
I created an AWS IAM Role and it included the following

    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: "Allow"
          Principal:
            Service:
              - "ec2.amazonaws.com"
          Action:
            - "sts:AssumeRole"
          Condition:
            StringEquals:
              ec2:ResourceTag/AppCode: !Sub "${AppCode}"

I verified that my EC2 does contain tag AppCode and it had the value passed in to the CloudFormation.

After associating the Role with the EC2, I was not able to see the role when running 'aws configure list' on the EC2.

After removing the above condition it worked immediately! 'aws configure list' returned the correct results.

What is the correct way to prevent a Role from being associated with EC2 instances, unless they have a specific tag with a specific value?

Thanks

Jared
  • Are you talking about 2 distinct roles? Would it be 1 associated role to prevent instances to invoke `AssumeRole` on another existing role? Because after you associate a role to an EC2 instance, that role is already "assumed" by the EC2 instance. Not sure what you want to achieve. – jweyrich Mar 27 '19 at 20:20
  • I would like to create a role with a policy attached and an associated InstanceProfile. This instance-profile (or its associated role) would only be able to be associated with EC2 instances that have a specific tag key=value. – Jared Mar 29 '19 at 17:54

1 Answer

I'm not sure if what you describe is possible, but please keep exploring!

Your policy is saying "Allow the EC2 service to call AssumeRole if the instance has a particular tag".

The official way to control whether an EC2 instance can be assigned a role is to grant iam:PassRole to the IAM entity that is launching the instance.

If somebody does not have iam:PassRole, then they cannot specify a role when launching an instance. If you want them to be able to use a particular role, you can grant them iam:PassRole for a specific Role, which they can then use when launching an instance.

This method grants the IAM User/Group/Role the permission to select a Role, rather than controlling permissions based on the instance (that doesn't necessarily even exist yet).

John Rotenstein
  • Thanks John. I would like the entity launching the instance to have iam:PassRole, but the roles able to be assigned to an EC2, are restricted based on EC2 tags. – Jared Mar 29 '19 at 17:58
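As an added example (not code from the question or the answer), this is how the PassRole approach from the answer looks in the same CloudFormation style as the question, and it goes one step further than the answer by also constraining the launch itself: the launching identity may only run instances that carry the AppCode tag at creation time, and may only pass the one role. The role's trust policy stays as in the question but without the ec2:ResourceTag condition, which never matches because the EC2 service's sts:AssumeRole call does not carry EC2 tag context. Assumed names: AppRole (the role from the question), AppCode (the template parameter) and LauncherPolicy.

```yaml
  LauncherPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Launch only instances tagged AppCode=<AppCode> in the RunInstances call itself
          - Effect: Allow
            Action: ec2:RunInstances
            Resource: arn:aws:ec2:*:*:instance/*
            Condition:
              StringEquals:
                aws:RequestTag/AppCode: !Ref AppCode
          # RunInstances also touches these resource types; they carry no tag condition
          - Effect: Allow
            Action: ec2:RunInstances
            Resource:
              - arn:aws:ec2:*::image/*
              - arn:aws:ec2:*:*:subnet/*
              - arn:aws:ec2:*:*:network-interface/*
              - arn:aws:ec2:*:*:security-group/*
              - arn:aws:ec2:*:*:volume/*
              - arn:aws:ec2:*:*:key-pair/*
          # Tags given to RunInstances are applied through CreateTags; allow only that path,
          # so the launcher cannot retag instances afterwards
          - Effect: Allow
            Action: ec2:CreateTags
            Resource: arn:aws:ec2:*:*:instance/*
            Condition:
              StringEquals:
                ec2:CreateAction: RunInstances
          # Only this one role may be handed to EC2; passing any other role fails
          - Effect: Allow
            Action: iam:PassRole
            Resource: !GetAtt AppRole.Arn   # AppRole: assumed logical name of the question's role
            Condition:
              StringEquals:
                iam:PassedToService: ec2.amazonaws.com
```

This policy governs the launch path only; attaching an instance profile to an already running instance is a separate API call that also requires iam:PassRole and would need the same restriction if that path is open to the launcher.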