Tags: amazon-web-services, amazon-iam, amazon-policy

Is using tag values to control access to a resource possible?
In an attempt to give an instance access to a specific folder in an s3 bucket, I've got this in a policy:

"Resource": "arn:aws:s3:::My_Bucket/db_backups/${aws:ResourceTag/Name}/*"

It doesn't work. Documentation for using tags like this is here: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_iam-tags.html

So perhaps what I'm trying to do is not possible.

But I'd rather not create a new role for each instance that needs access to a folder. Is there some other way I can pull this off?
Solution

  • You can use IAM policy elements: Variables and tags - AWS Identity and Access Management to write a single policy that applies to multiple IAM Users / IAM Roles.

    As shown in that documentation, using an aws:userid variable will insert role-id:ec2-instance-id. Thus, the instances could be granted access to paths that match their role and instance, such as:

    s3://bucketname/AROAU2DKSKXYQTOSDGTGX:i-abcd1234/*
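An added, complete version of the policy the answer describes (it is my example, not code from the question or the answer). It also covers the question's original attempt: `${aws:ResourceTag/Name}` did not work because `aws:ResourceTag` reads tags on the resource being accessed (the bucket or object), not on the calling instance, whereas `${aws:userid}` for an EC2 instance-profile session resolves to `role-id:instance-id`, which is unique per instance. Assumptions, all constructed for this example: the bucket is `My_Bucket`, backups live under `db_backups/<role-id>:<instance-id>/...`, and the role id `AROAU2DKSKXYQTOSDGTGX` and instance id `i-abcd1234` are the placeholders from the answer. The `object_allowed` helper is a local approximation of IAM resource matching for illustration only, not the IAM policy simulator.

```python
"""Added example (not from the original question or answer).

Builds one IAM policy that lets each EC2 instance reach only its own prefix
in an S3 bucket, using the ${aws:userid} policy variable from the answer.
For credentials obtained from an EC2 instance profile, aws:userid resolves
to "<role-id>:<instance-id>", so no per-instance role is needed.

Assumptions (constructed for this example): bucket "My_Bucket", key layout
"db_backups/<role-id>:<instance-id>/...", and the role id
"AROAU2DKSKXYQTOSDGTGX" / instance id "i-abcd1234" quoted in the answer.
"""
import fnmatch
import json

BUCKET = "My_Bucket"
PREFIX = "db_backups"


def build_policy(bucket: str = BUCKET, prefix: str = PREFIX) -> dict:
    """Return the IAM policy document as a dict (json.dumps it to attach).

    Policy variables need "Version": "2012-10-17"; under the 2008 version
    "${aws:userid}" is treated as a literal string and never matches.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # ListBucket is a bucket-level action, so the per-instance
                # restriction goes into an s3:prefix condition, not the ARN.
                "Sid": "ListOwnBackupPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {
                    "StringLike": {"s3:prefix": f"{prefix}/${{aws:userid}}/*"}
                },
            },
            {
                # Object-level actions: the variable sits in the object ARN,
                # which is where the question tried to use aws:ResourceTag.
                "Sid": "ReadWriteOwnBackupPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/${{aws:userid}}/*",
            },
        ],
    }


def instance_userid(role_id: str, instance_id: str) -> str:
    """Value of aws:userid for an EC2 instance-profile session."""
    return f"{role_id}:{instance_id}"


def effective_resource(policy: dict, sid: str, userid: str) -> str:
    """Substitute ${aws:userid} into the Resource of the named statement."""
    stmt = next(s for s in policy["Statement"] if s["Sid"] == sid)
    return stmt["Resource"].replace("${aws:userid}", userid)


def object_allowed(policy: dict, userid: str, bucket: str, key: str) -> bool:
    """Local approximation of IAM resource matching for the object statement.

    Only the Resource pattern is checked ('*' matches any characters,
    including '/', as in IAM ARN patterns). Illustration only; it is not
    a substitute for the IAM policy simulator.
    """
    pattern = effective_resource(policy, "ReadWriteOwnBackupPrefix", userid)
    return fnmatch.fnmatchcase(f"arn:aws:s3:::{bucket}/{key}", pattern)


if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    uid = instance_userid("AROAU2DKSKXYQTOSDGTGX", "i-abcd1234")
    print(effective_resource(build_policy(), "ReadWriteOwnBackupPrefix", uid))
```

The instance must write its backups under a key that embeds its own `aws:userid` (a colon is a legal character in an S3 key); a second instance using the same role gets a different instance id and therefore a different prefix, so one role and one policy serve every instance.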