I am trying to define an IAM Role Polices to be used to deploy and manage RDS Instances via Cloudformation. So I am writing a IAM Role, that will be passed to Cloudformation for the deployment.
The Role should allow to deploy and manage RDS instances with specific tags, and not create any instance that does not have the tags.
So what I am trying int the role is this (IAM Policy):
{
"Condition": {
"StringEquals": {
"rds:req-tag/Project": "myproject"
}
},
"Action": [
"rds:Create*",
"rds:Restore*"
],
"Resource": "*",
"Effect": "Allow"
},
Yet, when I try to create RDS Instance with the Tag Project=myproject using Cloudformation, I get:
API: rds:CreateDBInstance User: <me> is not authorized to perform: rds:CreateDBInstance on resource: arn:aws:rds:eu-central-1:078433912766:db:ss9wm5ynvx3n8i because no identity-based policy allows the rds:CreateDBInstance action
Lookling through CloudTrail it seems to me, that Cloudformation does not send the tags when creating the Instance, which is probably the reason why this fails.
So I wonder: is what I am tyring even possible? Or do I have to accept the fact, that I cannot restrict Cloudformation so that it can only create RDS Instances with specific tags?
CodePudding user response:
I tested the following policy
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"rds:req-tag/Project": "myproject"
}
},
"Action": [
"rds:Create*",
"rds:Restore*",
"rds:AddTagsToResource"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
with the following CLI command
aws rds create-db-instance \
--db-instance-identifier test-mysql-instance \
--db-instance-class db.t3.micro \
--engine mysql \
--master-username admin \
--master-user-password secret99 \
--allocated-storage 20 \
--region us-east-1 \
--tags Key=Project,Value=myproject
and I can confirm that it's working as intended.