Tagging Amazon IAM Identity Center resources
A tag is a custom attribute label that you add to an Amazon resource to make it easier to identify, organize, and search for resources. Each tag has two parts:
- A tag key (for example, CostCenter, Environment, or Project). Tag keys can be up to 128 characters in length and are case sensitive.
- A tag value (for example, 111122223333 or Production). Tag values can be up to 256 characters in length and, like tag keys, are case sensitive. You can set the value of a tag to an empty string, but you can't set the value of a tag to null. Omitting the tag value is the same as using an empty string.
Tags help you identify and organize your Amazon resources. Many Amazon services support tagging, so you can assign the same tag to resources from different services to indicate that the resources are related. For example, you can assign a tag to a permission set in your IAM Identity Center instance and assign the same tag to resources in other services that belong to the same project or cost center. For more information about tagging strategies, see Tagging Amazon Resources in the Amazon Web Services General Reference Guide and Tagging Best Practices.
In addition to identifying, organizing, and tracking your Amazon resources with tags, you can use tags in IAM policies to help control who can view and interact with your resources. To learn more about using tags to control access, see Controlling access to Amazon resources using tags in the IAM User Guide. For example, you can allow a user to update an IAM Identity Center permission set, but only if the permission set has an owner tag with a value of that user's name.
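The policy described above, written out as an added example (it is not part of this documentation page). It assumes that sso:UpdatePermissionSet is evaluated against both the instance ARN and the permission set ARN, which is why the instance is allowed in its own statement without a tag condition; it uses the aws partition (adjust for your Region), a tag key spelled exactly owner (keys are case sensitive), and the ${aws:username} variable, which is populated only for IAM users. Verify the action, resource formats, and condition keys against the Service Authorization Reference before deploying.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInstanceScopeForUpdate",
      "Effect": "Allow",
      "Action": "sso:UpdatePermissionSet",
      "Resource": "arn:aws:sso:::instance/*"
    },
    {
      "Sid": "UpdateOnlyPermissionSetsTaggedWithMyName",
      "Effect": "Allow",
      "Action": "sso:UpdatePermissionSet",
      "Resource": "arn:aws:sso:::permissionSet/*/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/owner": "${aws:username}"
        }
      }
    }
  ]
}
```

Two points a reviewer should check before relying on this. First, the same principal must not also hold sso:TagResource or sso:UntagResource on permission sets, otherwise they can simply set the owner tag to their own name and bypass the condition; tag-writing permissions are part of the trust boundary whenever tags gate access. Second, for federated or role-based sessions (including sessions obtained through IAM Identity Center itself) ${aws:username} is not set, so compare against a principal tag such as ${aws:PrincipalTag/owner} instead.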
You can apply tags to permission sets and to your IAM Identity Center instance. You can't apply tags to the corresponding IAM roles that IAM Identity Center creates in Amazon Web Services accounts, so tag-based access control on those roles must be handled separately. You can use the IAM Identity Center console, the Amazon CLI, or the IAM Identity Center APIs to add, edit, or delete tags for a permission set.
The following sections provide more information about tags for IAM Identity Center.
Tag restrictions
The following basic restrictions apply to tags on IAM Identity Center resources:
- The maximum number of tags that you can assign to a resource is 50.
- The maximum key length is 128 Unicode characters.
- The maximum value length is 256 Unicode characters.
- Valid characters for a tag key and value are: a-z, A-Z, 0-9, space, and the following characters: _ . : / = + - and @
- Keys and values are case sensitive.
- Don't use aws: as a prefix for keys; it's reserved for Amazon use.
Manage tags by using the IAM Identity Center console
You can use the IAM Identity Center console to add, edit, and remove tags that are associated with your instance or permission sets.
To manage tags for a permission set in the IAM Identity Center console
- Open the IAM Identity Center console.
- Choose Permission sets.
- Choose the name of the permission set that has the tags you want to manage.
- On the Permissions tab, under Tags, do one of the following, and then proceed to the next step:
  - If tags are already assigned to this permission set, choose Edit tags.
  - If no tags are assigned to this permission set, choose Add tags.
- For each new tag, type the values in the Key and Value (optional) columns. When you are finished, choose Save changes.
  To remove a tag, choose the X in the Remove column next to the tag that you want to remove.
To manage tags for an instance of IAM Identity Center
- Open the IAM Identity Center console.
- Choose Settings.
- Choose the Tags tab.
- For each tag, type the values in the Key and Value (optional) fields. When you are finished, choose the Add new tag button.
  To remove a tag, choose the Remove button next to the tag that you want to remove.
Amazon CLI examples
The Amazon CLI provides commands that you can use to manage the tags that you assign to your permission set.
Assigning tags
Use the following commands to assign tags to your permission set.
Example tag-resource command for a permission set
Assign tags to a permission set by using tag-resource within the sso-admin set of commands. The --tags parameter takes a list of Key=...,Value=... pairs (the CLI shorthand for the Tag structure):
$ aws sso-admin tag-resource \
    --instance-arn sso-instance-arn \
    --resource-arn sso-resource-arn \
    --tags Key=Stage,Value=Test
This command includes the following parameters:
- instance-arn – The Amazon Resource Name (ARN) of the IAM Identity Center instance under which the operation will run.
- resource-arn – The ARN of the permission set to tag.
- tags – The tags to assign, each written as a Key=...,Value=... pair.
To assign multiple tags at once, specify several Key=...,Value=... pairs separated by spaces:
$ aws sso-admin tag-resource \
    --instance-arn sso-instance-arn \
    --resource-arn sso-resource-arn \
    --tags Key=Stage,Value=Test Key=CostCenter,Value=80432 Key=Owner,Value=SysEng
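The following script is an added example, not part of this documentation page, that ties the tag restrictions listed earlier to the tag-resource command above: it checks each tag against the count, length, character-set and reserved-prefix rules, converts KEY=VALUE arguments into the Key=...,Value=... shorthand the CLI expects, and only then calls aws sso-admin tag-resource. The instance ARN and permission set ARN are supplied by the caller; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the IAM Identity Center documentation): validate tags
# against the documented restrictions, build the CLI shorthand, then tag.

MAX_TAGS=50        # per resource; tags already on the resource count toward it
MAX_KEY_LEN=128
MAX_VALUE_LEN=256
# Glob that matches any string containing a character outside the allowed set
# (letters, digits, space, _ . : / = + - @), as listed on this page.
TAG_BAD_CHARS='*[!A-Za-z0-9 _.:/=+@-]*'

# valid_tag_key KEY -> exit 0 if KEY may be used as a tag key, 1 otherwise.
valid_tag_key() {
    key=$1
    [ -n "$key" ] || return 1                        # a key is mandatory
    [ "${#key}" -le "$MAX_KEY_LEN" ] || return 1
    # The reserved "aws:" prefix is rejected regardless of case.
    case $(printf '%s' "$key" | tr 'A-Z' 'a-z') in
        aws:*) return 1 ;;
    esac
    case $key in
        $TAG_BAD_CHARS) return 1 ;;
    esac
    return 0
}

# valid_tag_value VALUE -> exit 0 if VALUE is acceptable. The empty string is a
# valid value; omitting the value is the same as using an empty string.
valid_tag_value() {
    value=$1
    [ "${#value}" -le "$MAX_VALUE_LEN" ] || return 1
    case $value in
        $TAG_BAD_CHARS) return 1 ;;
    esac
    return 0
}

# tags_shorthand KEY=VALUE... -> prints one "Key=KEY,Value=VALUE" element per
# line, or fails with a message on stderr. One element per line (rather than
# space separated) keeps a value that itself contains a space intact.
tags_shorthand() {
    if [ "$#" -lt 1 ] || [ "$#" -gt "$MAX_TAGS" ]; then
        echo "tags_shorthand: expected 1..$MAX_TAGS tags, got $#" >&2
        return 1
    fi
    for pair in "$@"; do
        case $pair in
            *=*) ;;
            *) echo "tags_shorthand: '$pair' is not KEY=VALUE" >&2; return 1 ;;
        esac
        k=${pair%%=*}        # up to the first '='
        v=${pair#*=}         # everything after it ('=' is legal inside a value)
        valid_tag_key "$k"   || { echo "tags_shorthand: invalid key '$k'" >&2; return 1; }
        valid_tag_value "$v" || { echo "tags_shorthand: invalid value for '$k'" >&2; return 1; }
        printf 'Key=%s,Value=%s\n' "$k" "$v"
    done
}

# tag_permission_set INSTANCE_ARN PERMISSION_SET_ARN KEY=VALUE... -> validates
# the tags and runs `aws sso-admin tag-resource`. Needs the AWS CLI and
# credentials, so it is not exercised offline.
tag_permission_set() {
    instance_arn=$1
    resource_arn=$2
    shift 2
    shorthand=$(tags_shorthand "$@") || return 1
    # Rebuild the positional parameters with exactly one argument per tag.
    set --
    while IFS= read -r tag; do
        set -- "$@" "$tag"
    done <<EOF
$shorthand
EOF
    aws sso-admin tag-resource \
        --instance-arn "$instance_arn" \
        --resource-arn "$resource_arn" \
        --tags "$@"
}

# Usage: sh tag-permission-set.sh INSTANCE_ARN PERMISSION_SET_ARN Stage=Test Owner=SysEng
if [ "$#" -ge 3 ]; then
    tag_permission_set "$@"
fi
```

The local checks mirror what the service enforces, so a bad key fails before any API call and without consuming a request; they do not replace the service-side check, because the 50-tag limit is per resource and the script cannot see tags already present without a list-tags-for-resource call.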
Viewing tags
Use the following command to view the tags that you have assigned to your permission set.
Example list-tags-for-resource command for a permission set
View the tags that are assigned to a permission set by using list-tags-for-resource within the sso-admin set of commands. The instance ARN is required for this command as well:
$ aws sso-admin list-tags-for-resource \
    --instance-arn sso-instance-arn \
    --resource-arn sso-resource-arn
Removing tags
Use the following command to remove tags from a permission set.
Example untag-resource command for a permission set
Remove tags from a permission set by using untag-resource within the sso-admin set of commands:
$ aws sso-admin untag-resource \
    --instance-arn sso-instance-arn \
    --resource-arn sso-resource-arn \
    --tag-keys Stage CostCenter Owner
For the --tag-keys parameter, specify one or more tag keys separated by spaces, and do not include the tag values.
Applying tags when you create a permission set
Use the following command to assign tags at the moment you create a permission set.
Example create-permission-set command with tags
When you create a permission set by using the create-permission-set command, you can specify tags with the --tags parameter, using the same Key=...,Value=... shorthand as tag-resource:
$ aws sso-admin create-permission-set \
    --instance-arn sso-instance-arn \
    --name permission-set-name \
    --tags Key=Stage,Value=Test Key=CostCenter,Value=80432 Key=Owner,Value=SysEng
Manage tags using the IAM Identity Center API
You can use the following actions in the IAM Identity Center API to manage the tags for your permission sets and your IAM Identity Center instance.
API actions for IAM Identity Center tags
Use the following API actions to assign, view, and remove tags for a permission set or an instance of IAM Identity Center.