It seems like there are 50 posts about limiting users to resources by the resource tag. But I think what I am missing is if it is possible within the console. I have an Amazon directory service up and running with an awsapps.com/console site for logging in. I have a few test users within my IAM role where the policy is as follows. I want a user who logs in to only see the resources with the appropriate tag. This works in simulation, but does not in the console. I get an error of "An error occurred fetching instance data: You are not authorized to perform this operation.".
So, is it possible to limit on tag in the console? I know it is in the CLI.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticmapreduce:*",
        "ec2:*",
        "cloudwatch:*",
        "s3:*",
        "sdb:*",
        "iam:PassRole",
        "iam:ListRoles"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/critical": "true"}
      }
    }
  ]
}
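As an added example (not part of the question), a policy shaped the way AWS documents tag-based EC2 permissions: `ec2:Describe*` calls carry no `ec2:ResourceTag` key in the request context, so a `StringEquals` on that key never matches them and the console's instance listing is denied, which is exactly the error quoted above. The tag condition is kept only on the mutating instance actions; the `critical` tag is taken from the question, the `Sid` values and the chosen action list are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConsoleListingNeedsUnconditionalDescribe",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Sid": "ManageOnlyInstancesTaggedCritical",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/critical": "true"}
      }
    }
  ]
}
```

Describe calls are all-or-nothing, so the user still sees every instance listed and the tag only gates what they can act on; the same missing-key problem hits the other services in the original statement, whose requests never populate `ec2:ResourceTag` at all.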