AWS IAM Policy for elasticloadbalancing:DescribeTargetHealth

Question

I am trying to run this cli on a target group:

aws elbv2 describe-target-health

This IAM policy doesn't work:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1497933736509",
      "Action": [
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:elasticloadbalancing:::*"
    }
  ]
}

Error message:

An error occurred (AccessDenied) when calling the DescribeTargetHealth operation

This works:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1497933977893",
      "Action": [
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Question: why do I have to use * to include all AWS resources? Did I miss anything obvious here?

score 3 · Accepted Answer · answered Jun 20 '17 at 08:41

In some circumstances, paths in ARNs can include a wildcard character or an asterisk (*). But you cannot use a wildcard in the portion of the ARN that specifies the resource type. What does it mean?

You can specify "all users":

"Resource": "arn:aws:iam::123456789012:user/*"

You can specify "all S3 buckets":

"Resource": "arn:aws:s3:::*"

You can specify "all AWS resources":

"Resource": "*"

The list of valid ARNs is documented at ARNS and AWS Service Namespaces page. In case of ELB/ALB service, the only allowed ARNs and resources are:

arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
arn:aws:elasticloadbalancing:region:account-id:listener/app/load-balancer-name/load-balancer-id/listener-id
arn:aws:elasticloadbalancing:region:account-id:listener-rule/app/load-balancer-name/load-balancer-id/listener-id/rule-id
arn:aws:elasticloadbalancing:region:account-id:targetgroup/target-group-name/target-group-id
arn:aws:elasticloadbalancing:region:account-id:loadbalancer/name

In documentation, ARN components in red color are the ones which you can play with. In case of ELB/ALB service, you can specify your own region, account-id, ELB name, target-group-name/target-group-id etc. etc. But you can't write something like you tried as this is not a valid ARN:

"Resource": "arn:aws:elasticloadbalancing:::*"

AWS IAM Policy for elasticloadbalancing:DescribeTargetHealth

1 Answers1