I created an AWS IAM Role and it included the following
AssumeRolePolicyDocument:
  Version: "2012-10-17"
  Statement:
    -
      Effect: "Allow"
      Principal:
        Service:
          - "ec2.amazonaws.com"
      Action:
        - "sts:AssumeRole"
      Condition:
        StringEquals:
          ec2:ResourceTag/AppCode: !Sub "${AppCode}"
I verified that my EC2 does contain tag AppCode and it had the value passed in to the CloudFormation.
After associating the Role with the EC2, I was not able to see the role when running 'aws configure list' on the EC2.
After removing the above condition it worked immediately! 'aws configure list' returned the correct results.
What is the correct way to prevent a Role from being associated with EC2 instances, unless they have a specific tag with a specific value?
Thanks