I'm currently creating an AWS stack with CDK. I defined a policy for the user that deploys the stack to have the correct permissions. In CDK I tag my resources with:
const app = new cdk.App();
const scheme = new MyTemplateStack(app, 'MyTemplateStack');
cdk.Tag.add(scheme, 'Team', 'myTeamName');
I want to use the conditional policy to allow my user to have the permissions to only modify or delete the resources that are tagged with the correct team.
So here is an example of policy that I need to deploy my stack with the condition:
{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": "ec2:RevokeSecurityGroupIngress",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "ec2:ResourceTag/Team": "myTeamName"
        }
    }
}
But when I try to deploy my stack again, I get the following error saying that I'm not authorized:
API: ec2:RevokeSecurityGroupEgress You are not authorized to perform this operation
I've been through the documentation but I don't understand why that doesn't work.
Thanks for helping!
It looks to me that you are allowing ec2:RevokeSecurityGroupIngress, however trying to invoke the ec2:RevokeSecurityGroupEgress operation. Could you verify and confirm?
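The mismatch the answer points out can be checked mechanically. The following TypeScript is an added example, not code from the question, the answer, or the AWS CDK project: it models, in a deliberately reduced form, how IAM decides whether an Allow statement with a StringEquals condition on ec2:ResourceTag applies to a request (default deny, no Deny statements, no wildcard matching beyond "*", no other condition operators). The policy objects, the request shapes, and the tag values are constructed for the example; the original policy is reproduced as posted, and the corrected version simply lists both revoke actions.

```typescript
// Added example: a toy model of IAM evaluation for tag-conditioned Allow statements.
// It is NOT the real IAM engine; it only shows why the posted policy does not cover
// the ec2:RevokeSecurityGroupEgress call that CDK makes during the deploy.

type Statement = {
  Sid: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string;
  Condition?: { StringEquals?: Record<string, string> };
};

type Request = {
  action: string;                        // e.g. "ec2:RevokeSecurityGroupEgress"
  resourceTags: Record<string, string>;  // tags on the resource being acted on
};

// Does the statement's Action element name the requested action?
function actionMatches(stmt: Statement, action: string): boolean {
  const actions = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
  return actions.some(a => a === action || a === "*");
}

// Evaluate StringEquals on ec2:ResourceTag/<Key> against the resource's tags.
// A statement with no Condition applies unconditionally.
function conditionMatches(stmt: Statement, req: Request): boolean {
  const eq = stmt.Condition && stmt.Condition.StringEquals;
  if (!eq) return true;
  const prefix = "ec2:ResourceTag/";
  return Object.keys(eq).every(key => {
    if (key.indexOf(prefix) !== 0) return false;  // only ResourceTag keys are modelled
    const tagKey = key.slice(prefix.length);
    return req.resourceTags[tagKey] === eq[key];
  });
}

// Default deny: allowed only if some Allow statement matches action and condition.
function isAllowed(statements: Statement[], req: Request): boolean {
  return statements.some(s =>
    s.Effect === "Allow" && actionMatches(s, req.action) && conditionMatches(s, req));
}

// The policy exactly as posted in the question: only the Ingress action is allowed.
const originalPolicy: Statement[] = [{
  Sid: "VisualEditor0",
  Effect: "Allow",
  Action: "ec2:RevokeSecurityGroupIngress",
  Resource: "*",
  Condition: { StringEquals: { "ec2:ResourceTag/Team": "myTeamName" } },
}];

// Corrected policy: both the ingress and the egress revoke actions, same tag condition.
const correctedPolicy: Statement[] = [{
  Sid: "VisualEditor0",
  Effect: "Allow",
  Action: ["ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress"],
  Resource: "*",
  Condition: { StringEquals: { "ec2:ResourceTag/Team": "myTeamName" } },
}];

// Constructed requests: the call that failed in the question, against a security
// group carrying the Team tag that cdk.Tag.add applied, and one from another team.
const egressOnTeamGroup: Request = {
  action: "ec2:RevokeSecurityGroupEgress",
  resourceTags: { Team: "myTeamName" },
};
const egressOnOtherTeamGroup: Request = {
  action: "ec2:RevokeSecurityGroupEgress",
  resourceTags: { Team: "otherTeam" },
};
const ingressOnTeamGroup: Request = {
  action: "ec2:RevokeSecurityGroupIngress",
  resourceTags: { Team: "myTeamName" },
};

// Summarise the decisions so the difference between the two policies is visible.
function summarise(): Record<string, boolean> {
  return {
    originalAllowsEgress: isAllowed(originalPolicy, egressOnTeamGroup),
    originalAllowsIngress: isAllowed(originalPolicy, ingressOnTeamGroup),
    correctedAllowsEgress: isAllowed(correctedPolicy, egressOnTeamGroup),
    correctedAllowsOtherTeamEgress: isAllowed(correctedPolicy, egressOnOtherTeamGroup),
  };
}

console.log(summarise());
```

The model shows the two things worth confirming before touching the deployment: the original statement never matches an Egress request regardless of tags, and the corrected statement still refuses the same request on a resource tagged for a different team, so the tag-scoping the question wants is preserved. Keep in mind that this evaluator ignores Deny statements, wildcard action patterns and other condition operators; the real decision also depends on every other policy attached to the principal.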