Tag virtual MFA devices
You can use IAM tag key-value pairs to add custom attributes to a virtual MFA device. For example, to add cost center information for a user's virtual MFA device, you can add the tag key CostCenter and the tag value 1234. You can use tags to control access to resources or to control what tags can be attached to an object. To learn more about using tags to control access, see Controlling access to and for IAM users and roles using tags.
You can also use tags in Amazon STS to add custom attributes when you assume a role or federate a user. For more information, see Pass session tags in Amazon STS.
Permissions required for tagging virtual MFA devices
You must configure permissions to allow an IAM entity (user or role) to tag virtual MFA devices. You can specify one or all of the following IAM tag actions in an IAM policy:
- iam:ListMFADeviceTags
- iam:TagMFADevice
- iam:UntagMFADevice
To allow an IAM entity (user or role) to add, list, or remove a tag for a virtual MFA device
Add the following statement to the permissions policy for the IAM entity that needs to manage tags. Use your account number and replace <MFATokenID> with the name of the virtual MFA device whose tags need to be managed. To learn how to create a policy using this example JSON policy document, see Creating policies using the JSON editor.
{
  "Effect": "Allow",
  "Action": [
    "iam:ListMFADeviceTags",
    "iam:TagMFADevice",
    "iam:UntagMFADevice"
  ],
  "Resource": "arn:aws-cn:iam::<account-number>:mfa/<MFATokenID>"
}
To allow an IAM entity (user or role) to add a tag to a specific virtual MFA device
Add the following statement to the permissions policy for the IAM entity that needs to add, but not remove, tags for a specific MFA device.
Note
The iam:TagMFADevice action requires that you also include the iam:ListMFADeviceTags action.
To use this policy, replace <MFATokenID> with the name of the virtual MFA device whose tags need to be managed. To learn how to create a policy using this example JSON policy document, see Creating policies using the JSON editor.
{
  "Effect": "Allow",
  "Action": [
    "iam:ListMFADeviceTags",
    "iam:TagMFADevice"
  ],
  "Resource": "arn:aws-cn:iam::<account-number>:mfa/<MFATokenID>"
}
Alternatively, you can use an Amazon managed policy such as IAMFullAccess.
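The following Python is an added example, not code from this documentation page or from IAM itself. It assumes only the ARN format shown above (arn:aws-cn:iam::<account-number>:mfa/<MFATokenID>); the account number 123456789012 and the device name "alice" are constructed sample values. It builds both statements from this section (manage tags, and add-but-not-remove) scoped to a single named device, and it lints an existing policy document for the two things the section calls out: iam:TagMFADevice granted without iam:ListMFADeviceTags, and tag actions granted on every MFA device instead of the one whose tags need to be managed.

```python
"""Construct and lint IAM policy statements for virtual MFA device tagging.

Added example, not code from the AWS documentation page. It assumes only the
ARN format shown on the page (arn:aws-cn:iam::<account-number>:mfa/<MFATokenID>);
the account number 123456789012 and device name "alice" are constructed samples.
"""
import json
from fnmatch import fnmatchcase

MFA_TAG_ACTIONS = ("iam:ListMFADeviceTags", "iam:TagMFADevice", "iam:UntagMFADevice")


def mfa_device_arn(account_id: str, mfa_token_id: str, partition: str = "aws-cn") -> str:
    """Build the device ARN: arn:<partition>:iam::<account>:mfa/<name>."""
    if not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError("account_id must be a 12-digit string")
    if "/" in mfa_token_id or "*" in mfa_token_id:
        raise ValueError("mfa_token_id must name a single device")
    return f"arn:{partition}:iam::{account_id}:mfa/{mfa_token_id}"


def tagging_statement(account_id, mfa_token_id, allow_untag=True, partition="aws-cn"):
    """Least-privilege Allow statement scoped to one device.

    iam:ListMFADeviceTags is always included because iam:TagMFADevice requires
    it; allow_untag=False gives the 'add but not remove' variant.
    """
    actions = ["iam:ListMFADeviceTags", "iam:TagMFADevice"]
    if allow_untag:
        actions.append("iam:UntagMFADevice")
    return {
        "Effect": "Allow",
        "Action": actions,
        "Resource": mfa_device_arn(account_id, mfa_token_id, partition),
    }


def tagging_policy(account_id, mfa_token_id, allow_untag=True, partition="aws-cn"):
    """Wrap one statement in a complete policy document."""
    return {
        "Version": "2012-10-17",
        "Statement": [tagging_statement(account_id, mfa_token_id, allow_untag, partition)],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def _granted(action, patterns):
    # IAM action names match case-insensitively and may contain '*' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def lint_policy(policy: dict) -> list:
    """Return (statement_index, message) findings for MFA tag permissions.

    Checks: TagMFADevice granted without ListMFADeviceTags (the note above),
    and tag actions granted on all devices instead of a named one.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if _granted("iam:TagMFADevice", actions) and not _granted("iam:ListMFADeviceTags", actions):
            findings.append((i, "iam:TagMFADevice granted without iam:ListMFADeviceTags"))
        touches_tags = any(_granted(a, actions) for a in MFA_TAG_ACTIONS)
        broad = any(r == "*" or r.endswith(":mfa/*") for r in resources)
        if touches_tags and broad:
            findings.append((i, "MFA tag actions granted on all devices, not a named one"))
    return findings


if __name__ == "__main__":
    # Constructed sample values; substitute your account number and device name.
    print(json.dumps(tagging_policy("123456789012", "alice", allow_untag=False), indent=2))
    print(lint_policy({"Statement": {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}}))
```

Run it to print the add-only policy for a device named "alice" and the lint findings for a broad iam:* statement; point lint_policy at a policy document you already have (for example one loaded with json.load) to check it before attaching it.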
Managing tags on virtual MFA devices (Amazon CLI or Amazon API)
You can list, attach, or remove tags for a virtual MFA device. You can use the Amazon CLI or the Amazon API to manage tags for a virtual MFA device.
To list the tags currently attached to a virtual MFA device (Amazon CLI or Amazon API)
- Amazon CLI: aws iam list-mfa-device-tags
- Amazon API: ListMFADeviceTags
To attach tags to a virtual MFA device (Amazon CLI or Amazon API)
- Amazon CLI: aws iam tag-mfa-device
- Amazon API: TagMFADevice
To remove tags from a virtual MFA device (Amazon CLI or Amazon API)
- Amazon CLI: aws iam untag-mfa-device
- Amazon API: UntagMFADevice
For information about attaching tags to resources for other Amazon services, see the documentation for those services.
For information about using tags to set more granular permissions with IAM permissions policies, see IAM policy elements: Variables and tags.