed the Name tag of the IAM principal — user or role — that is being used to access the resource.
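Added example (not code from the question or either answer): a Python script that renders the per-instance bucket policy the two answers describe, once with `${aws:userid}` as in the accepted answer and once with `${aws:PrincipalTag/Name}` as in the second answer, and then resolves the policy variables locally against a constructed request context so you can see which object keys each form grants. The bucket name `My_Bucket` and the `db_backups/` prefix come from the question; the role id and instance id come from the accepted answer; the tag value `db-primary`, the object keys, and the mini evaluator itself are constructed for illustration. The evaluator models one documented IAM rule only: a variable that is absent from the request context makes the statement fail to match, which is how the asker's `${aws:ResourceTag/Name}` form behaves for an S3 object request. It is not a substitute for the IAM policy simulator; use `aws iam simulate-principal-policy` against the real role before relying on it.

```python
"""Render a per-principal S3 prefix policy and resolve its variables offline.

This is an added illustration, not AWS's evaluation engine. Only `${...}`
substitution, glob matching of the Resource ARN and the s3:prefix condition
on ListBucket are modelled.
"""
import fnmatch
import json
import re
from typing import Dict, Optional

BUCKET = "My_Bucket"                      # from the question
VAR = re.compile(r"\$\{([^}]+)\}")        # matches ${aws:userid} etc.


def build_policy(variable: str) -> dict:
    """Policy granting each principal its own db_backups/<variable>/ prefix.

    variable is "aws:userid" (accepted answer, resolves to role-id:instance-id)
    or "aws:PrincipalTag/Name" (second answer, resolves to the role's Name tag).
    """
    prefix = "db_backups/${" + variable + "}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ObjectsUnderOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{BUCKET}/{prefix}*",
            },
            {
                # ListBucket is bucket-level, so the prefix has to be a condition
                "Sid": "ListOwnPrefixOnly",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{BUCKET}",
                "Condition": {"StringLike": {"s3:prefix": prefix + "*"}},
            },
        ],
    }


def resolve(template: str, context: Dict[str, str]) -> Optional[str]:
    """Substitute ${key} from the request context.

    Returns None when any key is missing: IAM then treats the statement as
    not matching, which is why an unsupported variable silently denies.
    """
    missing = []

    def sub(m: "re.Match[str]") -> str:
        key = m.group(1)
        if key not in context:
            missing.append(key)
            return ""
        return context[key]

    out = VAR.sub(sub, template)
    return None if missing else out


def _actions(statement: dict) -> list:
    a = statement["Action"]
    return a if isinstance(a, list) else [a]


def object_allowed(policy: dict, context: Dict[str, str], arn: str,
                   action: str = "s3:GetObject") -> bool:
    """True if some Allow statement's resolved Resource glob matches arn."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or action not in _actions(st):
            continue
        pattern = resolve(st["Resource"], context)
        if pattern is not None and fnmatch.fnmatchcase(arn, pattern):
            return True
    return False


def listing_allowed(policy: dict, context: Dict[str, str], prefix: str) -> bool:
    """True if a ListBucket statement's resolved s3:prefix condition admits prefix."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or "s3:ListBucket" not in _actions(st):
            continue
        cond = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        pattern = resolve(cond, context) if cond else "*"
        if pattern is not None and fnmatch.fnmatchcase(prefix, pattern):
            return True
    return False


# Constructed request context for one instance. The role id and instance id
# are the ones quoted in the accepted answer; the Name tag value is invented.
INSTANCE_CONTEXT = {
    "aws:userid": "AROAU2DKSKXYQTOSDGTGX:i-abcd1234",
    "aws:PrincipalTag/Name": "db-primary",
}

if __name__ == "__main__":
    print(json.dumps(build_policy("aws:userid"), indent=2))
    own = f"arn:aws:s3:::{BUCKET}/db_backups/AROAU2DKSKXYQTOSDGTGX:i-abcd1234/nightly.sql.gz"
    other = f"arn:aws:s3:::{BUCKET}/db_backups/AROAU2DKSKXYQTOSDGTGX:i-ffff9999/nightly.sql.gz"
    print("own prefix:  ", object_allowed(build_policy("aws:userid"), INSTANCE_CONTEXT, own))
    print("other prefix:", object_allowed(build_policy("aws:userid"), INSTANCE_CONTEXT, other))
    print("ResourceTag form:", object_allowed(build_policy("aws:ResourceTag/Name"), INSTANCE_CONTEXT, own))
```

The `aws:userid` form needs no per-instance setup beyond launching with the shared role, but the folder names become opaque `role-id:instance-id` strings and change if the instance is replaced. The `aws:PrincipalTag/Name` form gives readable folder names, but the tag lives on the IAM role, not the EC2 instance, so two instances sharing a role share a folder unless each gets its own role, which is what the asker wanted to avoid.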