Reputation: 196
I have a working IAM policy that allows users to create EBS devices only if the given tags are present. Right now it uses a predefined list of inputs, but my requirement is that I want to check for the key, not for the value, so the question is: can we have a key with any user input value that we can accept?
If the tag key is used like "aws:RequestTag/Environment": ["dev", "stage", "prod"]
then it works, but I need a solution where I can pass any value at the time of EBS creation, and that should be accepted by the IAM policy.
"Condition": {
    "StringEquals": {
        "aws:RequestTag/owner": ["*"],
        "aws:RequestTag/Environment": ["dev", "stage", "prod"]
    },
    "ForAllValues:StringEquals": {
        "aws:TagKeys": ["Environment"]
    },
    "ForAnyValue:StringEquals": {
        "aws:TagKeys": ["owner"]
    }
}
How can we accept any value for a given key?
Upvotes: 1
Views: 5889
Reputation: 5625
A tag with any value = deny the request without this tag.
So you can just add another statement to deny the request if the tag does not exist.
A Null condition operator checks if a condition key is present at the time of authorization. The key inside the Null condition can take either true or false as its value.
So you need three statements to implement this logic:
{
    "Sid": "AllowTheActionHere",
    ...
},
{
    "Sid": "EnforceOwnerTag",
    ...
    "Effect": "Deny",
    "Condition": {
        "Null": {"aws:RequestTag/owner": "true"}
    }
},
{
    "Sid": "PreventEmptyOwnerTag",
    ...
    "Effect": "Deny",
    "Condition": {
        "StringLike": {
            "aws:RequestTag/owner": ""
        }
    }
}
Upvotes: 1
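To see why the three statements above produce "owner must exist and be non-empty, any value accepted", here is an added example (not code from the question or the answer) that models IAM's evaluation of just the condition operators used on this page: Null, StringEquals, StringLike and ForAllValues:StringEquals on aws:TagKeys. The Allow statement's conditions are assumed from the question's policy; Action and Resource (the answer's "...") are left out, so the model assumes every statement applies to the same request.

```python
from typing import Dict, Optional

# Constructed policy: the answer's three statements with the question's Allow
# conditions filled in. Action and Resource (the answer's "...") are omitted;
# the model assumes every statement applies to the same request.
POLICY = [
    {"Sid": "AllowTheActionHere", "Effect": "Allow", "Condition": {
        "StringEquals": {"aws:RequestTag/Environment": ["dev", "stage", "prod"]},
        "ForAllValues:StringEquals": {"aws:TagKeys": ["Environment", "owner"]}}},
    {"Sid": "EnforceOwnerTag", "Effect": "Deny", "Condition": {
        "Null": {"aws:RequestTag/owner": "true"}}},
    {"Sid": "PreventEmptyOwnerTag", "Effect": "Deny", "Condition": {
        "StringLike": {"aws:RequestTag/owner": ""}}},
]

def _request_tag(key: str, tags: Dict[str, str]) -> Optional[str]:
    """Resolve aws:RequestTag/<name> against the request; None means absent."""
    prefix = "aws:RequestTag/"
    return tags.get(key[len(prefix):]) if key.startswith(prefix) else None

def _condition_matches(cond: dict, tags: Dict[str, str]) -> bool:
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            allowed = [expected] if isinstance(expected, str) else expected
            if op == "Null":  # "true" matches only when the key is absent
                if (_request_tag(key, tags) is None) != (expected == "true"):
                    return False
            elif op == "ForAllValues:StringEquals" and key == "aws:TagKeys":
                if not set(tags).issubset(allowed):  # vacuously true with no tags
                    return False
            elif op in ("StringEquals", "StringLike"):  # no wildcards on this page
                value = _request_tag(key, tags)
                if value is None or value not in allowed:  # absent key never matches
                    return False
            else:
                raise ValueError(f"operator {op} is not modelled")
    return True

def evaluate(tags: Dict[str, str], policy=POLICY) -> str:
    """IAM logic: an explicit Deny wins, else Allow if any Allow matched, else Deny."""
    decision = "Deny"  # implicit deny when nothing matches
    for stmt in policy:
        if _condition_matches(stmt["Condition"], tags):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

Calling evaluate with a missing owner tag, an empty owner tag, or an Environment outside the list all return "Deny", while any non-empty owner value with a listed Environment returns "Allow".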