
It’s worse than that with respect to (1): any process on _any_ instance which has tag setting permissions can set the tag for _any other_ instance, since conditions don’t support scoping to instance ID.

Re (2) technically you cannot have any roles attached directly, but instead attach an instance profile (the distinction is clearer via the API than the console). The shape of the API for an instance profile clearly was designed to support multiple roles, but in practice is limited to one. It’s typical to create a role with many policies attached for each functional type of instance, so in practice it doesn’t matter too much.




1) CreateTags does support scoping using StringEquals with ec2:SourceInstanceARN and comparing that with the aws:arn

  "aws:ARN": "${ec2:SourceInstanceARN}"
It will give you a warning when creating through web console, but the condition works.


TIL - thanks for the heads up. Is this a documented substitution?


I don't think so... I have been trying to find it for a few years now, but it just won't turn up anywhere.

FYI, I personally use resource tags as well on top of this, just to limit the scope (in case it magically disappears one day).
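Putting the two replies above together, here is an added example of an instance-profile policy (not from either commenter) that lets an instance tag only itself and only instances already carrying a specific tag. The `Role=web` tag and the allowed tag keys are assumed names for illustration, and the `aws:ARN` / `${ec2:SourceInstanceARN}` match relies on the undocumented substitution described above, so it is worth checking with the IAM policy simulator before depending on it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TagOnlySelfAndOnlyTaggedInstances",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ARN": "${ec2:SourceInstanceARN}",
          "aws:ResourceTag/Role": "web"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": ["Status", "LastUpdated"]
        }
      }
    }
  ]
}
```

Without the `Condition` block, the same statement is the unscoped grant the first comment warns about: any instance with this profile could retag any other instance in the account.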



