I need a role assigned to developers to only be able to read lambda functions that have specific tags.
To do this, I have assigned the following tags on all resources:
| Tag | Value |
|---|---|
| team | developers, devops, etc. |
| environment | dev, stg, prod |
The team tag can have multiple teams, separated by a space, as multiple teams can take ownership of the same resource.
- Example 1: `team: developers`
- Example 2: `team: developers devops finance`
Following the AWS documentation which shows that it is possible to grant access by tags (although with partial support as there are actions that do not allow it), I created the following policy for the IAM role assigned to developers, including the conditions of the tags:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadingFunctionsByTags",
      "Effect": "Allow",
      "Action": [
        "lambda:ListTags",
        "lambda:GetFunction"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": { "aws:ResourceTag/team": "*developers*" },
        "StringEquals": { "aws:ResourceTag/environment": [ "dev", "stg" ] }
      }
    },
    {
      "Sid": "ListAllFunctions",
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetAccountSettings"
      ],
      "Resource": "*"
    }
  ]
}
```
Finally, to test it, I have assumed the role where the policy is assigned on the AWS Console.
I was expecting that I could see the function without errors, however, the following error is displayed:
```text
User: arn:aws:sts::[REDACTED]:assumed-role/lambda_role/[REDACTED] is not authorized to perform: lambda:GetFunction on resource: arn:aws:lambda:eu-central-1:[REDACTED]:function:[LAMBDA NAME] because no identity-based policy allows the lambda:GetFunction action
```
I also tried the following:
- Limiting to a specific resource without conditions: Works.
- Limiting to a specific resource with conditions: Not working.
- Using only the team tag: Not working.
- Using only the environment tag: Not working.
- Using StringEquals on the team tag, with a resource with only one team: Not working.
- Adding all Lambda read and list actions that support Conditions on "AllowReadingFunctionsByTags": Not working.
- Using `arn:aws:lambda:*:*:function:*` as a resource selector: Not working.
Also, the IAM Policy Simulator shows the following, depending on the inputs.
What is wrong with the policy and how can I further debug it?
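As an added example (not part of the question, and not AWS's evaluation engine), the script below evaluates the policy's `Condition` block offline against constructed tag sets, using the documented semantics of `StringEquals` and `StringLike`: every operator and key must match, several values for one key are ORed, and a tag missing from the resource fails the condition. It also shows the caveat that `*developers*` is a substring match, so a hypothetical team value such as `developers-external` would be allowed too.

```python
import re

# Condition block copied from the question's "AllowReadingFunctionsByTags" statement.
CONDITION = {
    "StringLike": {"aws:ResourceTag/team": "*developers*"},
    "StringEquals": {"aws:ResourceTag/environment": ["dev", "stg"]},
}

def _like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    rx = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(rx, value) is not None

# Every operator and every key must match (AND); several values for one key are ORed.
OPERATORS = {"StringEquals": lambda p, v: p == v, "StringLike": _like}

def condition_matches(condition, tags):
    """Return True when the resource's tags satisfy every operator/key in `condition`."""
    for op, keys in condition.items():
        test = OPERATORS[op]
        for key, patterns in keys.items():
            if not key.startswith("aws:ResourceTag/"):
                raise ValueError(f"unsupported condition key: {key}")
            tag = key[len("aws:ResourceTag/"):]
            if tag not in tags:  # a missing tag makes the condition false (no IfExists used here)
                return False
            if isinstance(patterns, str):
                patterns = [patterns]
            if not any(test(p, tags[tag]) for p in patterns):
                return False
    return True

# Constructed sample tag sets, modelled on the question's examples.
SAMPLES = {
    "single team, dev": {"team": "developers", "environment": "dev"},
    "multi team, stg": {"team": "developers devops finance", "environment": "stg"},
    "multi team, prod": {"team": "developers devops", "environment": "prod"},
    "no team tag": {"environment": "dev"},
    "substring over-match": {"team": "developers-external", "environment": "dev"},
}

if __name__ == "__main__":
    for label, tags in SAMPLES.items():
        print(f"{label:22s} -> {'allow' if condition_matches(CONDITION, tags) else 'deny'}")
```

If the local evaluation allows a tag set that the console denies, the policy text itself is consistent and the cause lies elsewhere (in this case, at the account level as the answer explains).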
After we talked with AWS support, they found that there is a feature regarding filtering with tags that is disabled on old accounts, to prevent breaking things. This feature block is not set on new accounts.
To fix this issue, you'll need to contact AWS Support.