Grant permission to tag resources during creation
Some resource-creating Amazon DRS API actions allow you to specify tags when you create the resource. You can use resource tags to implement attribute-based control (ABAC).
To allow users to tag resources on creation, they must have permissions to use the
action that creates the resource, such as drs:CreateSourceServerForDrs
for source server or drs:CreateRecoveryInstanceForDrs
for Recovery
instances. If tags are specified in the resource-creating action, Amazon performs
additional authorization on the drs:TagResource
action to verify that
users have permissions to create tags. Therefore, users must also have explicit
permissions to use the drs:TagResource
action.
In the IAM policy definition for the drs:TagResource
action, use the Condition
element with the drs:CreateAction
condition key to give tagging permissions to the
action that creates the resource.
The following example demonstrates a policy that allows an agent installer to
create a source server or recover instance and apply any tags to the resource on
creation. The installer is not permitted to tag any existing resources (it cannot
call the drs:TagResource
action directly).
The drs:TagResource
action is only evaluated if tags are applied during the
resource-creating action. Therefore, an installer that has permissions to create a resource (assuming
there are no tagging conditions) does not require permissions to use the drs:TagResource
action
if no tags are specified in the request. However, if the installer attempts to create a resource with
tags, the request fails if the installer does not have permissions to use the drs:TagResource
action.