This repository has been archived by the owner on Jun 15, 2023. It is now read-only.
You are correct that this policy doesn't do what it says. As it was written, it will allow only IAM actions. I updated the policy to specify the action "iam:*" to match the iam:ResourceTag condition key. IAM doesn't support the aws:ResourceTag condition key. I also updated the description above the policy.
There are several reasons that I chose to update the action instead of the condition:
We are trying to remove all examples of "Action": "*" from the documentation unless it's truly necessary. We have learned that customers are copy/pasting policies like this one and changing or removing conditions and creating policies that allow far too many permissions.
It would take a lot of testing and/or digging through the Actions, Resources, and Condition Keys for AWS Services automated documentation pages to learn which services support the aws:ResourceTag condition key, and for which resources or actions.
IAM supports iam:ResourceTag, but not aws:ResourceTag. We're one of those naughty services that doesn't support all of the global tag-related condition keys yet.
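The point of the comment above is that a statement with `"Action": "*"` gated by an `iam:ResourceTag` condition only ever matches IAM actions, so writing `"iam:*"` makes the policy say what it actually does and removes a grant that becomes "allow everything" the moment someone strips the condition. The following lint, added here as an illustration and not part of the user guide or any AWS tool, encodes that check: it flags a wildcard action gated by a service-specific condition key, an unconditional wildcard action, and a condition key whose service prefix matches none of the listed actions. The two policies are constructed to mirror the "before" and "after" shapes the comment describes, not the guide's own example.

```python
import json

# Constructed sample policies (not the IAM User Guide's own example). BEFORE has
# the shape the thread describes: "Action": "*" gated by an iam:ResourceTag
# condition, which in practice only matches IAM actions. AFTER narrows the
# action to "iam:*" so the statement says what it does.
BEFORE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {"StringEquals": {
            "iam:ResourceTag/project": "${aws:PrincipalTag/project}"}},
    }],
})

AFTER = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:*",
        "Resource": "*",
        "Condition": {"StringEquals": {
            "iam:ResourceTag/project": "${aws:PrincipalTag/project}"}},
    }],
})


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def condition_service_prefixes(condition):
    """Service prefixes of the service-specific condition keys in a Condition
    block, e.g. {'iam'} for iam:ResourceTag/project. Global keys (aws:...)
    apply to every service and are skipped."""
    prefixes = set()
    for keys in condition.values():
        for key in keys:
            service = key.split(":", 1)[0].lower()
            if service != "aws":
                prefixes.add(service)
    return prefixes


def lint_statement(stmt):
    """Return a list of finding strings for one Allow statement."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    condition = stmt.get("Condition", {})
    cond_services = condition_service_prefixes(condition)
    action_services = {a.split(":", 1)[0] for a in actions if a != "*"}

    if "*" in actions:
        if cond_services:
            # Only the named service(s) can satisfy the condition, so the
            # wildcard is misleading and turns into a full grant if the
            # condition is ever removed. Narrow the action to "<service>:*".
            findings.append("wildcard-action-gated-by-service-condition:"
                            + ",".join(sorted(cond_services)))
        else:
            findings.append("unconditional-wildcard-action")
    else:
        # A service-specific key that none of the listed actions belongs to
        # can never match, so the statement silently allows nothing.
        for service in sorted(cond_services - action_services):
            findings.append("condition-key-service-mismatch:" + service)
    return findings


def lint_policy(policy_json):
    """Lint every statement of a policy document given as a JSON string."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        findings.extend(lint_statement(stmt))
    return findings


if __name__ == "__main__":
    print("before:", lint_policy(BEFORE))
    print("after: ", lint_policy(AFTER))
```

The lint is deliberately conservative: it reasons only from the action and condition-key prefixes visible in the document, so it catches the exact mismatch discussed in this thread without needing the per-service condition-key tables the comment mentions.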
On https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
it refers to a policy variable
iam:ResourceTag
this can be seen on github at https://github.com/awsdocs/iam-user-guide/blame/80a7667b32d3c20a8813b8c059f2b2b27cae74c8/doc_source/reference_policies_variables.md#L202
That variable should instead be
aws:ResourceTag
as defined at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html