End of support notice: On September 10, 2025, AWS will discontinue support for AWS RoboMaker. After September 10, 2025, you will no longer be able to access the AWS RoboMaker console or AWS RoboMaker resources. For more information on transitioning to AWS Batch to help run containerized simulations, visit this blog post.
Using tags with IAM policies
You can apply tag-based resource-level permissions in the IAM policies you use for AWS RoboMaker API actions. This gives you better control over what resources a user can create, modify, or use. You use the Condition element (also called the Condition block) with the following condition context keys and values in an IAM policy to control user access (permissions) based on a resource's tags:
-
Use aws:ResourceTag/tag-key: tag-value to allow or deny user actions on resources that already carry a specific tag. The key is read from the tags on the resource named in the request, not from the request itself.
-
Use aws:RequestTag/tag-key: tag-value to require that a specific tag be used (or not used) when making an API request to create or modify a resource that allows tags. The key is read from the tags passed in the request.
-
Use aws:TagKeys: [tag-key, ...] to require that a specific set of tag keys be used (or not used) when making an API request to create or modify a resource that allows tags. Because aws:TagKeys is a multivalued key, compare it with the ForAnyValue or ForAllValues set operators (for example, ForAllValues:StringEquals) rather than a plain StringEquals.
Note
The condition context keys and values in an IAM policy apply only to those AWS RoboMaker actions where an identifier for a resource capable of being tagged is a required parameter. For example, the use of ListFleets will not be allowed or denied on the basis of condition context keys and values because no taggable resource (fleet, robot, robot application, simulation application, simulation job, deployment job) is referenced in this request.
For more information, see Controlling access to AWS resources using tags in the AWS Identity and Access Management User Guide. The IAM JSON policy reference section of that guide has detailed syntax, descriptions, and examples of the elements, variables, and evaluation logic of JSON policies in IAM.
The following example policy applies two tag-based restrictions. An IAM user restricted by this policy:
-
Cannot create a robot with tag "env=prod" (in the example, see the line "aws:RequestTag/env" : "prod").
-
Cannot delete a robot that has an existing tag "env=prod" (in the example, see the line "aws:ResourceTag/env" : "prod").
{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Deny",
      "Action" : "robomaker:CreateRobot",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : { "aws:RequestTag/env" : "prod" }
      }
    },
    {
      "Effect" : "Deny",
      "Action" : "robomaker:DeleteRobot",
      "Resource" : "*",
      "Condition" : {
        "StringEquals" : { "aws:ResourceTag/env" : "prod" }
      }
    },
    {
      "Effect" : "Allow",
      "Action" : "robomaker:*",
      "Resource" : "*"
    }
  ]
}
The final statement grants every RoboMaker action; the two Deny statements still take effect because an explicit Deny overrides any Allow in IAM policy evaluation. A CreateRobot request that carries no env tag at all is not denied, because a StringEquals condition on a key that is absent from the request evaluates to false.
You can also specify multiple tag values for a given tag key by enclosing them in a list. The condition matches when the tag has any one of the listed values:
"StringEquals" : { "aws:ResourceTag/env" : ["dev", "test"] }
Note
If you allow or deny users access to resources based on tags, you must also consider explicitly denying users the ability to add those tags to or remove them from the same resources (for RoboMaker, the robomaker:TagResource and robomaker:UntagResource actions, conditioned on aws:TagKeys). Otherwise, a user can circumvent your restrictions and gain access to a resource by modifying its tags: in the example above, retagging a robot from env=prod to env=dev, or removing the env tag, makes the DeleteRobot restriction no longer apply.
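The following is an added example, not code from this page or from AWS: a small local model of the subset of IAM evaluation semantics the example policy above relies on (Action wildcards, StringEquals on aws:RequestTag/key and aws:ResourceTag/key, ForAnyValue:StringEquals on aws:TagKeys, and "an explicit Deny overrides any Allow"). It replays the page's policy against constructed requests, shows the retag-then-delete bypass the Note warns about, and shows a hardened variant that adds a Deny on the tagging actions. The request contexts are constructed for illustration; the policy evaluator is a teaching model and is not the IAM policy engine.

```python
"""Local model of the tag-based RoboMaker policy on this page.

Added example (not AWS code). Models only: Action wildcards, StringEquals on
aws:RequestTag/<key> and aws:ResourceTag/<key>, ForAnyValue:StringEquals on
aws:TagKeys, and explicit-Deny-wins. Resource ARNs, NotAction, SCPs and the
rest of IAM are out of scope.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# The example policy from this page, as a Python dict.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "robomaker:CreateRobot", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/env": "prod"}}},
        {"Effect": "Deny", "Action": "robomaker:DeleteRobot", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/env": "prod"}}},
        {"Effect": "Allow", "Action": "robomaker:*", "Resource": "*"},
    ],
}

# Hardened variant: same statements plus an explicit Deny on the RoboMaker
# tagging actions whenever the request names the "env" key. aws:TagKeys is
# multivalued, so it needs a ForAnyValue set operator.
TAG_GUARD = {
    "Effect": "Deny",
    "Action": ["robomaker:TagResource", "robomaker:UntagResource"],
    "Resource": "*",
    "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": ["env"]}},
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": PAGE_POLICY["Statement"][:2] + [TAG_GUARD] + PAGE_POLICY["Statement"][2:],
}


@dataclass
class Request:
    """Constructed request context: just the fields the page's condition keys read."""
    action: str
    resource_tags: dict = field(default_factory=dict)  # tags on the resource -> aws:ResourceTag/<k>
    request_tags: dict = field(default_factory=dict)   # tags in the call     -> aws:RequestTag/<k>
    tag_keys: Optional[list] = None                    # aws:TagKeys; defaults to request_tags keys

    def context(self, key):
        """Resolve a condition context key; None means the key is absent from the request."""
        if key.startswith("aws:RequestTag/"):
            return self.request_tags.get(key.split("/", 1)[1])
        if key.startswith("aws:ResourceTag/"):
            return self.resource_tags.get(key.split("/", 1)[1])
        if key == "aws:TagKeys":
            keys = self.tag_keys if self.tag_keys is not None else list(self.request_tags)
            return keys or None
        raise ValueError(f"context key not modelled: {key}")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def condition_matches(condition, req):
    """All operators in a Condition block must hold; an absent key fails StringEquals."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual, wanted = req.context(key), _as_list(wanted)
            if operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "ForAnyValue:StringEquals":
                if actual is None or not any(v in wanted for v in _as_list(actual)):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy, req):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for req under policy."""
    effects = set()
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(req.action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if condition_matches(stmt.get("Condition", {}), req):
            effects.add(stmt["Effect"])
    if "Deny" in effects:  # an explicit Deny always wins over an Allow
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def bypass_walkthrough(policy):
    """Replay the retag-then-delete bypass from the Note; returns each step's verdict."""
    prod = {"env": "prod"}
    return {
        "delete prod robot": evaluate(policy, Request("robomaker:DeleteRobot", resource_tags=prod)),
        "retag env=dev": evaluate(policy, Request("robomaker:TagResource", resource_tags=prod,
                                                   request_tags={"env": "dev"})),
        "untag env": evaluate(policy, Request("robomaker:UntagResource", resource_tags=prod,
                                               tag_keys=["env"])),
        # Only reachable if one of the two previous calls was allowed; after it the
        # robot no longer carries env=prod and the Deny on DeleteRobot does not fire.
        "delete after retag": evaluate(policy, Request("robomaker:DeleteRobot",
                                                       resource_tags={"env": "dev"})),
    }


if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("hardened policy", HARDENED_POLICY)):
        print(name, bypass_walkthrough(pol))
```

Under the page policy the retag and untag steps are allowed, so the delete that follows succeeds; under the hardened policy both tagging calls are denied, while tagging calls that do not touch the env key (for example, only an owner tag) remain allowed. The same evaluator also shows that a CreateRobot request with no env tag is allowed, because StringEquals on an absent key is false.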