以互联网上的RunInstance和ec2:CreateTag+ec2:CreateAction为例,我试图只允许在创建过程中设置了特定标记(此输出中不存在(的情况下执行以下操作
如果我尝试了一些测试,那么当我尝试创建带有标记的安全组时,总会出现错误
我试图找到ec2:CreateAction文档,看看它会期望什么参数,但遗憾的是,我在AWS官方文档中的每一次搜索都几乎一无所获。
有人知道我做错了什么吗?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"ec2:CreateAction": [
"RunInstances",
"CreateRouteTable",
"CreateKeyPair",
"CreateRoute",
"CreateVolume",
"CreateNetworkInterface",
"CreateSecurityGroup",
"CreateSnapshot",
"CreateVpcPeeringConnection",
"CreateSubnet",
"CreateVPC",
"AllocateAddress"
]
}
}
}
]
}
您必须创建三个规则;还需要设置VPC权限:
{
"Effect": "Allow",
"Action": "ec2:CreateSecurityGroup",
"Resource": "arn:aws:ec2:*:0123456789:vpc/*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": "arn:aws:ec2:*:0123456789:security-group/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/tagkey": "tagvalue"
},
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"tagkey"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:*:0123456789:security-group/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction" : "CreateSecurityGroup"
}
}
}