
I'm attempting to run New-EC2Tag, getting the following error:

New-EC2Tag : You are not authorized to perform this operation.

The user policy is as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:CreateTags"],
            "Resource": "arn:aws:ec2:ap-southeast-2:<my_account_id>:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/OctopusTentacle": "yes"
                }
            }
        }
    ]
}

It works fine in the Policy Simulator as above.

If I remove the condition and set Resource to * it works. Removing the condition or setting Resource to * alone does not work. I am running this as local Administrator on the instance.

What else is New-EC2Tag accessing/doing that I need to grant access to?

Anthony Neace
user3592036

1 Answer


If New-EC2Tag works when clearing the Condition and wildcarding the Resource, then we should be inspecting both of those.

From some investigation, New-EC2Tag's related API action is CreateTags. According to Supported Resources and Conditions for Amazon EC2 API Actions, some API actions do not support ARNs. This seems to be the case with CreateTags, as it requests that you specify a resource ID instead. This is also corroborated by the "Supported Resources..." documentation I linked above, which does not list CreateTags as supporting ARNs.

In this case, the documentation recommends that you set the policy as such:

If the API action does not support ARNs, use the * wildcard to specify that all resources can be affected by the action.

So that leaves the condition... the tag. The tag that you are using as a condition needs to already exist on the instance for the policy to be applied as you expect. An example from the policy simulator, where the tag already exists:

DescribeTags and DescribeInstances are allowed.

Another consideration is that the action may likewise not support conditions, but I haven't found anything to back that up.

Anthony Neace
  • Thanks Anthony. It works in the Simulator with arn and condition, but on further investigation neither work when calling create-tags via CLI either. Error as follows: 'A client error (UnauthorizedOperation) occurred when calling the CreateTags operation: You are not authorized to perform this operation.' – user3592036 May 05 '14 at 05:40
  • 2
    Anthony is correct that permissions for some EC2 actions support resources and others don't. Per the EC2 docs, "[...] because you can't tag a resource when you create it, you can't use any of the tag condition keys with a resource that's created by an action. (We'll add support for tagging a resource at creation in 2014.)" (http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html) Is this addressing your question? I hope. – mike May 08 '14 at 13:45
  • 2
    Also, there's a blog post on the AWS Security Blog that walks through the process of building up a policy for EC2 access that threads its way through actions that do and don't support resource-level permissions. Dunno if that would be helpful: http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions – mike May 08 '14 at 13:46
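As an added illustration (not AWS's evaluation engine and not code from the question or the answer), the following simplified Python model of a single-statement IAM check reproduces the answer's reasoning: it assumes, as the answer states for the 2014 docs, that CreateTags does not support ARNs (so a CreateTags request can only match Resource "*") and that an ec2:ResourceTag condition resolves against tags already present on the instance. The account id, instance id and the scenario names are placeholders constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed values standing in for the question's account and instance.
ACCOUNT = "123456789012"  # placeholder, not a real account id
INSTANCE_ARN = f"arn:aws:ec2:ap-southeast-2:{ACCOUNT}:instance/i-0abc123"
# Per the answer (2014 docs): CreateTags does not support ARNs, so a request
# for it carries no resource ARN and can only match Resource "*".
ACTIONS_WITHOUT_ARN_SUPPORT = {"ec2:CreateTags"}

QUESTION_POLICY = {  # the statement from the question, account id replaced
    "Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:CreateTags"],
    "Resource": f"arn:aws:ec2:ap-southeast-2:{ACCOUNT}:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/OctopusTentacle": "yes"}},
}


def is_allowed(stmt, action, resource_arn, resource_tags):
    """Simplified single-statement check: Effect, Action, Resource, then a
    StringEquals condition on ec2:ResourceTag/* keys (all this model supports)."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(fnmatchcase(action, a) for a in stmt["Action"]):
        return False
    # An action without ARN support presents no ARN, so only "*" can match it.
    requested = None if action in ACTIONS_WITHOUT_ARN_SUPPORT else resource_arn
    resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
    if not any(r == "*" or (requested and fnmatchcase(requested, r)) for r in resources):
        return False
    # A tag condition key resolves against tags already on the resource;
    # a tag that is not there yet makes StringEquals fail.
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        prefix = "ec2:ResourceTag/"
        if not key.startswith(prefix) or resource_tags.get(key[len(prefix):]) != want:
            return False
    return True


def evaluate_scenarios():
    """The policy variants the question describes, each run against CreateTags."""
    wildcard = dict(QUESTION_POLICY, Resource="*")
    wildcard_no_cond = {k: v for k, v in wildcard.items() if k != "Condition"}
    tagged = {"OctopusTentacle": "yes"}
    return {
        "arn_resource_with_tag": is_allowed(QUESTION_POLICY, "ec2:CreateTags", INSTANCE_ARN, tagged),
        "wildcard_resource_tag_present": is_allowed(wildcard, "ec2:CreateTags", INSTANCE_ARN, tagged),
        "wildcard_resource_tag_missing": is_allowed(wildcard, "ec2:CreateTags", INSTANCE_ARN, {}),
        "wildcard_resource_no_condition": is_allowed(wildcard_no_cond, "ec2:CreateTags", INSTANCE_ARN, {}),
    }


if __name__ == "__main__":
    for name, ok in evaluate_scenarios().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Only the wildcard-resource variants can allow CreateTags in this model, and of those the conditioned one passes only when the OctopusTentacle tag is already on the instance, which matches the behaviour the question reports and the answer explains.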