The aws:RequestTag condition key is used to control access based on the tags associated with the AWS request, not the resource (in this case, the ECS task). In the ECS context, tasks don't have tags associated with the request itself.

Instead, you can use the aws:ResourceTag condition key to control access based on the tags associated with the ECS task. Here's how you can modify your IAM policy to achieve this:
Policies:
  - PolicyName: AllowTaskToRetrieveS3File
    PolicyDocument:
      Statement:
        - Effect: Allow
          Action:
            - 's3:ListBucket'
          Resource:
            - 'arn:aws:s3:::esolang-worker'
        - Effect: Allow
          Action:
            - 's3:GetObject'
          Resource:
            - 'arn:aws:s3:::esolang-worker/0123456789/code'
          Condition:
            StringEquals:
              'aws:ResourceTag/Status': 'OK'
In this updated policy, the aws:ResourceTag/Status condition key checks for the Status tag on the ECS task itself. If the task has a tag with the key Status and value OK, it will be granted access to the S3 object s3://esolang-worker/0123456789/code.
To tag your ECS task, you need to add the tag to the task definition. You can do this by modifying the ECSTestTaskDefinition resource in your CloudFormation template:
ECSTestTaskDefinition:
  Type: 'AWS::ECS::TaskDefinition'
  Properties:
    TaskRoleArn: !GetAtt ECSTestTaskRole.Arn
    ExecutionRoleArn: !GetAtt ECSTestExecutionRole.Arn
    ContainerDefinitions:
      # ... (container definitions)
    Family: ecs-test
    Cpu: 256
    Memory: 512
    NetworkMode: awsvpc
    RequiresCompatibilities:
      - FARGATE
    RuntimePlatform:
      OperatingSystemFamily: LINUX
    Tags:
      - Key: Status
        Value: OK
With this configuration, any ECS task created from the ECSTestTaskDefinition will have the Status: OK tag, and the IAM policy will grant access to the S3 object based on this tag.
Note that tags are associated with resources at the time of creation, so if you need to change the tags on an existing task, you'll need to update the task definition and update your service or run a new task using it.
Have you tried with that counterpart translation of

    "Condition": {
      "ForAllValues:StringEquals": {
        "aws:TagKeys": [
          "Env",
          "CostCenter"
        ]
      }
    }

?
Reference: https://repost.aws/knowledge-center/iam-tag-based-restriction-policies
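Both answers above hinge on how IAM fills and compares condition keys, so here is an added example (my own code, not from this thread or from AWS) that models the documented evaluation rules offline and runs the thread's two conditions against constructed request contexts. Two facts it relies on are worth stating plainly: for a request such as s3:GetObject, aws:ResourceTag/<key> is populated from the tags on the S3 resource being accessed, while tags attached to the calling IAM role (or passed as session tags) appear as aws:PrincipalTag/<key>; and the set operator ForAllValues evaluates to true when the key is absent from the request context or resolves to an empty set, which is why AWS warns against using it in an Allow statement. The context names and tag values below are assumptions made up for the demonstration, not values captured from an account.

```python
"""Offline model of IAM condition evaluation for the keys discussed above.

Added example, not code from the re:Post thread. It models the documented
semantics of single-valued StringEquals and the set operators
ForAllValues / ForAnyValue, then evaluates the thread's two conditions
against constructed request contexts (assumptions, not captured data).
"""
from typing import Dict, List, Union

Context = Dict[str, Union[str, List[str]]]


def string_equals(context: Context, key: str, wanted: Union[str, List[str]]) -> bool:
    """Single-valued StringEquals: a missing key never matches."""
    actual = context.get(key)
    if actual is None or not isinstance(actual, str):
        return False
    wanted_set = {wanted} if isinstance(wanted, str) else set(wanted)
    return actual in wanted_set


def for_all_values_string_equals(context: Context, key: str, wanted: List[str]) -> bool:
    """ForAllValues:StringEquals: every request value must be in the policy set.

    Per the IAM docs, a key absent from the context (or an empty set) makes
    this TRUE, so all([]) below is the intended, and dangerous, behaviour."""
    actual = context.get(key, [])
    if isinstance(actual, str):
        actual = [actual]
    return all(v in set(wanted) for v in actual)


def for_any_value_string_equals(context: Context, key: str, wanted: List[str]) -> bool:
    """ForAnyValue:StringEquals: at least one request value must match;
    an absent key evaluates to FALSE (any([]) is False)."""
    actual = context.get(key, [])
    if isinstance(actual, str):
        actual = [actual]
    return any(v in set(wanted) for v in actual)


OPERATORS = {
    "StringEquals": string_equals,
    "ForAllValues:StringEquals": for_all_values_string_equals,
    "ForAnyValue:StringEquals": for_any_value_string_equals,
}


def evaluate_condition(condition: dict, context: Context) -> bool:
    """A Condition block is satisfied only if every operator/key pair matches."""
    for operator, pairs in condition.items():
        fn = OPERATORS[operator]
        for key, wanted in pairs.items():
            if not fn(context, key, wanted):
                return False
    return True


# The two conditions from the thread, as JSON-shaped dicts.
RESOURCE_TAG_CONDITION = {"StringEquals": {"aws:ResourceTag/Status": "OK"}}
TAG_KEYS_CONDITION = {"ForAllValues:StringEquals": {"aws:TagKeys": ["Env", "CostCenter"]}}

# Constructed request contexts (assumed values for the demonstration).
CONTEXTS: Dict[str, Context] = {
    "object tagged Status=OK": {"aws:ResourceTag/Status": "OK"},
    "object tagged Status=NG": {"aws:ResourceTag/Status": "NG"},
    "object untagged": {},
    "request tags Env,CostCenter": {"aws:TagKeys": ["Env", "CostCenter"]},
    "request tags Env,Owner": {"aws:TagKeys": ["Env", "Owner"]},
    "request carries no tags": {},
}


def run_matrix() -> Dict[str, Dict[str, bool]]:
    """Evaluate both conditions against every constructed context."""
    return {
        name: {
            "ResourceTag/Status==OK": evaluate_condition(RESOURCE_TAG_CONDITION, ctx),
            "ForAllValues TagKeys": evaluate_condition(TAG_KEYS_CONDITION, ctx),
        }
        for name, ctx in CONTEXTS.items()
    }


if __name__ == "__main__":
    for name, results in run_matrix().items():
        print(f"{name:30s} {results}")
```

The matrix makes the caveat visible: the ForAllValues condition is satisfied for "request carries no tags" and even for the contexts that only carry aws:ResourceTag/Status, so used alone in an Allow it does not restrict anything when the tag keys are simply absent. Swapping in ForAnyValue:StringEquals (also modelled) closes that gap for the missing-key case.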
I tried the following configuration, but the result is that access to S3 is allowed for tasks with any value of the Status tag.