Is it possible to create a policy that gives a role access to update tags on ec2 instances that are part of a specific ASG? My Google skills are failing me
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "autoscaling:DescribeAutoScalingGroups",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "autoscaling:groupName": "<ASG_NAME>"
        }
      }
    }
  ]
}
```
not tested. I don’t have any ASGs to bump this against currently
My most recent idea was to use the tag on the instances
Will look into this and see if it works, thanks for the suggestion!
I’m going to try out this approach looking for the aws:autoscaling:groupName tag, will report back if it works
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/control-access-with-tags.html
That way I don’t need to give any access to the autoscaling group itself
if that didn’t work, https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-tagging.html#tag-lifecycle there is an automatically created tag aws:autoscaling:groupName
Yep that’s what I ended up using!
https://og-aws.slack.com/archives/C2M3XL0QP/p1718030891154229?thread_ts=1718022586.449049&cid=C2M3XL0QP
Forgot to report back… Not positive I’ve fully tested it