Tags for Roles and IAM Users
How to Name Tags?
Observe the following conventions when naming tags for IAM roles, IAM users, STS federated user sessions and STS assume-role sessions:
- Tag keys and values can include spaces, letters, numbers and the following symbols: _ . : / = + - @
- Tag key-value pairs are not case sensitive, but case is preserved. You therefore cannot have separate Department and department tag keys on the same entity.
- A tag key or value cannot begin with the text aws:. That prefix is reserved for AWS internal use.
- A tag can have an empty value, such as pageNumber = "". A tag key cannot be empty.
- A single tag cannot have multiple values. If you need several values under one key, build a custom multi-value structure inside the single value with a separator of your choosing, for example team = Engineering:QA. Attaching team = QA to an entity that already carries team = Engineering does not add a second value; it replaces Engineering with QA.
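IAM rejects a whole TagUser or TagRole request when a single key or value breaks these rules, so it pays to check a tag set locally first. The POSIX shell script below is an added example, not part of the AWS documentation: it encodes the naming rules above together with the IAM quotas (50 tags per user or role, 128-character keys, 256-character values). The function names and the sample tags in the usage line are chosen for this example.

```shell
#!/bin/sh
# Pre-flight check for IAM tag keys and values against the naming rules above.
# Added example, not from the AWS documentation. The limits used here (50 tags per
# user or role, 128-character keys, 256-character values) are the IAM quotas.
set -u

# Allowed characters: letters, numbers, space and _ . : / = + - @
iam_tag_charset='^[[:alnum:] _.:/=+@-]*$'
nl=$(printf '\nx'); nl=${nl%x}   # a literal newline, which no tag may contain

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# validate_iam_tag KEY VALUE: returns 0 if the pair is valid, otherwise prints the
# first violation and returns 1
validate_iam_tag() {
  key=$1 value=$2
  [ -n "$key" ] || { echo "tag key must not be empty"; return 1; }
  [ "${#key}" -le 128 ] || { echo "key longer than 128 characters: $key"; return 1; }
  [ "${#value}" -le 256 ] || { echo "value longer than 256 characters for key: $key"; return 1; }
  # aws: is reserved; compared case-insensitively because IAM treats keys that way
  case "$(lower "$key")" in aws:*) echo "key uses the reserved prefix aws: $key"; return 1 ;; esac
  case "$(lower "$value")" in aws:*) echo "value uses the reserved prefix aws: for key: $key"; return 1 ;; esac
  for s in "$key" "$value"; do
    case $s in *"$nl"*) echo "newline is not allowed in tag for key: $key"; return 1 ;; esac
    printf '%s\n' "$s" | grep -Eq "$iam_tag_charset" \
      || { echo "disallowed character in tag for key: $key"; return 1; }
  done
  return 0
}

# validate_iam_tag_set key=value ...: validates every pair, enforces the 50-tag limit
# and rejects keys that differ only in case (Department vs department)
validate_iam_tag_set() {
  [ "$#" -le 50 ] || { echo "more than 50 tags: $#"; return 1; }
  seen='|'
  for pair in "$@"; do
    case $pair in *=*) ;; *) echo "expected key=value, got: $pair"; return 1 ;; esac
    validate_iam_tag "${pair%%=*}" "${pair#*=}" || return 1
    lkey=$(lower "${pair%%=*}")
    case $seen in *"|$lkey|"*) echo "duplicate key (case-insensitive): ${pair%%=*}"; return 1 ;; esac
    seen="$seen$lkey|"
  done
  return 0
}

# Usage: sh iam-tag-check.sh team=Engineering:QA pageNumber= owner=alice
if [ "$#" -gt 0 ]; then
  validate_iam_tag_set "$@" && echo "all $# tags are valid"
fi
```

The duplicate check lower-cases keys before comparing them, which is what makes the Department/department pair fail even though IAM would accept either key on its own.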
How to Apply and Edit Tags?
Observe the following when attaching tags to users or roles:
- Users and roles can be tagged; groups cannot. (IAM later added tag support for customer managed policies through iam:TagPolicy, iam:UntagPolicy and iam:ListPolicyTags; IAM groups remain untaggable.)
- Tag Editor cannot be used for IAM entities; it does not support IAM tags.
- Tagging or untagging an IAM entity requires specific permissions, and tagging or untagging users and roles additionally requires permission to list their tags.
- The number and size of tags on a user or role are limited: at most 50 tags per entity, keys of up to 128 characters and values of up to 256 characters.
- The same tag can be applied to multiple IAM entities.
- An IAM entity cannot carry more than one instance of the same tag key.
- To edit a tag on a user or role, attach a tag with the same key and the new value; it overwrites the existing tag.
What are the Permissions needed to Tag IAM Entities?
You can specify one or all of the following IAM tag actions in an IAM policy:
- iam:TagUser
- iam:ListRoleTags
- iam:UntagRole
- iam:TagRole
- iam:UntagUser
- iam:ListUserTags
Allowing an IAM entity to add, list or remove a tag for a specific user
Add the following statement to the permissions policy of the IAM entity that needs to manage the user's tags. Use your own account ID in place of <account-number> and the user's name in place of <username>. Note that IAM ARNs have an empty region field.
{
    "Effect": "Allow",
    "Action": [
        "iam:ListUserTags",
        "iam:TagUser",
        "iam:UntagUser"
    ],
    "Resource": "arn:aws:iam::<account-number>:user/<username>"
}
Allowing an IAM user to self-manage tags
Add the following statement to the users' permissions policy to let each user manage only their own tags. The ${aws:username} policy variable resolves to the name of the calling user, so a user granted this statement cannot tag or untag anyone else.
{
    "Effect": "Allow",
    "Action": [
        "iam:ListUserTags",
        "iam:TagUser",
        "iam:UntagUser"
    ],
    "Resource": "arn:aws:iam::<account-number>:user/${aws:username}"
}
Allowing an IAM entity to add, but not remove, a tag for a specific user
Add the following statement to the permissions policy of the IAM entity that needs to add, but not remove, tags for a specific user. Replace <username> with the user's name.
Keep in Mind
The iam:TagRole and iam:TagUser actions also require the iam:ListRoleTags and iam:ListUserTags actions respectively, which is why the list action stays in this statement even though only adding is intended.
{
    "Effect": "Allow",
    "Action": [
        "iam:ListUserTags",
        "iam:TagUser"
    ],
    "Resource": "arn:aws:iam::<account-number>:user/<username>"
}
Allowing an IAM entity to list, add or remove tags for a specific role
Add the following statement to the permissions policy of the IAM entity that needs to manage the role's tags. Replace <rolename> with the role's name.
{
    "Effect": "Allow",
    "Action": [
        "iam:ListRoleTags",
        "iam:TagRole",
        "iam:UntagRole"
    ],
    "Resource": "arn:aws:iam::<account-number>:role/<rolename>"
}
Alternatively, an AWS managed policy such as IAMFullAccess grants full access to IAM, including every tag action. That policy allows far more than tagging (creating users, attaching policies, and so on), so for a principal whose only job is to manage tags, prefer the scoped statements above.
How to Manage Tags on IAM Entities Using the Console?
You can manage the tags of IAM users and roles from the AWS Management Console.
Managing tags on users or roles using the console
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane, choose Roles or Users, then choose the name of the entity you want to edit.
- Choose the Tags tab and do one of the following:
- Choose Add tags if the entity has no tags yet.
- Choose Edit tags to manage the existing set of tags.
- Add or remove tags to complete the set, then choose Save changes.
How to Manage Tags on IAM Entities Using the CLI or API?
You can list, attach and remove tags on IAM users and roles with the AWS CLI or the IAM API.
Attaching tags to an IAM user
- CLI: aws iam tag-user
- API: TagUser
Listing the tags currently attached to an IAM user
- CLI: aws iam list-user-tags
- API: ListUserTags
Removing tags from an IAM user
- CLI: aws iam untag-user
- API: UntagUser
Attaching tags to an IAM role
- CLI: aws iam tag-role
- API: TagRole
Listing the tags currently attached to an IAM role
- CLI: aws iam list-role-tags
- API: ListRoleTags
Removing tags from an IAM role
- CLI: aws iam untag-role
- API: UntagRole
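The commands above are listed without their arguments. The script below is an added example, not from the AWS documentation, showing the full invocations for both users and roles: the shorthand --tags Key=...,Value=... syntax, the --tag-keys list used for removal, and a --query that prints the attached tags. The user name alice, the role name deploy and the AWS=echo dry-run switch are conventions of this example.

```shell
#!/bin/sh
# Added example, not from the AWS documentation: thin wrappers over the aws iam
# tag/list/untag commands listed above, for both users and roles. Set AWS=echo to
# print the commands instead of executing them. The caller needs the iam:Tag*,
# iam:Untag* and iam:List*Tags permissions from the policy statements above.
set -eu
AWS=${AWS:-aws}

# name_flag user|role: the --user-name / --role-name option the IAM commands take
name_flag() {
  case $1 in
    user) echo --user-name ;;
    role) echo --role-name ;;
    *) echo "kind must be user or role, got: $1" >&2; return 1 ;;
  esac
}

# iam_tag KIND NAME KEY VALUE: attaches one tag. Re-using a key that is already
# present overwrites its value, which is how a tag is edited. A value containing
# a comma would need the JSON form of --tags instead of this shorthand.
iam_tag() {
  flag=$(name_flag "$1") || return 1
  "$AWS" iam "tag-$1" "$flag" "$2" --tags "Key=$3,Value=$4"
}

# iam_list_tags KIND NAME: prints one "Key<TAB>Value" line per attached tag
iam_list_tags() {
  flag=$(name_flag "$1") || return 1
  "$AWS" iam "list-$1-tags" "$flag" "$2" --query 'Tags[].[Key,Value]' --output text
}

# iam_untag KIND NAME KEY...: removes every listed key
iam_untag() {
  flag=$(name_flag "$1") || return 1
  kind=$1 name=$2; shift 2
  "$AWS" iam "untag-$kind" "$flag" "$name" --tag-keys "$@"
}

# Walk-through on a user (hypothetical name passed on the command line): attach a
# multi-value team tag, overwrite it, list what is attached, then remove the tags.
demo() {
  iam_tag user "$1" team 'Engineering:QA'   # two teams in one value, ':' as separator
  iam_tag user "$1" costCenter 4711
  iam_tag user "$1" team Platform           # same key: replaces Engineering:QA
  iam_list_tags user "$1"
  iam_untag user "$1" team costCenter
}

# Usage: sh iam-tags.sh alice   (or: AWS=echo sh iam-tags.sh alice for a dry run)
if [ "$#" -gt 0 ]; then demo "$1"; fi
```

With AWS=echo the script prints each aws command instead of running it, which is a cheap way to review what a tagging job will do before granting it the iam:TagUser or iam:TagRole permissions it needs.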