awsdocs/iam-user-guide

Inconsistent behavior across ARC pages for certain condition keys like aws:ResourceTag

Closed this issue · 1 comment

I just filed awsdocs/amazon-cloudwatch-user-guide#25 against CloudWatch, but upon further inspection it seems like the ARC pages aren't terribly consistent in how they treat that condition.

For example, the EC2 page lists ec2:ResourceTag/${TagKey} 145 times across the page on every action that supports it. On the other hand, the IAM page (and the CloudWatch page from the ticket above) seems to only list it in the resource table, as far as I understand it, implying that whenever that resource is used, the ec2:ResourceTag/${TagKey} condition key is available on it.

Both of the approaches seem fine but it was confusing to me to see both in use across these autogenerated ARC pages. Is there a meaningful difference between the two of them or is this accidental?

The information on these pages is provided to IAM by the service teams. We give them guidance, but they don't always follow that guidance. It's a symptom of the many, many services that AWS offers.

Here's the way it should behave:
#1 - Condition keys are complicated critters. For example, the ResourceTag key might or might not exist on the specified resource. Probably all EC2 resources support the key, but that's not the case in all services that support tagging-based authorization. Ultimately, these pages in IAM reflect which actions in the service CAN support the key.

#2 - If a condition key is listed in the table of keys, but not for any specific actions, you SHOULD be able to infer that it CAN work for all actions. (Again, that doesn't mean that it works in all situations.)

#3 - Trial and error is the only method to know for sure today. The current docs are a step in the right direction, and as more customers use them and report inaccuracies, they will become more and more accurate.

These Action, Resource, and Condition Key pages are very important to us. We update these pages several times a week and sometimes several times a day. To see the latest version, view the HTML pages. We manually push the changes to GitHub on Fridays.
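The issue above contrasts two ways the ARC pages present `ec2:ResourceTag/${TagKey}` (per action versus once in the resource table), and the reply says trial and error is the only way to know for sure whether a key gates a given action. The IAM policy simulator (`iam.simulate_custom_policy`) is the cheaper form of that trial: you pass a candidate policy, an action, a resource ARN and, via `ContextEntries`, the value the simulator should assume for the tag key, and the result reports the decision plus any `MissingContextValues` the policy referenced but you did not supply. The following is an added example, not code from this issue thread, from the awsdocs project or from AWS; the helper names (`build_simulation_request`, `evaluate`, `OfflineSimulator`) and the account id, instance id and `Environment` tag are constructed for illustration. The `OfflineSimulator` is a stand-in so the script runs without credentials; the `live` argument swaps in a real boto3 client.

```python
"""Check whether a tag-based condition key such as ec2:ResourceTag/${TagKey}
gates an action, using the IAM policy simulator instead of trial and error.

Added example, not code from the awsdocs issue or from AWS; the helper names
(build_simulation_request, evaluate, OfflineSimulator) and the sample account,
instance and tag values are constructed for illustration.
"""
import fnmatch
import json

# Constructed sample policy in the per-action style the EC2 ARC page documents:
# the condition is attached to the action and scoped to instance ARNs.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "StopOnlyDevInstances",
        "Effect": "Allow",
        "Action": ["ec2:StopInstances"],
        "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "dev"}},
    }],
}


def build_simulation_request(policy, action, resource_arn, tag_key, tag_value=None):
    """Build kwargs for iam.simulate_custom_policy(). A ContextEntries item tells
    the simulator what value to assume for the resource tag; omitting it shows
    whether the key is required at all (it then appears in MissingContextValues)."""
    request = {
        "PolicyInputList": [json.dumps(policy)],
        "ActionNames": [action],
        "ResourceArns": [resource_arn],
    }
    if tag_value is not None:
        request["ContextEntries"] = [{
            "ContextKeyName": f"ec2:ResourceTag/{tag_key}",
            "ContextKeyValues": [tag_value],
            "ContextKeyType": "string",
        }]
    return request


def evaluate(client, policy, action, resource_arn, tag_key, tag_value=None):
    """Run the simulation and reduce the first result to (decision, missing_keys)."""
    resp = client.simulate_custom_policy(
        **build_simulation_request(policy, action, resource_arn, tag_key, tag_value))
    result = resp["EvaluationResults"][0]
    return result["EvalDecision"], sorted(result.get("MissingContextValues", []))


class OfflineSimulator:
    """Constructed stand-in for a boto3 IAM client so the example runs without
    credentials. It evaluates only Allow statements with StringEquals conditions
    and returns a response shaped like the real simulate_custom_policy output."""

    def simulate_custom_policy(self, PolicyInputList, ActionNames, ResourceArns,
                               ContextEntries=()):
        ctx = {e["ContextKeyName"]: e["ContextKeyValues"] for e in ContextEntries}
        results = []
        for action in ActionNames:
            for arn in ResourceArns:
                decision, missing = "implicitDeny", set()
                for doc in PolicyInputList:
                    for st in json.loads(doc)["Statement"]:
                        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
                        if (st["Effect"] != "Allow" or action not in actions
                                or not fnmatch.fnmatchcase(arn, st["Resource"])):
                            continue
                        conds = st.get("Condition", {}).get("StringEquals", {})
                        unmet = [k for k in conds if k not in ctx]
                        if unmet:
                            missing.update(unmet)  # key required, no value supplied
                            continue
                        if all(conds[k] in ctx[k] for k in conds):
                            decision = "allowed"
                results.append({"EvalActionName": action, "EvalResourceName": arn,
                                "EvalDecision": decision,
                                "MissingContextValues": sorted(missing)})
        return {"EvaluationResults": results}


if __name__ == "__main__":
    import sys
    client = OfflineSimulator()
    if len(sys.argv) > 1 and sys.argv[1] == "live":
        import boto3  # only needed for the real simulator
        client = boto3.client("iam")
    arn = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"
    for value in ("dev", "prod", None):
        print(value, evaluate(client, POLICY, "ec2:StopInstances", arn, "Environment", value))
```

Running it without arguments exercises the offline stand-in: a `dev` tag is allowed, a `prod` tag is implicitly denied, and leaving the tag value out reports `ec2:ResourceTag/Environment` as a missing context key, which is the signal that the condition is actually being consulted for that action. Against the live simulator the same three calls tell you whether the service honours the key for the action and resource you care about, without touching a real instance.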