I am trying to filter out instances in AWS by matching particular tag added in EC2 instance. For this I have created new IAM role with following limited permissions :-

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:StopInstances"
            ],
            "Resource": [
                "arn:aws:ec2:<aws-region>:<aws-id>:instance/*"
            ],
            "Condition":{
                "StringLike":{
                    "aws:ResourceTag/Name" : ["sample_type_*"]
                }
            }
        }
    ]
}

I read about collections in boto3 and implemented following filter function to find the instances :-

ec2 = boto3.resource('ec2')
instance_name_prefix = "sample_type_"
filter_list = [
            {"Name": "tag:Name", "Values": [f"{instance_name_prefix}*"]},
            {"Name": "instance-state-name", "Values": ["running"]}
        ]
running_instance_list = ec2.instances.filter(Filters=filter_list)

But this throws me following error :-

botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.

I tried to look for dependent actions for DescribeInstances in AWS docs where it is shown to be not dependent on other actions.

Can someone point out where it is wrong ? Would appreciate any hint on this.

Thanks

CodePudding user response：

Most listing operations are either allowed or are not allowed, there is no middle ground and no Conditions that can be evaluated. Interacting with the resources that get listed is then obviously dependent on further IAM permissions, but not the listing itself.

That is the case here. ec2:DescribeInstances cannot be restricted with Conditions other than the ec2:Region.