Amazon Elastic Compute Cloud
CLI Reference (API Version 2015-10-01)



Adds or overwrites one or more tags for the specified resource or resources. Each resource can have a maximum of 10 tags. Each tag consists of a key and optional value. Tag keys must be unique per resource.

For more information, see Tagging Your Resources in the Amazon EC2 User Guide for Linux Instances.

The short version of this command is ec2addtag.


If you are using the AWS CLI, see create-tags instead.


ec2-create-tags resource_id [resource_id ...] --tag key[=value] [--tag key[=value] ...]




The IDs of one or more resources to tag.

Type: String

Default: None

Required: Yes

Example: ami-1a2b3c4d

--tag key or key=value

The key and optional value of the tag, separated by an equals sign (=). If you don't include a value, we set the value to an empty string.

If you're using the command line tools on a Windows system, you might need to use quotation marks (for example, "key=value"). If you're using Windows Powershell, you might need to use a second set of quotation marks, escaped with backticks (for example, "`"key=value`"").

Type: String

Default: None

Constraints: The maximum tag key length is 127 Unicode characters, and may not begin with aws:. The maximum tag value length is 255 Unicode characters. Tag keys and values are case-sensitive.

Required: Yes

Example: --tag "stack=Production"

Common Options


--region region

The region. Overrides the default region, the region specified by the EC2_URL environment variable, and the URL specified by the -U option.

Default: The region specified by the EC2_URL environment variable, or us-east-1 if EC2_URL isn't set.

-U, --url url

The uniform resource locator (URL) of the Amazon EC2 web service entry point.

Default: The endpoint specified by the EC2_URL environment variable, or if EC2_URL isn't set.

-O, --aws-access-key aws_access_key_id

Your access key ID. For more information, see Tell the Tools Who You Are.

Default: The value of the AWS_ACCESS_KEY environment variable. If AWS_ACCESS_KEY isn't set, you must specify this option.


-W, --aws-secret-key aws_secret_access_key

Your secret access key.

Default: The value of the AWS_SECRET_KEY environment variable. If AWS_SECRET_KEY isn't set, you must specify this option.


-T, --security-token delegation_token

The delegation token to pass along to the AWS request. This is only required when you are using temporary security credentials. For more information, see Using Temporary Security Credentials.

Default: The value of the AWS_DELEGATION_TOKEN environment variable (if set).

Example: -T AQoDYXdzEJr...<remainder of security token>

--connection-timeout timeout

The connection timeout, in seconds.

Example: --connection-timeout 30

--request-timeout timeout

The request timeout, in seconds.

Example: --request-timeout 45

-H, --headers

Includes column headers in the command output.


Shows empty columns as (nil).


Omits tags for tagged resources.


Displays internal debugging information. This can assist us when helping you troubleshooting problems.

-D, --auth-dry-run

Checks whether you have the required permissions for the command, without actually running the command. If you have the required permissions, the command returns DryRunOperation; otherwise, it returns UnauthorizedOperation.

-v, --verbose

Displays verbose output, including the API request and response on the command line. This is useful if you are building tools to talk directly to the Query API.


Reads arguments from standard input. This is useful when piping the output from one command to the input of another.

Example: ec2-describe-instances | grep stopped | cut -f 2 | ec2-start-instances -

-?, --help, -h

Displays usage information for the command.

Deprecated Options

We have deprecated the SOAP API for Amazon EC2. For more information, see SOAP Requests. From version onwards of the Amazon EC2 CLI tools, the private key (-K, --private-key) and X.509 certificate (-C, --cert) options are not supported. Use your access key ID (-O, --aws-access-key) and secret access key (-W, --aws-secret-key) instead. For more information, see Setting Up the Amazon EC2 CLI and AMI Tools.


-K, --private-key ec2_private_key

The private key to use when constructing requests to Amazon EC2.

Default: The value of the EC2_PRIVATE_KEY environment variable.


-C, --cert ec2_cert

The X.509 certificate to use when constructing requests to Amazon EC2.

Default: The value of the EC2_CERT environment variable.



This command returns a table that contains the following information:

  • The TAG identifier

  • The resource type identifier

  • The ID of the resource

  • The tag key

  • The tag value

Amazon EC2 command line tools display errors on stderr.


Example 1

This example command adds (or overwrites) two tags for an AMI and an instance. One of the tags contains just a key (webserver), with no value (we set the value to an empty string). The other tag consists of a key (stack) and value (Production).

PROMPT> ec2-create-tags ami-1a2b3c4d i-7d3e5a2f --tag webserver --tag "stack=Production"
TAG  image  ami-1a2b3c4d  webserver
TAG  image  ami-1a2b3c4d  stack  Production
TAG  instance  i-7d3e5a2f  webserver
TAG  instance  i-7d3e5a2f  stack  Production

Example 2

The following example changes the value of the stack tag for one of your AMIs from Production to Test.

PROMPT>  ec2-create-tags ami-1a2b3c4d  --tag "stack=Test"
TAG  ami-1a2b3c4d  image  stack  Test

Related Topics

Setting Up

IAM Policies

You can create an IAM policy to grant users permission to use this command. For more information, see IAM Policies for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.

Related Action