Álvaro

Reputation: 21

Using aws:ResourceTag in conditions on an IAM policy for lambda functions does not work

I need a role assigned to developers to only be able to read lambda functions that have specific tags.

To do this, I have assigned the following tags on all resources:

Tag         | Value
------------|-----------------------------
team        | developers, devops, etc...
environment | dev, stg, prod

The team tag can have multiple teams, separated by a space, as multiple teams can take ownership of the same resource.

  1. Example 1: team: developers
  2. Example 2: team: developers devops finance

Following the AWS documentation which shows that it is possible to grant access by tags (although with partial support as there are actions that do not allow it), I created the following policy for the IAM role assigned to developers, including the conditions of the tags:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadingFunctionsByTags",
            "Effect": "Allow",
            "Action": [
                "lambda:ListTags",
                "lambda:GetFunction"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": { "aws:ResourceTag/team": "*developers*" },
                "StringEquals": { "aws:ResourceTag/environment": [ "dev" , "stg" ] }
            }
        },
        {
            "Sid": "ListAllFunctions",
            "Effect": "Allow",
            "Action": [
                "lambda:ListFunctions",
                "lambda:GetAccountSettings"
            ],
            "Resource": "*"
        }
    ]
}

Finally, to test it, I have assumed, in the AWS Console, the role to which the policy is assigned.

I was expecting to be able to see the function without errors; however, the following error is displayed:

User: arn:aws:sts::[REDACTED]:assumed-role/lambda_role/[REDACTED] is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:eu-central-1:[REDACTED]:function:[LAMBDA NAME] because no identity-based policy allows the lambda:GetFunction action

I also tried the following:

Also, the IAM Policy Simulator shows the following, depending on the inputs:

[Screenshot: Rejected IAM Policy Simulation]

[Screenshot: Accepted IAM Policy Simulation]

What is wrong with the policy and how can I further debug it?

Upvotes: 1

Views: 814
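As an added example, not part of the question or of any AWS documentation, here is a small Python evaluator for the subset of IAM policy grammar the policy above uses (Allow/Deny statements, wildcard actions and resources, and StringEquals/StringLike conditions on aws:ResourceTag/* keys). It cannot reproduce an account-level feature switch like the one the answer describes; what it shows is the decision the condition logic is expected to compute for a given set of tags, so the policy can be sanity-checked offline before involving support. The account id, function names and tag values are constructed sample data. It also surfaces a side effect of the question's "*developers*" pattern: because StringLike is a substring-style wildcard match, a team value such as "nondevelopers" satisfies it too.

```python
import re

# The policy from the question, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadingFunctionsByTags",
            "Effect": "Allow",
            "Action": ["lambda:ListTags", "lambda:GetFunction"],
            "Resource": "*",
            "Condition": {
                "StringLike": {"aws:ResourceTag/team": "*developers*"},
                "StringEquals": {"aws:ResourceTag/environment": ["dev", "stg"]},
            },
        },
        {
            "Sid": "ListAllFunctions",
            "Effect": "Allow",
            "Action": ["lambda:ListFunctions", "lambda:GetAccountSettings"],
            "Resource": "*",
        },
    ],
}

# Constructed sample functions and tags (account id and names are made up).
FUNCTIONS = {
    "arn:aws:lambda:eu-central-1:123456789012:function:orders-dev":
        {"team": "developers", "environment": "dev"},
    "arn:aws:lambda:eu-central-1:123456789012:function:billing-prod":
        {"team": "developers devops finance", "environment": "prod"},
    "arn:aws:lambda:eu-central-1:123456789012:function:legacy-stg":
        {"team": "nondevelopers", "environment": "stg"},
    "arn:aws:lambda:eu-central-1:123456789012:function:untagged": {},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_matches(condition, tags):
    """Evaluate a Condition block limited to StringEquals/StringLike on aws:ResourceTag/* keys.

    Every operator block and every key must be satisfied (AND); within one key any
    listed value may match (OR). A tag the resource does not carry makes the key
    unavailable, and StringEquals/StringLike evaluate to false for a missing key.
    """
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            if not key.startswith("aws:ResourceTag/"):
                raise NotImplementedError(f"unsupported condition key {key}")
            value = tags.get(key[len("aws:ResourceTag/"):])
            if value is None:
                return False
            if operator == "StringEquals":
                ok = any(value == p for p in _as_list(patterns))
            elif operator == "StringLike":
                ok = any(string_like(p, value) for p in _as_list(patterns))
            else:
                raise NotImplementedError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource_arn, tags):
    """Return True if the identity-based policy allows `action` on `resource_arn`.

    An explicit Deny wins over any Allow; no matching Allow is an implicit deny, which
    is what the console's "no identity-based policy allows ..." message reports.
    Action names compare case-insensitively and ARNs case-sensitively, as in IAM.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(string_like(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(string_like(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate_all(policy, action, functions=FUNCTIONS):
    """Map each sample function ARN to the Allow/Deny decision for `action`."""
    return {arn: is_allowed(policy, action, arn, tags) for arn, tags in functions.items()}


if __name__ == "__main__":
    for action in ("lambda:GetFunction", "lambda:ListFunctions"):
        for arn, decision in evaluate_all(POLICY, action).items():
            name = arn.rsplit(":", 1)[1]
            print(f"{action:22} {name:14} {'ALLOW' if decision else 'DENY'}")
```

Run it and compare each row against what the IAM Policy Simulator returns for the same function; the simulator (and its API counterpart, simulate_custom_policy in boto3, which accepts aws:ResourceTag/... context entries) is the live equivalent of this offline check. If the offline evaluator allows a call that the real account denies with the same policy and tags, the difference is not in the policy text, which is the situation the accepted answer describes.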

Answers (1)

Álvaro

Reputation: 21

After we talked with AWS support, they found that there is a feature regarding filtering with tags that is disabled on old accounts, to prevent breaking things. This feature block is not set on new accounts.

To fix this issue, you'll need to contact AWS Support.

Upvotes: 1
