
With the following policy in AWS IAM:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances"
                ],
                "Condition": {
                    "StringEquals": {
                        "ec2:ResourceTag/project": "projectA"
                    }
                },
                "Resource": [
                    "arn:aws:ec2:your_region:your_account_ID:instance/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances"
                ],
                "Resource": [
                    "arn:aws:ec2:eu-west-1:REMOVED:instance/i-REMOVED"
                ]
            }
        ]
    }

I'm able to start/stop based on the resource set to a specific instance ID. The action of DescribeInstances, on the other hand, which I would like to limit to EC2 assets tagged with "project=projectA" doesn't seem to work.

I've tried to list them with aws cli as:

    aws ec2 describe-instances --filters Name=tag:project,Values=projectA

And the tag is in fact added to the EC2 asset in question.

Any tips/recommendations?

P.S.: I've also tried setting the resource in the DescribeInstances part as *, and still no go.

t988GF
  • Your question is really unclear. If you try to explain what you're trying to do someone may be able to come up with a workaround or an idea. – Tim Apr 13 '17 at 18:41
  • I agree -- your question is not very clear. Are you saying that you want an AWS CLI command that filters by Tag, and it is not working? Are you also saying that you'd like to allow a user to call DescribeInstances only on instances with a certain tag? – John Rotenstein Apr 26 '17 at 00:47

1 Answer

Closing this question, as it appears that conditions are not supported by DescribeInstances.

No resource limiting is permitted by DescribeInstances (tags, specific instance IDs, etc.).

t988GF
  • Just wanted to leave here a link to the official page where this is documented. Admittedly, it's a huge table and not that easy to understand, but sadly in it neither `aws:ResourceTag` nor `ec2:ResourceTag` filters are listed for `DescribeInstances`. https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html – dlouzan Mar 31 '23 at 15:43
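The practical consequence of the answer is that a statement which pairs `ec2:DescribeInstances` with a narrowed `Resource` or an `ec2:ResourceTag` condition grants nothing at all: the non-`*` resource never matches, and the tag condition key is absent from the request context, so the call is implicitly denied rather than tag-filtered. The following script is an added example, not code from the question, the answer or AWS; it embeds the question's policy (placeholder ARNs kept as posted) and flags such statements, then rewrites them so the unscopable action gets its own `Resource: "*"` statement while the `StartInstances`/`StopInstances` statement keeps its instance-specific resource (those two actions do support resource-level permissions). The set of unscopable actions is deliberately limited to the one action the page discusses; a real linter would load it from the Service Authorization Reference linked in the comment above.

```python
import json
from copy import deepcopy

# The policy from the question, embedded verbatim (placeholder ARNs kept).
QUESTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances"],
      "Condition": {"StringEquals": {"ec2:ResourceTag/project": "projectA"}},
      "Resource": ["arn:aws:ec2:your_region:your_account_ID:instance/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": ["arn:aws:ec2:eu-west-1:REMOVED:instance/i-REMOVED"]
    }
  ]
}
""")

# Actions for which the Service Authorization Reference lists only "*" as a
# valid resource: no resource-level permissions, no ResourceTag condition keys.
# Only the action discussed on the page is listed here (assumption: a real
# linter would populate this from the reference table).
UNSCOPABLE_ACTIONS = {"ec2:DescribeInstances"}

RESOURCE_TAG_PREFIXES = ("ec2:ResourceTag/", "aws:ResourceTag/")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _resource_tag_keys(condition):
    """Collect condition keys that refer to resource tags, e.g. ec2:ResourceTag/project."""
    keys = []
    for operator_block in (condition or {}).values():
        for key in operator_block:
            if key.startswith(RESOURCE_TAG_PREFIXES):
                keys.append(key)
    return keys


def find_ineffective_grants(policy):
    """Return (statement_index, action, reason) tuples for Allow statements that
    try to scope an unscopable action. Such a statement grants nothing: a
    non-"*" Resource never matches, and a ResourceTag condition key is never
    present in the request context, so StringEquals on it evaluates false."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        tag_keys = _resource_tag_keys(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action")):
            if action not in UNSCOPABLE_ACTIONS:
                continue
            if resources != ["*"]:
                findings.append((idx, action, 'Resource must be "*"'))
            for key in tag_keys:
                findings.append((idx, action, f"condition key {key} is never present for this action"))
    return findings


def rewrite_unscopable_grants(policy):
    """Return a copy of the policy in which every unscopable action is moved into
    its own statement with Resource "*" and no Condition; other actions keep
    their original scoping. Statements left without actions are dropped."""
    fixed = deepcopy(policy)
    kept, moved = [], []
    for stmt in fixed.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            kept.append(stmt)
            continue
        actions = _as_list(stmt.get("Action"))
        moved.extend(a for a in actions if a in UNSCOPABLE_ACTIONS)
        remaining = [a for a in actions if a not in UNSCOPABLE_ACTIONS]
        if remaining:
            stmt["Action"] = remaining
            kept.append(stmt)
    if moved:
        kept.append({"Effect": "Allow", "Action": sorted(set(moved)), "Resource": "*"})
    fixed["Statement"] = kept
    return fixed


if __name__ == "__main__":
    for idx, action, reason in find_ineffective_grants(QUESTION_POLICY):
        print(f"Statement {idx}: {action}: {reason}")
    print(json.dumps(rewrite_unscopable_grants(QUESTION_POLICY), indent=2))
```

Run against the question's policy it reports both defects in statement 0 and emits a two-statement policy: the unchanged start/stop grant plus `ec2:DescribeInstances` on `*`. The `--filters Name=tag:project,...` flag in the question is an API-level filter applied after authorization, so it cannot substitute for the missing condition; to confirm the effect of a rewritten policy before attaching it, `aws iam simulate-custom-policy` evaluates a policy document against an action without touching live permissions.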