I want to use PrincipalTag, ResourceTag, RequestTag, and TagKeys tag-based condition keys in an AWS Identity and Access Management (IAM) policy to control access to AWS resources.
Resolution
The following example IAM policies use tag-based condition keys to control access to AWS resources.
Not every API action supports every condition key. Before you write a policy, review the API documentation or the Actions, resources, and condition keys reference for the service that you use to confirm which actions accept the key that you want to use.
PrincipalTag condition key
Use the aws:PrincipalTag/tag-key condition key to compare the following tags:
- The tag that's attached to the principal that makes the request (an IAM user or role tag, or a session tag on the role session)
- The tag that you specify in the IAM policy
In the following example, an Amazon Simple Storage Service (Amazon S3) bucket policy denies the s3:PutObject action on productionbucket to every principal whose job-title tag isn't Product-Manager. Because StringNotEquals is a negated operator, the condition also matches when the principal has no job-title tag at all, so untagged principals are denied too. An explicit Deny can't be overridden by an Allow in another policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllButProductManagers",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::productionbucket/*"
],
"Condition": {
"StringNotEquals": {
"aws:PrincipalTag/job-title": "Product-Manager"
}
}
}
]
}
ResourceTag condition key
Use the aws:ResourceTag/tag-key condition key to compare the tag key-value pair that's specified in the IAM policy with the key-value pair that's attached to the AWS resource that the request targets. For more information, see Controlling access to AWS resources.
Many services support the global key aws:ResourceTag/tag-key. Some services also define a service-specific version of the key, such as ec2:ResourceTag/tag-key for Amazon EC2, which the following example uses.
In the following example, the IAM policy allows users to start, stop, and terminate only the Amazon Elastic Compute Cloud (Amazon EC2) instances that carry the tag Env=test. Tag keys and values are case sensitive, and StringLike without a wildcard is an exact match, so an instance tagged Env=Test isn't matched, and neither is an instance that has no Env tag:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowOnlyForTestEnvironment",
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/Env": "test"
}
}
}
]
}
RequestTag condition key
Use the aws:RequestTag/tag-key condition key to compare the tag key-value pair that's passed in the request with the tag key-value pair that's specified in the IAM policy. Because the tags are part of the request, this key applies to actions that create or tag resources, and you can use it to validate tags during those operations.
In the following example, the IAM policy allows users to create Amazon Elastic Block Store (Amazon EBS) volumes only when the request includes an Env tag with the value Dev, Prod, or QA. A request that has no Env tag doesn't satisfy StringEquals, so untagged volumes can't be created under this policy. Note that Amazon EC2 also requires the ec2:CreateTags permission to apply tags when a resource is created; that permission isn't part of this example:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCreateVolumeWithEnvTag",
"Effect": "Allow",
"Action": "ec2:CreateVolume",
"Resource": "arn:aws:ec2:*:*:volume/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/Env": [
"Dev",
"Prod",
"QA"
]
}
}
}
]
}
TagKeys condition key
Use the aws:TagKeys condition key to compare the tag keys in a request with the tag keys that you specify in the IAM policy. aws:TagKeys is a multivalued key that contains the keys of all tags in the request; it doesn't describe the tags that are already attached to a resource.
Because a request can carry multiple tag keys, use the ForAllValues or ForAnyValue set operators to compare them. ForAllValues matches when every key in the request appears in the policy's list, and ForAnyValue matches when at least one key does.
In the following example, the IAM policy restricts which tag keys users can apply when they create a new Amazon EBS volume. With ForAllValues:StringEquals, a request can include the Env and CostCenter keys, but any other key causes the condition to fail. The keys are optional: a request with no tags has an empty aws:TagKeys set, which ForAllValues treats as a match, so this policy doesn't require tags. To require specific tags, combine this statement with aws:RequestTag conditions or with a Null condition on aws:TagKeys:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:CreateVolume",
"Resource": "arn:aws:ec2:*:*:volume/*",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Env",
"CostCenter"
]
}
}
}
]
}
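To see how the four policies above actually decide, here is an added example in Python (not code from this page or from AWS): a small model of how IAM evaluates the string operators and set prefixes used in the PrincipalTag, ResourceTag, RequestTag, and TagKeys sections, run against the page's own policies with request contexts constructed inline. It shows the edge cases those sections call out: a principal with no job-title tag is still denied by StringNotEquals, StringLike is case sensitive, a CreateVolume request without an Env tag gets no Allow, and ForAllValues on aws:TagKeys matches an untagged request. The account and instance IDs, the object key, and the identity policy that grants s3:PutObject are assumptions made for the example.

```python
"""Toy model of IAM condition evaluation for the tag-based keys on this page.

Added example, not AWS code: it models only the operators the four policies
above use (StringEquals, StringNotEquals, StringLike and the ForAllValues /
ForAnyValue set prefixes) with IAM's missing-key and empty-set rules, then runs
those policies against request contexts constructed here with made-up IDs.
"""
import fnmatch


def _glob(value: str, pattern: str) -> bool:
    """IAM wildcard match (* and ?); '[' is escaped so fnmatch treats it literally."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _op(op: str, ctx_val: str, pol_vals: list) -> bool:
    """One base string operator against a single value from the request context."""
    if op == "StringEquals":
        return ctx_val in pol_vals
    if op == "StringNotEquals":
        return ctx_val not in pol_vals
    if op == "StringLike":  # case sensitive, as in IAM
        return any(_glob(ctx_val, p) for p in pol_vals)
    raise ValueError(f"operator not modelled: {op}")


def condition_matches(condition: dict, context: dict) -> bool:
    """Every operator block and every key inside it must match (logical AND)."""
    for full_op, keys in condition.items():
        prefix, _, op = full_op.rpartition(":")
        for key, pol in keys.items():
            pol_vals = pol if isinstance(pol, list) else [pol]
            if prefix == "ForAllValues":
                # Every request value must match; an EMPTY set (no tags) matches.
                ok = all(_op(op, v, pol_vals) for v in context.get(key, []))
            elif prefix == "ForAnyValue":
                # At least one request value must match; an empty set never does.
                ok = any(_op(op, v, pol_vals) for v in context.get(key, []))
            elif key not in context:
                # Missing single-valued key: positive operators fail, negated ones succeed.
                ok = "Not" in op
            else:
                ok = _op(op, context[key], pol_vals)
            if not ok:
                return False
    return True


def evaluate(policies: list, action: str, resource: str, context: dict) -> str:
    """Explicit Deny beats Allow; a request that no Allow matches is an implicit deny."""
    decision = "implicitDeny"
    for pol in policies:
        for s in pol["Statement"]:
            acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
            ress = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
            if (any(_glob(action, a) for a in acts) and any(_glob(resource, r) for r in ress)
                    and condition_matches(s.get("Condition", {}), context)):
                if s["Effect"] == "Deny":
                    return "explicitDeny"
                decision = "allow"
    return decision


def _policy(effect, action, resource, condition):
    return {"Statement": [{"Effect": effect, "Action": action,
                           "Resource": resource, "Condition": condition}]}


# The four policies from this page, plus a constructed identity policy granting
# s3:PutObject so that the bucket policy's Deny has an Allow to override.
DENY_NON_PM = _policy("Deny", ["s3:PutObject"], ["arn:aws:s3:::productionbucket/*"],
                      {"StringNotEquals": {"aws:PrincipalTag/job-title": "Product-Manager"}})
ALLOW_PUT = _policy("Allow", "s3:PutObject", "*", {})
TEST_ENV_ONLY = _policy("Allow", ["ec2:TerminateInstances", "ec2:StartInstances", "ec2:StopInstances"],
                        "arn:aws:ec2:*:*:instance/*", {"StringLike": {"ec2:ResourceTag/Env": "test"}})
CREATE_WITH_ENV = _policy("Allow", "ec2:CreateVolume", "arn:aws:ec2:*:*:volume/*",
                          {"StringEquals": {"aws:RequestTag/Env": ["Dev", "Prod", "QA"]}})
ONLY_KNOWN_KEYS = _policy("Allow", "ec2:CreateVolume", "arn:aws:ec2:*:*:volume/*",
                          {"ForAllValues:StringEquals": {"aws:TagKeys": ["Env", "CostCenter"]}})

# Constructed request targets (made-up account and instance IDs).
OBJ = "arn:aws:s3:::productionbucket/report.csv"
INST = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
VOL = "arn:aws:ec2:us-east-1:111122223333:volume/*"
S3, PT, RT, TK = [ALLOW_PUT, DENY_NON_PM], "aws:PrincipalTag/job-title", "ec2:ResourceTag/Env", "aws:TagKeys"


def run_cases() -> dict:
    """Evaluate each policy against constructed request contexts; returns name -> decision."""
    cases = {
        "pm_puts_object": (S3, "s3:PutObject", OBJ, {PT: "Product-Manager"}),
        "engineer_puts_object": (S3, "s3:PutObject", OBJ, {PT: "Engineer"}),
        "untagged_principal_puts_object": (S3, "s3:PutObject", OBJ, {}),
        "start_instance_env_test": ([TEST_ENV_ONLY], "ec2:StartInstances", INST, {RT: "test"}),
        "start_instance_env_Test": ([TEST_ENV_ONLY], "ec2:StartInstances", INST, {RT: "Test"}),
        "create_volume_env_prod": ([CREATE_WITH_ENV], "ec2:CreateVolume", VOL, {"aws:RequestTag/Env": "Prod"}),
        "create_volume_untagged": ([CREATE_WITH_ENV], "ec2:CreateVolume", VOL, {}),
        "tagkeys_known_keys": ([ONLY_KNOWN_KEYS], "ec2:CreateVolume", VOL, {TK: ["Env", "CostCenter"]}),
        "tagkeys_extra_key": ([ONLY_KNOWN_KEYS], "ec2:CreateVolume", VOL, {TK: ["Env", "Owner"]}),
        "tagkeys_untagged": ([ONLY_KNOWN_KEYS], "ec2:CreateVolume", VOL, {}),
    }
    return {name: evaluate(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, decision in run_cases().items():
        print(f"{name:32} {decision}")
```

Run the file and compare the decisions with what you expect from each section: the untagged principal and the Env=Test instance are the ones that surprise people, and tagkeys_untagged is the reason the TagKeys policy alone doesn't enforce tagging. The model deliberately leaves out ...IfExists, Null, and the non-string operators; when a real policy depends on them, test it with the IAM policy simulator rather than extending this toy.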
Related information
IAM tutorial: Define permissions to access AWS resources based on tags