DEV Community


AWS IAM Self Tagging EC2 Instances

Joe Block
I'm an SRE in Denver. Bit of a foodie. Not interested in moving. Not interested in giving up my remote gig.
Originally published at on ・1 min read

For a variety of reasons, I needed to enable some EC2 instances to write/update a single EC2 tag, but the instaces needed to only be able to tag themselves.

This was more annoying than I expected, so I'm documenting the IAM policy here.

  "Version": "2012-10-17",
  "Statement": [
          "Effect": "Allow",
          "Action": [
          "Resource": "*",
          "Condition": {
              "StringEquals": {
                  "aws:ARN": "${ec2:SourceInstanceARN}"
              "ForAllValues:StringEquals": {
                  "aws:TagKeys": "THAT_ONE_ALLOWED_TAG"
Enter fullscreen mode Exit fullscreen mode

Some notes:

  1. The AWS IAM editor in the webui will complain about SourceInstanceARN. Ignore it and click next anyway.
  2. Then it will complain that the policy doesn't add any permissions. It lies. Ignore it and save the policy.

You can attach this policy to an IAM role and the instances will then be able to tag themselves, but only with the THAT_ONE_ALLOWED_TAG tag.

Discussion (0)