IAM Policy not working when condition block is added

Question

I'm experiencing a strange issue regarding IAM policy! I want to limit RDS access to specific IAM roles for different environments, the policy works fine until I add conditions!!

    "Statement": [
        {
            "Action": "rds:*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "rds:db-tag/Environment": "dev"
                }
            },
            "Resource": "*",
            "Sid": "RdsAccess"
        }
    ],
    "Version": "2012-10-17"
}

Screenshoot of RDS service

However, when I remove the condition, the policy works just fine. You can see AWS services' conditions keys from the official AWS documentation here: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html

You need to explicitly grant the describedbclusters:* and describedbinstances:* because tag based conditions do not work on these kind of actions. — luk2302, Aug 26 '22 at 09:35
What did you try, how did that not work? The grants to those two actions must not have a condition on them. What did your policy look like in that case and what error did you get? — luk2302, Aug 26 '22 at 09:50
No, I tried with the condition because I need to show only the databases from one specific environment, not all of them. — Vehbi Restelica, Aug 26 '22 at 09:55
That is not possible, in most / all AWS services. The list/listing type of actions can only be granted or not, no in between middle ground of listing just *some*. You can restrict actions on individual instances based on conditions, but you cannot hide them during listing. Not 100% sure for rds but I would assume this is the case here as well. — luk2302, Aug 26 '22 at 09:57
Yes, what I need is: to manage RDS databases from one environment, and only see RDS databases from other environments — Vehbi Restelica, Aug 26 '22 at 10:08
Might be true but does not matter if AWS simply does not support that. — luk2302, Aug 26 '22 at 10:16
IAM policy conditions do not cause resource lists, e.g. the output from RDS DescribeDBInstances, to be filtered. That action has no supported conditions. — jarmod, Aug 26 '22 at 13:36

furydrive · Answer 1 · 2022-08-26T15:16:09.070

0

The condition value needs to be

"rds:db-tag/Environment": ["dev"]

In other words the tag key values are expected in an array.

Added reference,

edited Aug 26 '22 at 15:16

answered Aug 26 '22 at 11:43

furydrive

372
2
5

my friend... yes I am sure! – furydrive Aug 26 '22 at 13:58
Do you have any evidence for this? The [policy grammar](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html) says: "If the element takes an array (marked with [ and ]) but only one value is included, the brackets are optional." So, if it did allow an array of values (which is not clear at present) and you only supplied one, the brackets would be optional. – jarmod Aug 26 '22 at 14:06
added evidence. If you do not supply an array value then you need to omit the space after the resolve operator in case of a single key value. So that would be `"rds:db-tag/Environment":"dev"` – furydrive Aug 26 '22 at 15:18
@jarmod ${TagKey} refers to the Key and here the solution I posted refers to how you provide the value in the policy since providing the tag key was done correctly by the OP, do not see how your questions are relevant to this answer? – furydrive Aug 26 '22 at 15:22
1

I'll try this if I have time. I would be surprised if "you need to omit the space after the resolve operator [presume you mean the name-separator colon] in case of a single key value". In the [JSON spec](https://www.rfc-editor.org/rfc/rfc7159), any amount of insignificant whitespace is allowed either side of name separators. – jarmod Aug 26 '22 at 16:18
1

Thank you for your comments! Hey, furydrive, @jarmod is correct, if we have a single key value, the brackets are optional. However, I've tried also with brackets, but same result... – Vehbi Restelica Aug 30 '22 at 08:30

IAM Policy not working when condition block is added

1 Answers1