DEV Community

Joe Block
Joe Block

Posted on • Originally published at unixorn.github.io on

AWS IAM Self Tagging EC2 Instances

#iam #ec2 #aws

For a variety of reasons, I needed to enable some EC2 instances to write/update a single EC2 tag, but the instaces needed to only be able to tag themselves.

This was more annoying than I expected, so I'm documenting the IAM policy here.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "ec2:DeleteTags",
              "ec2:CreateTags",
              "ec2:DescribeInstances"
          ],
          "Resource": "*",
          "Condition": {
              "StringEquals": {
                  "aws:ARN": "${ec2:SourceInstanceARN}"
              },
              "ForAllValues:StringEquals": {
                  "aws:TagKeys": "THAT_ONE_ALLOWED_TAG"
              }
          }
      }
  ]
}
Enter fullscreen mode Exit fullscreen mode

Some notes:

  1. The AWS IAM editor in the webui will complain about SourceInstanceARN. Ignore it and click next anyway.
  2. Then it will complain that the policy doesn't add any permissions. It lies. Ignore it and save the policy.

You can attach this policy to an IAM role and the instances will then be able to tag themselves, but only with the THAT_ONE_ALLOWED_TAG tag.

Top comments (0)

Read next

vkazulkin profile image

AWS SnapStart - Part 16 Measuring cold and warm starts with Java 21 using different asynchronous HTTP clients

Vadym Kazulkin -

ahoughro profile image

Comprehending JIRA Tickets with Amazon Bedrock

AMELIA HOUGH-ROSS -

dvddpl profile image

I failed the AWS Solutions Architect Associate exam, so what?!

Davide de Paolis -

ryanpothecary profile image

Becoming an AWS and Google Authorised Trainer

Ryan Pothecary -