Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Tagging IAM roles

You can use IAM tag key-value pairs to add custom attributes to an IAM role. For example, to add location information to a role, you can add the tag key location and the tag value us_wa_seattle. Or you could use three separate location tag key-value pairs: loc-country = us, loc-state = wa, and loc-city = seattle. You can use tags to control a role's access to resources or to control what tags can be attached to a role. To learn more about using tags to control access, see Controlling access to and for IAM users and roles using tags.

You can also use tags in Amazon STS to add custom attributes when you assume a role or federate a user. For more information, see Passing session tags in Amazon STS.

Permissions required for tagging IAM roles

You must configure permissions to allow an IAM role to tag other entities (users or roles). You can specify one or all of the following IAM tag actions in an IAM policy:

To allow an IAM role to add, list, or remove a tag for a specific user

Add the following statement to the permissions policy for the IAM role that needs to manage tags. Use your account number and replace <username> with the name of the user whose tags need to be managed. To learn how to create a policy using this example JSON policy document, see Creating policies using the JSON editor.

{
    "Effect": "Allow",
    "Action": [
        "iam:ListUserTags",
        "iam:TagUser",
        "iam:UntagUser"
    ],
    "Resource": "arn:aws-cn:iam::<account-number>:user/<username>"
}

To allow an IAM role to add a tag to a specific user

Add the following statement to the permissions policy for the IAM role that needs to add, but not remove, tags for a specific user.

To use this policy, replace <username> with the name of the user whose tags need to be managed. To learn how to create a policy using this example JSON policy document, see Creating policies using the JSON editor.

{
    "Effect": "Allow",
    "Action": [
        "iam:ListUserTags",
        "iam:TagUser"
    ],
    "Resource": "arn:aws-cn:iam::<account-number>:user/<username>"
}

To allow an IAM role to add, list, or remove a tag for a specific role

Add the following statement to the permissions policy for the IAM role that needs to manage tags. Replace <rolename> with the name of the role whose tags need to be managed. To learn how to create a policy using this example JSON policy document, see Creating policies using the JSON editor.

{
    "Effect": "Allow",
    "Action": [
        "iam:ListRoleTags",
        "iam:TagRole",
        "iam:UntagRole"
    ],
    "Resource": "arn:aws-cn:iam::<account-number>:role/<rolename>"
}

Alternatively, you can use an Amazon managed policy such as IAMFullAccess to provide full access to IAM.

Managing tags on IAM roles (console)

You can manage tags for IAM roles from the Amazon Web Services Management Console.

Managing tags on IAM roles (Amazon CLI or Amazon API)

You can list, attach, or remove tags for IAM roles. You can use the Amazon CLI or the Amazon API to manage tags for IAM roles.

For information about attaching tags to resources for other Amazon services, see the documentation for those services.

For information about using tags to set more granular permissions with IAM permissions policies, see IAM policy elements: Variables and tags.