DEV Community

Joe Block
Joe Block

Posted on • Originally published at on

AWS IAM Self Tagging EC2 Instances

For a variety of reasons, I needed to enable some EC2 instances to write/update a single EC2 tag, but the instaces needed to only be able to tag themselves.

This was more annoying than I expected, so I'm documenting the IAM policy here.

  "Version": "2012-10-17",
  "Statement": [
          "Effect": "Allow",
          "Action": [
          "Resource": "*",
          "Condition": {
              "StringEquals": {
                  "aws:ARN": "${ec2:SourceInstanceARN}"
              "ForAllValues:StringEquals": {
                  "aws:TagKeys": "THAT_ONE_ALLOWED_TAG"
Enter fullscreen mode Exit fullscreen mode

Some notes:

  1. The AWS IAM editor in the webui will complain about SourceInstanceARN. Ignore it and click next anyway.
  2. Then it will complain that the policy doesn't add any permissions. It lies. Ignore it and save the policy.

You can attach this policy to an IAM role and the instances will then be able to tag themselves, but only with the THAT_ONE_ALLOWED_TAG tag.

Discussion (0)