i hope you can help me out. I have read a couple of docs now, and I am still unsure whether this actually works.
I want to give access in different levels to AWS users based on S3 tags.
Example:
- S3 bucket
mybucket
has tags {"access-team-dev": "rwd"}
, which should lead to the "dev" team having "read, write, delete" access.
- one tag for each team, the value is the access level.
I have tried at least 10 different combinations of this IAM policy:
[
{
"Action": [ "a lot of actions removed for brevity" ],
"Condition": {
"StringEquals": {"aws:ResourceTag/access-team-dev": ["list","ro","rw","rwd"]}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [ "a lot of actions removed for brevity" ],
"Condition": {
"StringEquals": {"aws:ResourceTag/access-team-dev": ["ro","rw","rwd"]}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [ "a lot of actions removed for brevity" ],
"Condition": {
"StringEquals": {"aws:ResourceTag/access-team-dev": ["rw","rwd"]}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [ "a lot of actions removed for brevity" ],
"Condition": {
"StringEquals": {"aws:ResourceTag/access-team-dev": ["rwd"]}
},
"Effect": "Allow",
"Resource": "*"
}
]
... but nothing works.
That policy is assigned to the user via a IAM group, the test bucket is tagged with "access-team-dev": "rwd".
Two questions:
- does that work at all??
- if yes, what am i doing wrong???
Really frustrating, cause according to the docs - if I read them correctly - this should work, right?
Thanks for all answers in advance!