Unable to tag AppConfig configuration resource


According to Actions, resources, and condition keys for AWS AppConfig, the configuration resource type has ARN format arn:${Partition}:appconfig:${Region}:${Account}:application/${ApplicationId}/environment/${EnvironmentId}/configuration/${ConfigurationProfileId} and supports the global aws:ResourceTag/${TagKey} condition key.

However, the AppConfig API actions pertaining to resource tags (ListTagsForResource, TagResource, UntagResource) return BadRequestException when provided a configuration resource ARN:

$ aws appconfig list-tags-for-resource --resource-arn arn:aws:appconfig:us-west-2:XXXXXXXXXXXX:application/XXXXXXX/environment/XXXXXXX/configuration/XXXXXXX
An error occurred (BadRequestException) when calling the TagResource operation: arn:aws:appconfig:us-west-2:XXXXXXXXXXXX:application/XXXXXXX/environment/XXXXXXX/configuration/XXXXXXX contains an unsupported resource type.[application, XXXXXXX, environment, XXXXXXX, configuration]

(The same error also occurs when attempting the operation via the AWS SDK, so it's not limited to the AWS CLI.)

The configuration resource ARN above is valid, since its use in the following IAM policy

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": [
      "appconfig:GetLatestConfiguration",
      "appconfig:StartConfigurationSession"
    ],
    "Resource": "arn:aws:appconfig:us-west-2:XXXXXXXXXXXX:application/XXXXXXX/environment/XXXXXXX/configuration/XXXXXXX"
  }
}

makes StartConfigurationSession return the expected AccessDeniedException ending in "explicit deny in an identity-based policy".

Furthermore, Actions, resources, and condition keys for AWS AppConfig shows that TagResource and UntagResource do accept configuration resource types.

If it's not possible to tag an AppConfig configuration resource, then it's not possible to control access to the GetLatestConfiguration and StartConfigurationSession operations using tags:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "appconfig:GetLatestConfiguration",
      "appconfig:StartConfigurationSession"
    ],
    "Resource": "arn:aws:appconfig:us-west-2:XXXXXXXXXXXX:application/XXXXXXX/*",
    "Condition": {
      "StringEquals": {
        "aws:ResourceTag/Tag": "Value"
      }
    }
  }
}

The observed behavior does not match the AWS documentation, and seems like an oversight in the AWS AppConfig API.
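As an added illustration (not code from the question or from AWS), the following script parses an AppConfig ARN against the documented configuration resource format quoted above and checks an ARN against an IAM policy Resource pattern such as the application/XXXXXXX/* wildcard used in the Allow policy. The account and resource IDs in it are constructed placeholders; the wildcard matching implements only the * and ? semantics IAM documents for the Resource element.

```python
"""Parse AWS AppConfig ARNs and check them against IAM policy Resource patterns."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented AppConfig "configuration" (data-plane) resource path, as quoted in the question:
# application/${ApplicationId}/environment/${EnvironmentId}/configuration/${ConfigurationProfileId}
CONFIGURATION_PATH = re.compile(
    r"^application/(?P<application_id>[^/]+)"
    r"/environment/(?P<environment_id>[^/]+)"
    r"/configuration/(?P<configuration_profile_id>[^/]+)$"
)


@dataclass(frozen=True)
class AppConfigArn:
    partition: str
    region: str
    account: str
    resource: str  # everything after the account field, e.g. application/.../configuration/...

    @property
    def segments(self) -> List[str]:
        # The BadRequestException text echoes these path segments back in brackets.
        return self.resource.split("/")

    def configuration_ids(self) -> Optional[Dict[str, str]]:
        """Return the three IDs if this is a data-plane configuration ARN, else None."""
        m = CONFIGURATION_PATH.match(self.resource)
        return m.groupdict() if m else None


def parse_arn(arn: str) -> AppConfigArn:
    """Split 'arn:partition:appconfig:region:account:resource' into its parts."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "appconfig":
        raise ValueError(f"not an AppConfig ARN: {arn}")
    return AppConfigArn(partition=parts[1], region=parts[3], account=parts[4], resource=parts[5])


def matches_policy_resource(pattern: str, arn: str) -> bool:
    """IAM Resource matching: '*' matches any run of characters (including '/'), '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, arn) is not None


if __name__ == "__main__":
    # Constructed sample values (not a real account or real resource IDs).
    arn = "arn:aws:appconfig:us-west-2:123456789012:application/abc1234/environment/def5678/configuration/ghi9012"
    print(parse_arn(arn).configuration_ids())
    print(matches_policy_resource("arn:aws:appconfig:us-west-2:123456789012:application/abc1234/*", arn))
```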
