Issue restraining access to a single environment on AppConfig using IAM Policy


For a while now I have been trying to restrict write access to a specific environment under AppConfig, but it doesn't seem to work. I get access denied on the "dev" environment. I have checked the reference for AppConfig (https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html). I want to allow developers to be able to start a deployment only on the dev environment but not on prod. Here is the policy I am using.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "appconfig:StartDeployment",
            "Resource": [
                "arn:aws:appconfig:*:ACCOUNT-ID:deploymentstrategy/*",
                "arn:aws:appconfig:*:ACCOUNT-ID:application/*/environment/*",
                "arn:aws:appconfig:*:ACCOUNT-ID:application/*/configurationprofile/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/environment": "dev"
                }
            }
        }
    ]
}

I tried to restrain access the same way by using a tag on an AppConfig environment in the condition. It did not work. I then tried to restrain it at the resource level by adding the following resource, "arn:aws:appconfig:*:ACCOUNT-ID:application/*/environment/dev", and I had the same issue.

On BEST ANSWER

I have contacted one of the representatives from AWS at my workplace and explained the issue I have. He explained to me that using ResourceTag in a condition is currently not supported with AppConfig on StartDeployment and StopDeployment. He opened a feature request for the AppConfig team, but there is no guarantee that it will be included in their roadmap.

In the meantime I have found a way to restrain access for an environment. Keep in mind this solution is not the best and you may bust your quota limit of policies in IAM.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "appconfig:UpdateEnvironment",
                "appconfig:StartDeployment",
                "appconfig:StopDeployment"
            ],
            "Resource": [
                "arn:aws:appconfig:*:*:deploymentstrategy/*",
                "arn:aws:appconfig:*:*:application/*/environment/<dev-environment-id>",
                "arn:aws:appconfig:*:*:application/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Deny",
            "Action": [
                "appconfig:UpdateEnvironment",
                "appconfig:StartDeployment",
                "appconfig:StopDeployment"
            ],
            "Resource": "arn:aws:appconfig:*:*:application/*/environment/<prod-environment-id>"
        }
    ]
}

Thanks a lot for the help
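To see why the explicit Deny statement is the part doing the real work in the workaround above, here is an added example (not from the original answer; the environment IDs, application ID, region and account number are invented placeholders) that evaluates the policy with a simplified IAM decision routine: a matching Deny beats any Allow, and the `application/*` resource on its own already matches every environment ARN.

```python
import re

# Constructed example: the Allow + explicit Deny workaround from the answer,
# with invented placeholder environment IDs (not real AppConfig IDs).
DEV_ENV, PROD_ENV = "dev1234", "prod987"
DEPLOY_ACTIONS = ["appconfig:UpdateEnvironment",
                  "appconfig:StartDeployment",
                  "appconfig:StopDeployment"]
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": DEPLOY_ACTIONS,
         "Resource": ["arn:aws:appconfig:*:*:deploymentstrategy/*",
                      f"arn:aws:appconfig:*:*:application/*/environment/{DEV_ENV}",
                      "arn:aws:appconfig:*:*:application/*"]},
        {"Effect": "Deny", "Action": DEPLOY_ACTIONS,
         "Resource": f"arn:aws:appconfig:*:*:application/*/environment/{PROD_ENV}"},
    ],
}

def _matches(pattern, value):
    # IAM wildcard semantics: '*' is any run of characters (it crosses '/' and ':'),
    # '?' is exactly one character, everything else is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(policy, action, resource_arn):
    """Simplified identity-policy evaluation: a matching Deny always wins,
    otherwise a matching Allow, otherwise the implicit deny. Condition blocks
    are ignored, which is fine here because the workaround policy has none."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allowed"
    return decision

def without_deny(policy):
    """Same policy with its Deny statements dropped: shows what the Allow alone grants."""
    return {**policy, "Statement": [s for s in policy["Statement"] if s["Effect"] != "Deny"]}

def env_arn(env_id, app_id="app1", region="us-east-1", account="123456789012"):
    # Placeholder application ID, region and account; all constructed for this example.
    return f"arn:aws:appconfig:{region}:{account}:application/{app_id}/environment/{env_id}"
```

Running `evaluate` on a prod environment ARN with `without_deny(POLICY)` returns "allowed", because the trailing `*` in `application/*` also matches `application/<id>/environment/<id>`; this is why every environment that must stay locked needs its own explicit Deny, which is the policy-count cost the answer warns about.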