This repository has been archived by the owner on Jun 15, 2023. It is now read-only.

iam:ResourceTag -> aws:ResourceTag #156

Closed
0xdabbad00 opened this issue Oct 11, 2019 · 1 comment

Comments

@0xdabbad00

On https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
it refers to a policy variable iam:ResourceTag; this can be seen on GitHub at https://github.com/awsdocs/iam-user-guide/blame/80a7667b32d3c20a8813b8c059f2b2b27cae74c8/doc_source/reference_policies_variables.md#L202

That variable should instead be aws:ResourceTag as defined at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html

@stephswo
Contributor

You are correct that this policy doesn't do what it says. As it was written, it will allow only IAM actions. I updated the policy to specify the action "iam:*" to match the iam:ResourceTag condition key. IAM doesn't support the aws:ResourceTag condition key. I also updated the description above the policy.

There are several reasons that I chose to update the action instead of the condition:

  1. We are trying to remove all examples of "Action": "*" from the documentation unless it's truly necessary. We have learned that customers are copy/pasting policies like this one and changing or removing conditions and creating policies that allow far too many permissions.
  2. It would take a lot of testing and/or digging through the Actions, Resources, and Condition Keys for AWS Services automated documentation pages to learn which services support the aws:ResourceTag condition key, and for which resources or actions.
  3. IAM supports iam:ResourceTag, but not aws:ResourceTag. We're one of those naughty services that doesn't support all of the global tag-related condition keys yet.
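To make the reasoning in this thread concrete, here is a small policy linter added as an example (it is not code from the awsdocs project or from either commenter). It encodes the rule stephswo describes: a condition key prefixed with a service name (such as `iam:ResourceTag/...`) is only supplied by that service, so a `StringEquals` on it can never match requests for other services' actions; a statement with `"Action": "*"` and such a condition therefore silently allows only that service's actions. The linter flags the wildcard action and any action whose service does not match the condition key's service. The two policies below are constructed for illustration and are not the ones from the IAM documentation page; the `iam:ResourceTag/team` tag name and `${aws:PrincipalTag/team}` value are assumptions.

```python
"""Lint IAM policy statements for service-scoped condition keys.

Constructed example. Rule demonstrated: a condition key such as
"iam:ResourceTag/..." is only present in the request context for IAM
requests, so a StringEquals on it is false for every other service's
actions. Pairing it with "Action": "*" yields a policy that looks broad
but only ever allows IAM actions; scoping the action to "iam:*" makes the
intent explicit and avoids copy/paste misuse.
"""
import json


def _as_list(value):
    """IAM allows a string or a list for Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def condition_keys(statement):
    """Return every condition key used in a statement, e.g. 'iam:ResourceTag/team'."""
    keys = []
    for operator_block in statement.get("Condition", {}).values():
        keys.extend(operator_block.keys())
    return keys


def key_service(key):
    """'iam:ResourceTag/team' -> 'iam'; 'aws:PrincipalTag/x' -> 'aws' (global)."""
    return key.split(":", 1)[0].lower()


def action_service(action):
    """'iam:CreateUser' -> 'iam'; the bare wildcard '*' has no service."""
    return action.split(":", 1)[0].lower() if ":" in action else "*"


def lint_statement(statement):
    """Return a list of human-readable findings for one statement."""
    findings = []
    sid = statement.get("Sid", "<no Sid>")
    actions = _as_list(statement.get("Action"))

    if "*" in actions:
        findings.append(
            f"{sid}: wildcard \"Action\": \"*\"; scope the action to the service "
            f"whose condition keys the statement relies on"
        )

    for key in condition_keys(statement):
        svc = key_service(key)
        if svc == "aws":
            continue  # global condition key: supported per service, not linted here
        for act in actions:
            if act == "*":
                continue  # already reported above
            if action_service(act) != svc:
                findings.append(
                    f"{sid}: action {act!r} can never match because condition key "
                    f"{key!r} is only provided by the {svc} service"
                )
    return findings


def lint_policy(policy):
    """Lint every statement in a policy document (dict or JSON string)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for statement in _as_list(policy.get("Statement")):
        findings.extend(lint_statement(statement))
    return findings


# Constructed "before" policy: looks like it allows everything on
# team-tagged resources, but only IAM supplies iam:ResourceTag.
BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TagScopedBefore",
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringEquals": {"iam:ResourceTag/team": "${aws:PrincipalTag/team}"}},
    }],
}

# Constructed "after" policy: the action is scoped to match the condition key.
AFTER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TagScopedAfter",
        "Effect": "Allow",
        "Action": "iam:*",
        "Resource": "*",
        "Condition": {"StringEquals": {"iam:ResourceTag/team": "${aws:PrincipalTag/team}"}},
    }],
}


if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_policy(policy) or "no findings")
```

Running the module prints one finding for the "before" policy (the wildcard action) and none for the "after" policy. The linter deliberately leaves `aws:`-prefixed global keys alone, since which services honour them has to be looked up per service, which is the second point made above.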
