Tagging Amazon IAM Identity Center resources - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Tagging Amazon IAM Identity Center resources

A tag is a custom attribute label that you add to an Amazon resource to make it easier to identify, organize, and search for resources. Each tag has two parts:

  • A tag key (for example, CostCenter, Environment, or Project). Tag keys can be up to 128 characters in length and are case sensitive.

  • A tag value (for example, 111122223333 or Production). Tag values can be up to 256 characters in length, and like tag keys, are case sensitive. You can set the value of a tag to an empty string, but you can't set the value of a tag to null. Omitting the tag value is the same as using an empty string.

Tags help you identify and organize your Amazon resources. Many Amazon services support tagging, so you can assign the same tag to resources from different services to indicate that the resources are related. For example, you can assign the same tag to a specific permission set in your instance of IAM Identity Center. For more information about tagging strategies, see Tagging Amazon Resources in the Amazon Web Services General Reference Guide and Tagging Best Practices.

In addition to identifying, organizing, and tracking your Amazon resources with tags, you can use tags in IAM policies to help control who can view and interact with your resources. To learn more about using tags to control access, see Controlling access to Amazon resources using tags in the IAM User Guide. For example, you can allow a user to update an IAM Identity Center permission set, but only if the IAM Identity Center permission set has an owner tag with a value of that user's name.
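The owner-tag policy described above, written out as an added example that is not part of the AWS documentation. OWNER_POLICY is an identity-based IAM policy that allows sso:UpdatePermissionSet only when the target permission set carries an owner tag equal to the caller's user name; is_allowed() is a deliberately small local evaluator, an assumption made here for illustration, that models only Allow/Deny, action wildcards and the StringEquals aws:ResourceTag/* condition (not resource ARN matching or the rest of IAM's evaluation logic), so that the behaviour of such a condition, including its case-sensitive comparison and its failure when the tag is absent, can be seen offline. The ${aws:username} variable resolves for IAM users; for other principal types a principal tag such as ${aws:PrincipalTag/owner} would be used instead.

```python
"""Tag-based access control for IAM Identity Center permission sets.

Added example; not code from the AWS documentation. The evaluator is a
simplification of IAM (assumption): it handles Effect, Action wildcards and
StringEquals on aws:ResourceTag/<key> only.
"""
import fnmatch
import re
from typing import Dict, List

OWNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UpdateOnlyOwnedPermissionSets",
            "Effect": "Allow",
            "Action": "sso:UpdatePermissionSet",
            # Permission set ARNs have the form
            # arn:aws:sso:::permissionSet/<instance-id>/<permission-set-id>;
            # the wildcard covers every permission set (resource matching is
            # not modelled by is_allowed below).
            "Resource": "arn:aws:sso:::permissionSet/*/*",
            "Condition": {
                # ${aws:username} is the caller's IAM user name (assumption:
                # the principal is an IAM user; otherwise use a principal tag).
                "StringEquals": {"aws:ResourceTag/owner": "${aws:username}"}
            },
        }
    ],
}

_VAR = re.compile(r"\$\{([^}]+)\}")
_RESOURCE_TAG_PREFIX = "aws:ResourceTag/"


def _substitute(value: str, request_context: Dict[str, str]) -> str:
    """Replace ${key} policy variables with values from the request context."""
    return _VAR.sub(lambda m: request_context.get(m.group(1), ""), value)


def _condition_holds(condition: Dict, resource_tags: Dict[str, str],
                     request_context: Dict[str, str]) -> bool:
    """Evaluate StringEquals on aws:ResourceTag/<key>; a missing tag fails."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for cond_key, expected in pairs.items():
            if not cond_key.startswith(_RESOURCE_TAG_PREFIX):
                raise NotImplementedError(f"condition key {cond_key} not modelled")
            tag_key = cond_key[len(_RESOURCE_TAG_PREFIX):]
            if tag_key not in resource_tags:
                return False  # no such tag on the resource: condition cannot match
            wanted = [expected] if isinstance(expected, str) else list(expected)
            # StringEquals is an exact, case-sensitive comparison.
            if resource_tags[tag_key] not in [_substitute(w, request_context) for w in wanted]:
                return False
    return True


def _actions(statement: Dict) -> List[str]:
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def is_allowed(policy: Dict, action: str, resource_tags: Dict[str, str],
               request_context: Dict[str, str]) -> bool:
    """True if some Allow statement matches and no matching Deny statement exists."""
    allowed = False
    for stmt in policy["Statement"]:
        # IAM action names match case-insensitively and may contain wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in _actions(stmt)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags, request_context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    ctx = {"aws:username": "alice"}  # constructed request context
    print(is_allowed(OWNER_POLICY, "sso:UpdatePermissionSet", {"owner": "alice"}, ctx))  # True
    print(is_allowed(OWNER_POLICY, "sso:UpdatePermissionSet", {"owner": "Alice"}, ctx))  # False
```

The second call shows why the case sensitivity of tag values matters for access control: a permission set tagged owner=Alice is not updatable by the user alice under this policy, and a permission set with no owner tag at all is updatable by nobody through this statement.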

Currently, you can apply tags to permission sets only. You can't apply tags to the corresponding roles that IAM Identity Center creates in Amazon Web Services accounts. You can use the IAM Identity Center console, the Amazon CLI, or the IAM Identity Center APIs to add, edit, or delete tags for a permission set.

The following sections provide more information about tags for IAM Identity Center.

Tag restrictions

The following basic restrictions apply to tags on IAM Identity Center resources:

  • The maximum number of tags that you can assign to a resource is 50.

  • The maximum key length is 128 Unicode characters.

  • The maximum value length is 256 Unicode characters.

  • Valid characters for a tag key and value are:

    a-z, A-Z, 0-9, space, and the following characters: _ . : / = + - and @

  • Keys and values are case sensitive.

  • Don't use aws: as a prefix for keys; it's reserved for Amazon use.
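A pre-flight check that applies the restrictions listed above before a tag set is sent to the API, as an added example that is not code from the AWS documentation. validate_tags() takes a list of {"Key": ..., "Value": ...} dictionaries (the shape assumed here for the sso-admin tag APIs) and returns a list of human-readable problems, so a deployment script can reject a bad tag set before it reaches IAM Identity Center; the reserved prefix is checked case-insensitively as a conservative choice, which is an assumption of this example rather than something the page states.

```python
"""Pre-flight validation of tags for IAM Identity Center permission sets.

Added example; not code from the AWS documentation. Limits and the allowed
character set come from the "Tag restrictions" list; the input shape
(list of Key/Value dictionaries) is an assumption.
"""
import re
from typing import Dict, List, Optional

MAX_TAGS_PER_RESOURCE = 50
MAX_KEY_LENGTH = 128       # Unicode characters
MAX_VALUE_LENGTH = 256     # Unicode characters
RESERVED_KEY_PREFIX = "aws:"
# Letters, digits, space and the documented symbols _ . : / = + - @ only.
ALLOWED_CHARS = re.compile(r"[A-Za-z0-9 _.:/=+\-@]*")


def validate_tags(tags: List[Dict[str, Optional[str]]]) -> List[str]:
    """Return a list of problems; an empty list means the tag set is acceptable."""
    problems: List[str] = []
    if len(tags) > MAX_TAGS_PER_RESOURCE:
        problems.append(
            f"{len(tags)} tags given; at most {MAX_TAGS_PER_RESOURCE} are allowed per resource"
        )
    seen = set()
    for index, tag in enumerate(tags):
        where = f"tag #{index + 1}"
        key = tag.get("Key")
        # An omitted value is the same as an empty string; an explicit null is not allowed.
        value = tag.get("Value", "")
        if not isinstance(key, str) or key == "":
            problems.append(f"{where}: key must be a non-empty string")
            continue
        if value is None:
            problems.append(f"{where} ({key}): value may be empty but not null")
            continue
        # Keys are case sensitive, so Owner and owner are two different keys;
        # only an exact repeat is a duplicate (a key appears once per resource).
        if key in seen:
            problems.append(f"{where} ({key}): duplicate key")
        seen.add(key)
        if len(key) > MAX_KEY_LENGTH:
            problems.append(f"{where} ({key[:20]}...): key longer than {MAX_KEY_LENGTH} characters")
        if len(value) > MAX_VALUE_LENGTH:
            problems.append(f"{where} ({key}): value longer than {MAX_VALUE_LENGTH} characters")
        # Conservative choice (assumption): treat AWS:, Aws: etc. as reserved too.
        if key.lower().startswith(RESERVED_KEY_PREFIX):
            problems.append(f"{where} ({key}): keys starting with {RESERVED_KEY_PREFIX} are reserved")
        if not ALLOWED_CHARS.fullmatch(key):
            problems.append(f"{where} ({key}): key contains characters outside the allowed set")
        if not ALLOWED_CHARS.fullmatch(value):
            problems.append(f"{where} ({key}): value contains characters outside the allowed set")
    return problems


if __name__ == "__main__":
    # Constructed sample: the tag set used in the CLI examples on this page.
    sample = [{"Key": "Stage", "Value": "Test"},
              {"Key": "CostCenter", "Value": "80432"},
              {"Key": "Owner", "Value": "SysEng"}]
    print(validate_tags(sample))                                   # []
    print(validate_tags([{"Key": "aws:team", "Value": "x#1"}]))    # two problems
```

Because the check runs locally it costs nothing to call on every change, and it surfaces problems such as a value containing a disallowed character or a reserved key prefix as a clear message rather than as an API error after the rest of the deployment has already proceeded.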

Manage tags by using the IAM Identity Center console

You can use the IAM Identity Center console to add, edit, and remove tags that are associated with your instance or permission sets.

To manage permission set tags in the IAM Identity Center console
  1. Open the IAM Identity Center console.

  2. Choose Permission sets.

  3. Choose the name of the permission set that has the tags you want to manage.

  4. On the Permissions tab, under Tags, do one of the following, and then proceed to the next step:

    1. If tags are already assigned for this permission set, choose Edit tags.

    2. If no tags are assigned to this permission set, choose Add tags.

  5. For each new tag, type the values in the Key and Value (optional) columns. When you are finished, choose Save changes.

To remove a tag, choose the X in the Remove column next to the tag that you want to remove.

To manage tags for an instance of IAM Identity Center
  1. Open the IAM Identity Center console.

  2. Choose Settings.

  3. Choose the Tags tab.

  4. For each tag, type the values in the Key and Value (optional) fields. When you are finished, choose the Add new tag button.

To remove a tag, choose the Remove button next to the tag that you want to remove.

Amazon CLI examples

The Amazon CLI provides commands that you can use to manage the tags that you assign to your permission set.

Assigning tags

Use the following commands to assign tags to your permission set.

Example tag-resource Command for a permission set

Assign tags to a permission set by using tag-resource within the sso-admin set of commands:

$ aws sso-admin tag-resource \
>     --instance-arn sso-instance-arn \
>     --resource-arn sso-resource-arn \
>     --tags Stage=Test

This command includes the following parameters:

  • instance-arn – The Amazon Resource Name (ARN) of the IAM Identity Center instance under which the operation will run.

  • resource-arn – The ARN of the resource (here, the permission set) that the tags are assigned to.

  • tags – The key-value pairs of the tags.

To assign multiple tags at once, specify them in a comma-separated list:

$ aws sso-admin tag-resource \
>     --instance-arn sso-instance-arn \
>     --resource-arn sso-resource-arn \
>     --tags Stage=Test,CostCenter=80432,Owner=SysEng

Viewing tags

Use the following commands to view the tags that you have assigned to your permission set.

Example list-tags-for-resource Command for a permission set

View the tags that are assigned to a permission set by using list-tags-for-resource within the sso-admin set of commands:

$ aws sso-admin list-tags-for-resource --resource-arn sso-resource-arn

Removing tags

Use the following commands to remove tags from a permission set.

Example untag-resource Command for a permission set

Remove tags from a permission set by using untag-resource within the sso-admin set of commands:

$ aws sso-admin untag-resource \
>     --instance-arn sso-instance-arn \
>     --resource-arn sso-resource-arn \
>     --tag-keys Stage CostCenter Owner

For the --tag-keys parameter, specify one or more tag keys, and do not include the tag values.

Applying tags when you create a permission set

Use the following commands to assign tags at the moment you create a permission set.

Example create-permission-set Command with tags

When you create a permission set by using the create-permission-set command, you can specify tags with the --tags parameter:

$ aws sso-admin create-permission-set \
>     --instance-arn sso-instance-arn \
>     --name permission-set-name \
>     --tags Stage=Test,CostCenter=80432,Owner=SysEng

Manage tags using the IAM Identity Center API

You can use the following actions in the IAM Identity Center API to manage the tags for your permission set.

API actions for IAM Identity Center instance tags

Use the following API actions to assign, view, and remove tags for a permission set or instance of IAM Identity Center.