Question
When trying to configure which instances can be listed using policies, I noticed the following issue:
- When the condition is not implemented, all instances are visible.
- When any condition is implemented, nothing is visible.
The example policy with condition is included:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1461235889000",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:InstanceType": "r3.xlarge"
        }
      }
    }
  ]
}
What is wrong here?
Answer 1:
The ec2:DescribeInstances action does not support resource-level permissions or applying conditions.
From the linked documentation above:
...to use these actions in an IAM policy, you must grant users permission to use all resources for the action by using a * wildcard for the Resource element in your statement. You cannot use Amazon EC2 condition keys for these actions.
So your usage of the * wildcard without a condition is valid, but applying any condition (as of this writing) will unfortunately not work as expected.
Further Reading:
- Supported Resource-Level Permissions for Amazon EC2 API Actions
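A small policy lint that catches the mistake described in this answer, added here as an example and not part of the original question or answer: it flags Allow statements that attach a Condition or a non-wildcard Resource to ec2:DescribeInstances, which (per the documentation quoted above) ends up granting nothing. The set of unscopable actions contains only the action named on this page; the two embedded policies are a constructed copy of the question's policy and the same statement with the Condition removed.

```python
import fnmatch
import json

# Actions that accept only Resource "*" and no EC2 condition keys. Only
# ec2:DescribeInstances is taken from the page; extend the set from the
# "Supported Resource-Level Permissions" documentation as needed.
UNSCOPABLE_ACTIONS = {"ec2:DescribeInstances"}


def _as_list(value):
    """IAM allows either a string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def find_unscopable_misuse(policy):
    """Return (Sid, action, problem) tuples for Allow statements that combine
    an unscopable action with a Condition block or a Resource other than "*"."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        action_patterns = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in sorted(UNSCOPABLE_ACTIONS):
            # Wildcard patterns such as "ec2:Describe*" also cover the action.
            if not any(fnmatch.fnmatchcase(action, p) for p in action_patterns):
                continue
            if "Condition" in stmt:
                findings.append((sid, action, "Condition is not supported; statement grants nothing"))
            if "*" not in resources:
                findings.append((sid, action, 'Resource must be "*"'))
    return findings


# Constructed copy of the question's policy, and the same statement without the Condition.
BROKEN_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "Stmt1461235889000", "Effect": "Allow",
  "Action": ["ec2:DescribeInstances"], "Resource": ["*"],
  "Condition": {"StringEquals": {"ec2:InstanceType": "r3.xlarge"}}}]}""")
FIXED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "Stmt1461235889000", "Effect": "Allow",
  "Action": ["ec2:DescribeInstances"], "Resource": ["*"]}]}""")

if __name__ == "__main__":
    for sid, action, problem in find_unscopable_misuse(BROKEN_POLICY):
        print(f"{sid}: {action}: {problem}")
    print("fixed policy findings:", find_unscopable_misuse(FIXED_POLICY))
```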
Source: https://stackoverflow.com/questions/36767975/why-does-applying-a-condition-to-ec2describeinstances-in-an-iam-policy-fail