leedm777

Asked: 2020-03-24 11:21:44 +0800 CST2020-03-24 11:21:44 +0800 CST 2020-03-24 11:21:44 +0800 CST

Can an instance profile's condition reference EC2 instance's tags?

I'm trying to setup an instance profile for an EC2 instance that limits its access to a particular path within an S3 bucket, based on the Name tag of that EC2 instance. I've gotten a policy that's close, but still doesn't work.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "arn:aws:s3:::some-bucket",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "${aws:PrincipalTag/Name}/*"
                    ]
                }
            }
        }
    ]
}

Turns out that in the case of IAM roles for EC2, the principal is the role itself; not the EC2 instance. Is there any way to use the tags from the EC2 instance in the policy document?

Can an instance profile's condition reference EC2 instance's tags?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?

Can an instance profile's condition reference EC2 instance's tags?

0 Answers