Elastic Load Balancing API permissions to tag resources during creation - Elastic Load Balancing

For users to tag resources during creation, they must have permission to use the action that creates the resource, such as elasticloadbalancing:CreateLoadBalancer or elasticloadbalancing:CreateTargetGroup. If tags are specified in the resource-creating action, additional authorization is performed on the elasticloadbalancing:AddTags action to verify that the user has permission to apply tags to the resource being created. Therefore, users must also have explicit permission to use the elasticloadbalancing:AddTags action.

In the IAM policy definition for the elasticloadbalancing:AddTags action, you can use the Condition element with the elasticloadbalancing:CreateAction condition key to give tagging permissions to the action that creates the resource.

The following example demonstrates a policy that allows users to create target groups and apply any tags to them during creation. Users are not permitted to tag any existing resources (they can't call the elasticloadbalancing:AddTags action directly).

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:CreateTargetGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "elasticloadbalancing:CreateAction": "CreateTargetGroup"
                }
            }
        }
    ]
}

Similarly, the following policy allows users to create a load balancer and apply tags during creation. Users are not permitted to tag any existing resources (they can't call the elasticloadbalancing:AddTags action directly).

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:CreateLoadBalancer"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "elasticloadbalancing:CreateAction": "CreateLoadBalancer"
                }
            }
        }
    ]
}

The elasticloadbalancing:AddTags action is only evaluated if tags are applied during the resource-creating action. Therefore, a user who has permission to create a resource (assuming there are no tagging conditions) does not require permission to use the elasticloadbalancing:AddTags action if no tags are specified in the request. However, if the user attempts to create a resource with tags, the request fails if the user does not have permission to use the elasticloadbalancing:AddTags action.
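To make the two-step evaluation above concrete, here is a small added example (not AWS code and not a substitute for the IAM policy simulator) that models how the target-group policy from this page behaves: the create action is checked first, and elasticloadbalancing:AddTags is checked only when the request carries tags, with elasticloadbalancing:CreateAction set in the request context. It assumes Resource "*" throughout and implements only the StringEquals operator used on this page.

```python
"""Toy evaluator for the create-plus-tag authorization flow (constructed example)."""
import json

# Constructed policy with the same shape as the page's target-group example.
POLICY = json.loads("""
{ "Statement": [
  { "Effect": "Allow", "Action": ["elasticloadbalancing:CreateTargetGroup"], "Resource": "*" },
  { "Effect": "Allow", "Action": ["elasticloadbalancing:AddTags"], "Resource": "*",
    "Condition": { "StringEquals": { "elasticloadbalancing:CreateAction": "CreateTargetGroup" } } }
] }
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, context):
    """True if the statement covers this action and all of its conditions hold."""
    actions = _as_list(stmt["Action"])
    if action not in actions and "*" not in actions:
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)  # only the operator this page uses
        # A context key that is absent from the request never satisfies StringEquals,
        # which is exactly why a direct AddTags call is denied by this policy.
        if any(context.get(key) != expected for key, expected in pairs.items()):
            return False
    return True


def is_allowed(policy, action, context):
    """Default deny; an explicit Deny statement wins over any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, context):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def authorize_create(policy, create_action, tags):
    """Check the create action, then AddTags only if the request includes tags."""
    create_api = "elasticloadbalancing:" + create_action
    if not is_allowed(policy, create_api, {}):
        return "denied: " + create_api
    if tags and not is_allowed(policy, "elasticloadbalancing:AddTags",
                               {"elasticloadbalancing:CreateAction": create_action}):
        return "denied: elasticloadbalancing:AddTags"
    return "allowed"
```

Running authorize_create with and without tags, and is_allowed for a bare AddTags call, reproduces the behaviour described above: creation with or without tags succeeds, while tagging an existing resource directly is denied.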