Using Amazon tags with S3 Access Grants - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using Amazon tags with S3 Access Grants

Tags in Amazon S3 Access Grants have similar characteristics to object tags in Amazon S3. Each tag is a key-value pair. The resources in S3 Access Grants that you can tag are S3 Access Grants instances, locations, and grants.


Tagging in S3 Access Grants uses different API operations than object tagging. S3 Access Grants uses the TagResource, UntagResource, and ListTagsForResource API operations, where a resource can be either an S3 Access Grants instance, a registered location, or an access grant.

Similar to object tags, the following limitations apply:

  • You can add tags to new S3 Access Grants resources when you create them, or you can add tags to existing resources.

  • You can associate up to 10 tags with a resource. If multiple tags are associated with the same resource, they must have unique tag keys.

  • A tag key can be up to 128 Unicode characters in length, and tag values can be up to 256 Unicode characters in length. Tags are internally represented in UTF-16. In UTF-16, characters consume either 1 or 2 character positions.

  • The keys and values are case sensitive.

For more information about tag restrictions, see User-defined tag restrictions in the Amazon Billing User Guide.

You can tag resources in S3 Access Grants by using the Amazon Command Line Interface (Amazon CLI), the Amazon S3 REST API, or the Amazon SDKs.

To install the Amazon CLI, see Installing the Amazon CLI in the Amazon Command Line Interface User Guide.

You can tag an S3 Access Grants resource when you create it or after you have created it. The following examples show how you tag or untag an S3 Access Grants instance. You can perform similar operations for registered locations and access grants.

To use the following example commands, replace the user input placeholders with your own information.

Example – Create an S3 Access Grants instance with tags
aws s3control create-access-grants-instance \ --account-id 111122223333 \ --profile access-grants-profile \ --region us-east-2 \ --tags Key=tagKey1,Value=tagValue1


{ "CreatedAt": "2023-10-25T01:09:46.719000+00:00", "AccessGrantsInstanceId": "default", "AccessGrantsInstanceArn": "arn:aws-cn:s3:us-east-2:111122223333:access-grants/default" }
Example – Tag an already created S3 Access Grants instance
aws s3control tag-resource \ --account-id 111122223333 \ --resource-arn "arn:aws-cn:s3:us-east-2:111122223333:access-grants/default" \ --profile access-grants-profile \ --region us-east-2 \ --tags Key=tagKey2,Value=tagValue2
Example – List tags for the S3 Access Grants instance
aws s3control list-tags-for-resource \ --account-id 111122223333 \ --resource-arn "arn:aws-cn:s3:us-east-2:111122223333:access-grants/default" \ --profile access-grants-profile \ --region us-east-2


{ "Tags": [ { "Key": "tagKey1", "Value": "tagValue1" }, { "Key": "tagKey2", "Value": "tagValue2" } ] }
Example – Untag the S3 Access Grants instance
aws s3control untag-resource \ --account-id 111122223333 \ --resource-arn "arn:aws-cn:s3:us-east-2:111122223333:access-grants/default" \ --profile access-grants-profile \ --region us-east-2 \ --tag-keys "tagKey2"

You can use the Amazon S3 API to tag, untag, or list tags for an S3 Access Grants instance, registered location, or access grant. For information about the REST API support for managing S3 Access Grants tags, see the following sections in the Amazon Simple Storage Service API Reference: