Josh

Reputation: 966

Use tags inside IAM policy resource

Can I use string interpolation for the Resource key of IAM statements? I am trying to grant access to a bucket based on the team a user is tagged as.

This statement does not work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::${aws:PrincipalTag/team}.example.com"
        }
    ]
}

If I replace ${aws:PrincipalTag/team} with a hardcoded team name it works as expected.

Upvotes: 3

Views: 1676

Answers (1)

Ben Bloom

Reputation: 521

You can accomplish this by using conditional keys in either the iam role/user's policy or the s3 bucket policy.

IAM Policy

For using conditional keys in the iam policy, you will need to add a statement that limits the user's s3 actions to resources that have been tagged with a particular resource tag. This will prevent the user from accessing s3 objects that do not have a particular tag. One problem that you may discover is that you will then need to make sure all objects you wish to interact with are also tagged.

Example of an iam policy:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:ResourceTag/owningTeam": "team1"
            }
        }
    }]
}
s3 Bucket Policy

For using conditional keys in the s3 bucket policy, you will need to add a statement that limits access to the bucket to users/roles with a particular principal tag. The user will still need to have permissions to perform s3 actions, but the resource policy will restrict the access. In addition to condition keys, you can also limit based on the user/role arn.

Example of a bucket policy:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::awsexamplebucket1/*",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalTag/team": "team1"
                }
            }
        }
    ]
}

Since you ultimately want to leverage the tags on the principal, I'd recommend the bucket policy approach.

Upvotes: 4
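A small local evaluator, added here as an example (it is not part of the question or the answer, and it is not the real IAM engine), that walks the question's policy-variable statement and the answer's resource-tag policy through a simplified decision for a few constructed request contexts; the team names, request contexts and the simplifications (StringEquals only, default deny, no explicit Deny) are assumptions. It also models the one caveat a practitioner usually hits: `${...}` variables are only recognised when "Version" is "2012-10-17", and a principal without the tag can never match the expanded Resource.

```python
import fnmatch
import re

# Constructed request contexts (assumed, not from the page): the condition keys
# IAM would populate from the caller's principal tags and the object's tags.
TEAM1_CALLER = {"aws:PrincipalTag/team": "team1", "aws:ResourceTag/owningTeam": "team1"}
TEAM2_CALLER = {"aws:PrincipalTag/team": "team2", "aws:ResourceTag/owningTeam": "team1"}

# The question's policy: a policy variable inside the Resource element.
VARIABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::${aws:PrincipalTag/team}.example.com"}],
}

# The answer's IAM policy, keyed on the object's resource tag.
RESOURCE_TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*",
                   "Condition": {"StringEquals": {"aws:ResourceTag/owningTeam": "team1"}}}],
}

def expand_variables(resource, ctx, version):
    """Substitute ${key} from the request context. Variables need Version
    2012-10-17; a key absent from the context makes the Resource unmatchable."""
    if version != "2012-10-17":
        return resource  # ${...} stays literal text under the old version
    keys = re.findall(r"\$\{([^}]+)\}", resource)
    if any(k not in ctx for k in keys):
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx[m.group(1)], resource)

def condition_matches(cond, ctx):
    """Only StringEquals is modelled; a key missing from the context fails."""
    return all(ctx.get(k) == v for k, v in cond.get("StringEquals", {}).items())

def is_allowed(policy, action, arn, ctx):
    """Simplified evaluator: default deny, Allow if any statement matches action,
    expanded resource and condition (no explicit Deny, NotAction or NotResource)."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        target = expand_variables(st["Resource"], ctx, policy.get("Version"))
        if target is None or not fnmatch.fnmatchcase(arn, target):
            continue
        if st["Effect"] == "Allow" and condition_matches(st.get("Condition", {}), ctx):
            return True
    return False
```

Note that under the answer's resource-tag policy the caller's own team tag plays no part; only the object's tag decides, which is why untagged objects become inaccessible.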