simulate_principal_policy: ecs:ResourceTag/* condition keys not evaluated (implicitDeny for allowed actions)

[jhjaggars]

Summary

iam.SimulatePrincipalPolicy returns implicitDeny for actions that should be allowed when the policy condition uses ecs:ResourceTag/* context keys supplied via ContextEntries. The same policies enforce correctly when using LocalStack's IAM enforcement mode (ENFORCE_IAM=1) at runtime.

Environment

• LocalStack Pro, latest tag
• Triggered via CI using compose.ci.yml (Docker executor)
• ENFORCE_IAM=1 is not set for simulation tests (using the simulate_principal_policy API directly)

Reproduction

Case 1: ABAC policy with ${aws:PrincipalTag/username}

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ExecuteCommandOnOwnedTasks",
    "Effect": "Allow",
    "Action": ["ecs:ExecuteCommand"],
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "ecs:ResourceTag/username": "${aws:PrincipalTag/username}"
      }
    }
  }]
}

result = iam_client.simulate_principal_policy(
    PolicySourceArn=role_arn,
    ActionNames=["ecs:ExecuteCommand"],
    ResourceArns=["arn:aws:ecs:us-east-2:123456789012:task/test-cluster/alice-task-001"],
    ContextEntries=[
        {"ContextKeyName": "aws:PrincipalTag/username", "ContextKeyValues": ["alice"], "ContextKeyType": "string"},
        {"ContextKeyName": "ecs:ResourceTag/username",  "ContextKeyValues": ["alice"], "ContextKeyType": "string"},
    ]
)
print(result["EvaluationResults"][0]["EvalDecision"])
# Actual:   implicitDeny
# Expected: allowed  (PrincipalTag/username == ResourceTag/username == "alice")

Case 2: Reaper policy with ForAnyValue:StringLike on deadline tag

{
  "Sid": "StopExpiredTasks",
  "Effect": "Allow",
  "Action": "ecs:StopTask",
  "Resource": "arn:aws:ecs:us-east-1:123456789012:task/test-cluster/*",
  "Condition": {
    "ForAnyValue:StringLike": { "ecs:ResourceTag/deadline": "*" }
  }
}

result = iam_client.simulate_principal_policy(
    PolicySourceArn=role_arn,
    ActionNames=["ecs:StopTask"],
    ResourceArns=["arn:aws:ecs:us-east-1:123456789012:task/test-cluster/task-abc"],
    ContextEntries=[
        {"ContextKeyName": "ecs:ResourceTag/deadline", "ContextKeyValues": ["2026-03-30T12:00:00"], "ContextKeyType": "string"}
    ]
)
print(result["EvaluationResults"][0]["EvalDecision"])
# Actual:   implicitDeny
# Expected: allowed  (deadline tag is present)

Expected Behavior

When ContextEntries supplies ecs:ResourceTag/<key> values, simulate_principal_policy should evaluate ecs:ResourceTag/* conditions against those values, the same way it handles aws:PrincipalTag/* and other global condition keys. Real AWS IAM Policy Simulator handles this correctly.

Impact

This prevents testing ABAC policies that use ecs:ResourceTag/* conditions — a common pattern for ECS task isolation and timeout enforcement — via simulate_principal_policy. We are forced to skip these simulation-based tests and fall back to structural (policy document) tests only.

See: openshift-online/rosa-boundary#27

Related

• localstack/.github#22 (filed here in error before finding the correct channel)