Joe Block

Posted on • Originally published at unixorn.github.io on

AWS IAM Self Tagging EC2 Instances

For a variety of reasons, I needed to enable some EC2 instances to write/update a single EC2 tag, but the instances needed to only be able to tag themselves.

This was more annoying than I expected, so I'm documenting the IAM policy here.

```json
{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "ec2:DeleteTags",
              "ec2:CreateTags",
              "ec2:DescribeInstances"
          ],
          "Resource": "*",
          "Condition": {
              "StringEquals": {
                  "aws:ARN": "${ec2:SourceInstanceARN}"
              },
              "ForAllValues:StringEquals": {
                  "aws:TagKeys": "THAT_ONE_ALLOWED_TAG"
              }
          }
      }
  ]
}
```

Some notes:

  1. The AWS IAM editor in the web UI will complain about SourceInstanceARN. Ignore it and click next anyway.
  2. Then it will complain that the policy doesn't add any permissions. It lies. Ignore it and save the policy.

You can attach this policy to an IAM role and the instances will then be able to tag themselves, but only with the THAT_ONE_ALLOWED_TAG tag.
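To make the two conditions concrete, here is an added example (my own code, not from the original post or from AWS) that builds the policy above for a chosen tag key and runs a deliberately simplified model of how IAM evaluates it: `StringEquals` on `aws:ARN` compares the ARN of the resource being tagged against the caller's own instance ARN after substituting the `${ec2:SourceInstanceARN}` policy variable, and `ForAllValues:StringEquals` on `aws:TagKeys` requires every tag key in the request to be in the allowed set. The request contexts, instance ARNs and the `request_allowed` helper are constructed for illustration; the evaluator only handles the operators this policy uses and is not a substitute for the real IAM engine or the policy simulator.

```python
import json
import re

# Tag key from the post; any other key in a request makes the request fail the ForAllValues check.
ALLOWED_TAG_KEY = "THAT_ONE_ALLOWED_TAG"


def build_self_tag_policy(allowed_tag_key: str = ALLOWED_TAG_KEY) -> dict:
    """Return the self-tagging policy from the post, parameterised on the one permitted tag key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["ec2:DeleteTags", "ec2:CreateTags", "ec2:DescribeInstances"],
                "Resource": "*",
                "Condition": {
                    # resource ARN must equal the ARN of the instance making the call
                    "StringEquals": {"aws:ARN": "${ec2:SourceInstanceARN}"},
                    # every tag key in the request must be the allowed one
                    "ForAllValues:StringEquals": {"aws:TagKeys": allowed_tag_key},
                },
            }
        ],
    }


_POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def _substitute(value: str, context: dict) -> str:
    """Replace ${key} policy variables with request-context values (simplified model, an assumption)."""
    return _POLICY_VAR.sub(lambda m: context.get(m.group(1), ""), value)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(statement: dict, action: str, context: dict) -> bool:
    """Does this Allow statement match the action and satisfy all of its conditions?

    `context` holds the request keys: aws:ARN (resource being acted on),
    ec2:SourceInstanceARN (caller's instance) and aws:TagKeys (keys in the request).
    """
    if statement["Effect"] != "Allow" or action not in _as_list(statement["Action"]):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            expected_values = [_substitute(e, context) for e in _as_list(expected)]
            actual = context.get(key)
            if operator == "StringEquals":
                # single-valued key: must be present and equal one of the expected values
                if actual is None or actual not in expected_values:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # set key: every supplied value must be allowed; an empty set passes vacuously,
                # which is why a DescribeInstances call (no tag keys) still satisfies it
                if any(v not in expected_values for v in _as_list(actual or [])):
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def request_allowed(policy: dict, action: str, context: dict) -> bool:
    """Simplified: a request is allowed if any Allow statement matches (no Deny handling)."""
    return any(statement_allows(s, action, context) for s in policy["Statement"])


if __name__ == "__main__":
    # Constructed sample ARNs; not real instances.
    me = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    other = "arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba9876543210"
    policy = build_self_tag_policy()
    print(json.dumps(policy, indent=2))
    for label, ctx in [
        ("tag self, allowed key", {"aws:ARN": me, "ec2:SourceInstanceARN": me, "aws:TagKeys": [ALLOWED_TAG_KEY]}),
        ("tag another instance", {"aws:ARN": other, "ec2:SourceInstanceARN": me, "aws:TagKeys": [ALLOWED_TAG_KEY]}),
        ("tag self, extra key", {"aws:ARN": me, "ec2:SourceInstanceARN": me, "aws:TagKeys": [ALLOWED_TAG_KEY, "Name"]}),
    ]:
        print(f"{label}: {request_allowed(policy, 'ec2:CreateTags', ctx)}")
```

Running it shows the three outcomes a defender cares about: tagging yourself with the allowed key passes, tagging any other instance fails on the `aws:ARN` check, and sneaking a second key such as `Name` into the same `CreateTags` call fails the `ForAllValues` check. Because `ForAllValues` is vacuously true for an empty set, pair it with `Resource: "*"` only when, as here, the ARN condition already pins the resource to the caller.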
