Tag server certificates
If you use IAM to manage SSL/TLS certificates, you can tag server certificates in IAM using the Amazon CLI or Amazon API. For certificates in a Region supported by Amazon Certificate Manager (ACM), we recommend that you use ACM instead of IAM to provision, manage, and deploy your server certificates. In unsupported Regions, you must use IAM as a certificate manager. To learn which Regions ACM supports, see Amazon Certificate Manager endpoints and quotas in the Amazon Web Services General Reference.
You can use IAM tag key-value pairs to add custom attributes to a server certificate. For example, to add information about the owner or administrator of a server certificate, add the tag key owner and the tag value net-eng. Or you can specify a cost center by adding the tag key CostCenter and the tag value 1234. You can use tags to control access to resources or to control what tags can be attached to resources. To learn more about using tags to control access, see Controlling access to and for IAM users and roles using tags.
You can also use tags in Amazon STS to add custom attributes when you assume a role or federate a user. For more information, see Pass session tags in Amazon STS.
Permissions required for tagging server certificates
You must configure permissions to allow an IAM entity (user or role) to tag server certificates. You can specify one or all of the following IAM tag actions in an IAM policy:
- iam:ListServerCertificateTags
- iam:TagServerCertificate
- iam:UntagServerCertificate
To allow an IAM entity (user or role) to add, list, or remove a tag for a server certificate
Add the following statement to the permissions policy for the IAM entity that needs to manage tags. Use your account number and replace <CertificateName> with the name of the server certificate whose tags need to be managed. To learn how to create a policy using this example JSON policy document, see Creating policies using the JSON editor.
{
  "Effect": "Allow",
  "Action": [
    "iam:ListServerCertificateTags",
    "iam:TagServerCertificate",
    "iam:UntagServerCertificate"
  ],
  "Resource": "arn:aws-cn:iam::<account-number>:server-certificate/<CertificateName>"
}
To allow an IAM entity (user or role) to add a tag to a specific server certificate
Add the following statement to the permissions policy for the IAM entity that needs to add, but not remove, tags for a specific server certificate.
Note
The iam:TagServerCertificate action requires that you also include the iam:ListServerCertificateTags action.
To use this policy, replace <CertificateName> with the name of the server certificate whose tags need to be managed. To learn how to create a policy using this example JSON policy document, see Creating policies using the JSON editor.
{
  "Effect": "Allow",
  "Action": [
    "iam:ListServerCertificateTags",
    "iam:TagServerCertificate"
  ],
  "Resource": "arn:aws-cn:iam::<account-number>:server-certificate/<CertificateName>"
}
Alternatively, you can use an Amazon managed policy such as IAMFullAccess.
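As an added example that is not part of the Amazon documentation, the following Python builds the two statements shown above and checks the two points a policy reviewer looks for: that iam:TagServerCertificate is paired with iam:ListServerCertificateTags, and that Resource names one server certificate in the aws-cn partition rather than a wildcard. The account number, certificate name and function names are constructed assumptions.

```python
"""Added example (not Amazon's code): build and review the server-certificate
tagging statements shown on this page. The aws-cn partition and ARN shape come
from the page; the account number and certificate name are constructed."""
import re

PARTITION = "aws-cn"
TAG_ACTIONS = {"iam:ListServerCertificateTags", "iam:TagServerCertificate",
               "iam:UntagServerCertificate"}
# Resource shape on this page: arn:aws-cn:iam::<account-number>:server-certificate/<CertificateName>
SERVER_CERT_ARN = re.compile(
    rf"^arn:{PARTITION}:iam::(\d{{12}}):server-certificate/([\w+=,.@-]+)$"
)


def server_certificate_arn(account_id: str, certificate_name: str) -> str:
    """Compose the resource ARN for a single server certificate."""
    return f"arn:{PARTITION}:iam::{account_id}:server-certificate/{certificate_name}"


def tagging_statement(account_id: str, certificate_name: str, allow_untag: bool) -> dict:
    """Least-privilege statement: list and add tags, optionally remove them too."""
    actions = ["iam:ListServerCertificateTags", "iam:TagServerCertificate"]
    if allow_untag:
        actions.append("iam:UntagServerCertificate")
    return {
        "Effect": "Allow",
        "Action": actions,
        "Resource": server_certificate_arn(account_id, certificate_name),
    }


def check_policy(policy: dict) -> list:
    """Return findings for Allow statements that grant any tag action:
    TagServerCertificate must be paired with ListServerCertificateTags, and
    Resource must be a specific server-certificate ARN, not a wildcard."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if stmt.get("Effect") != "Allow" or not actions & TAG_ACTIONS:
            continue
        if "iam:TagServerCertificate" in actions and "iam:ListServerCertificateTags" not in actions:
            findings.append(f"statement {i}: TagServerCertificate without ListServerCertificateTags")
        resources = stmt.get("Resource", [])
        for arn in [resources] if isinstance(resources, str) else resources:
            if not SERVER_CERT_ARN.match(arn):
                findings.append(f"statement {i}: {arn!r} is not a single server-certificate ARN")
    return findings
```

Wrap the statements in a policy document with a Version key before attaching them; check_policy only inspects the Statement list.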
Managing tags on server certificates (Amazon CLI or Amazon API)
You can list, attach, or remove tags for server certificates. You can use the Amazon CLI or the Amazon API to manage tags for server certificates.
To list the tags currently attached to a server certificate (Amazon CLI or Amazon API)
- Amazon CLI: aws iam list-server-certificate-tags
- Amazon API: ListServerCertificateTags
To attach tags to a server certificate (Amazon CLI or Amazon API)
- Amazon CLI: aws iam tag-server-certificate
- Amazon API: TagServerCertificate
To remove tags from a server certificate (Amazon CLI or Amazon API)
- Amazon CLI: aws iam untag-server-certificate
- Amazon API: UntagServerCertificate
For information about attaching tags to resources for other Amazon services, see the documentation for those services.
For information about using tags to set more granular permissions with IAM permissions policies, see IAM policy elements: Variables and tags.