
AWS permission to list subset of IAM roles


I have an IAM role my-role that I want to allow to make the aws iam list-roles call. However, I don't want it to simply return all roles, but only those relevant to my-role, for example those tagged with a specific tag foo=bar (filtering on name is also acceptable for me).

When I configure the my-role permissions like this:

        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/foo": "bar"
                }
            }
        }

I get an error when I call aws iam list-roles:

An error occurred (AccessDenied) when calling the ListRoles operation: User: arn:aws:sts::849104738271:assumed-role/my-role/i-0b9242f9846123b29 is not authorized to perform: iam:ListRoles on resource: arn:aws:iam::849104738271:role/ because no identity-based policy allows the iam:ListRoles action

I've also tried removing the Condition part, changing the Resource prefix, and using the --path-prefix parameter of list-roles, but the roles that I want to return have path / and the prefix is only part of the RoleName.

How can I adjust the privileges, or change the request so that I get the roles with specified tag?


Solution

  • The Actions, resources, and condition keys for AWS Identity and Access Management (IAM) - Service Authorization Reference does NOT list any valid condition keys for ListRoles.

    Therefore, you can only grant permission to list ALL roles, or NOT to list roles. There is no ability to limit which roles are requested or returned.
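Since the action itself cannot be scoped, the practical pattern is to grant iam:ListRoles on "*" with no Condition and apply the foo=bar filter client-side, reading each role's tags with iam:ListRoleTags (which, unlike ListRoles, does take a role ARN as its resource). The following is an added example, not code from the question or the answer above; the function names, the policy's placeholder account ID and the sample role/tag data are this example's own assumptions, and the live function needs boto3 with credentials in the environment.

```python
"""Client-side tag filtering for ListRoles (added example, not from the original post).

iam:ListRoles accepts neither resource-level permissions nor condition keys, so the
policy grants it on "*" unconditionally; the foo=bar filter is applied afterwards
using iam:ListRoleTags, which can be restricted to role ARNs. Names and sample
data below are assumptions made for this example.
"""
import json
from typing import Callable, Dict, Iterable, List

# Minimal identity-based policy for my-role. ListRoles must be "*" with no Condition;
# ListRoleTags can be scoped to role ARNs. The account ID is a placeholder.
MINIMAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListAllRoles", "Effect": "Allow",
         "Action": "iam:ListRoles", "Resource": "*"},
        {"Sid": "ReadRoleTags", "Effect": "Allow",
         "Action": "iam:ListRoleTags",
         "Resource": "arn:aws:iam::123456789012:role/*"},
    ],
}

# Constructed sample data shaped like ListRoles / ListRoleTags responses.
SAMPLE_ROLES: List[Dict] = [
    {"RoleName": "my-role", "Path": "/", "Arn": "arn:aws:iam::123456789012:role/my-role"},
    {"RoleName": "app-worker", "Path": "/", "Arn": "arn:aws:iam::123456789012:role/app-worker"},
    {"RoleName": "app-admin", "Path": "/", "Arn": "arn:aws:iam::123456789012:role/app-admin"},
    {"RoleName": "unrelated", "Path": "/", "Arn": "arn:aws:iam::123456789012:role/unrelated"},
]
SAMPLE_TAGS: Dict[str, List[Dict[str, str]]] = {
    "app-worker": [{"Key": "foo", "Value": "bar"}],
    "app-admin": [{"Key": "foo", "Value": "baz"}, {"Key": "env", "Value": "prod"}],
    # "my-role" and "unrelated" carry no tags at all.
}


def role_has_tag(tags: Iterable[Dict[str, str]], key: str, value: str) -> bool:
    """True if the tag list contains an exact Key/Value match."""
    return any(t.get("Key") == key and t.get("Value") == value for t in tags)


def filter_roles_by_tag(
    roles: Iterable[Dict],
    get_tags: Callable[[str], List[Dict[str, str]]],
    key: str,
    value: str,
) -> List[Dict]:
    """Keep only roles whose tags (fetched via get_tags(role_name)) include key=value."""
    return [r for r in roles if role_has_tag(get_tags(r["RoleName"]), key, value)]


def list_roles_with_tag(key: str, value: str, path_prefix: str = "/") -> List[Dict]:
    """Live version: paginate ListRoles, then ListRoleTags per role. Needs boto3 credentials."""
    import boto3  # imported here so the pure helpers above work offline

    iam = boto3.client("iam")
    roles: List[Dict] = []
    for page in iam.get_paginator("list_roles").paginate(PathPrefix=path_prefix):
        roles.extend(page["Roles"])

    def get_tags(role_name: str) -> List[Dict[str, str]]:
        # ListRoleTags is marker-paginated; follow IsTruncated until the list is complete.
        tags, marker = [], None
        while True:
            kwargs = {"RoleName": role_name}
            if marker:
                kwargs["Marker"] = marker
            resp = iam.list_role_tags(**kwargs)
            tags.extend(resp["Tags"])
            if not resp.get("IsTruncated"):
                return tags
            marker = resp["Marker"]

    return filter_roles_by_tag(roles, get_tags, key, value)


def matching_role_names(key: str = "foo", value: str = "bar") -> List[str]:
    """Run the filter over the constructed sample data and return the matching names."""
    matched = filter_roles_by_tag(SAMPLE_ROLES, lambda n: SAMPLE_TAGS.get(n, []), key, value)
    return [r["RoleName"] for r in matched]


if __name__ == "__main__":
    print(json.dumps(MINIMAL_POLICY, indent=2))
    print("sample roles tagged foo=bar:", matching_role_names())
```

Note that this still discloses the names of every role in the account to my-role; the filter only reduces what the caller's own code acts on. If the concern is disclosure rather than convenience, the alternative is to avoid iam:ListRoles entirely and instead record the relevant role ARNs somewhere my-role is allowed to read (for example a parameter or a naming convention it already knows), then call iam:GetRole on just those ARNs, which does support resource-level permissions.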