AWS Management Console
Getting Started Guide (Version 1.0)

Obtaining Permissions for Resource Groups and Tag Editor

Note

This content describes legacy Resource Groups. For information about the new AWS Resource Groups service, see the AWS Resource Groups User Guide. The managed policies that are used for legacy Resource Groups, ResourceGroupsandTagEditorFullAccess and ResourceGroupsandTagEditorReadOnlyAccess, do not grant access to the new AWS Resource Groups service.

To make full use of Resource Groups and Tag Editor, you might need additional permissions to tag resources or to see a resource's tag keys and values. These permissions fall into two categories:

  • Permissions for individual services so that you can tag resources from those services and include them in resource groups

  • Permissions that are required to use the Resource Groups and Tag Editor consoles

If you need additional permissions, contact your administrator and request the permissions that you need.

If you are an administrator, you can provide permissions for your users by creating policies through the AWS Identity and Access Management (AWS IAM) service. You first create IAM users or groups, and then apply the policies with the permissions that they need. For general information about creating and attaching IAM policies, see Working with Policies.

Permissions for Individual Services

Important

This section describes permissions required for individual services if you want to tag resources from those services' consoles and APIs and include them in resource groups.

As explained in How Resource Groups Work, each resource group represents a collection of resources that share one or more tag keys or values. In order to add tags to a resource, you need the necessary permissions for the service that the resource belongs to. For example, if you want to tag Amazon EC2 instances, your administrator must give you permissions to the tagging actions in that service's API, such as those listed in the Amazon EC2 user guide.

In addition, to make full use of the Resource Groups feature, you need other permissions that allow you to access a service's console and interact with the resources there. For examples of such policies for Amazon EC2, see Example Policies for Working in the Amazon EC2 Console in the Amazon EC2 User Guide for Linux Instances.

Granting Permissions for Using Resource Groups and Tag Editor

Important

This section describes permissions that are required if you want to tag resources via the Resource Groups and Tag Editor consoles and the Resource Groups Tagging APIs.

If you want to tag resources that belong to AWS services from those services' individual consoles or APIs, see the preceding section, Permissions for Individual Services.

If you’re an administrator, you can grant permissions to others to use Resource Groups and Tag Editor. To do that, you create and attach IAM policies to users, groups, or roles. For information about creating and working with users, groups, and roles, see Identities (Users, Groups, and Roles) in the IAM User Guide. To attach a policy for Resource Groups and Tag Editor, see the following procedures.

Using AWS Managed Policies for Resource Groups and Tag Editor

The easiest way to attach a policy is to use one of the AWS managed policies found in the AWS Management Console. AWS provides a full-access policy as well as a read-only policy for the Resource Groups and Tag Editor services. For more information about managed IAM policies, see Managed Policies and Inline Policies in the IAM User Guide.

To attach a Resource Groups and Tag Editor policy to an IAM user or group

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the Filter: Policy Type search box, start typing ResourceGroupsandTagEditor to display the Resource Groups and Tag Editor policies.

  4. Select the check box next to the policy that you want:

    • ResourceGroupsandTagEditorReadOnlyAccess allows users to access and use Resource Groups and Tag Editor but does not allow them to edit tags in the Tag Editor.

    • ResourceGroupsandTagEditorFullAccess allows users complete use of all Resource Groups and Tag Editor features.

  5. Choose Policy Actions, and then choose Attach.

  6. Select the check box next to the name of each user or group that you want the policy to apply to, and then choose Attach policy.

Creating Your Own IAM Policies for Resource Groups and Tag Editor

If the built-in IAM policies (known as AWS managed policies) for Resource Groups and Tag Editor do not meet your needs, you can create your own. For information about creating IAM policies, see Overview of IAM Policies. Then use the following examples of IAM policies as a guide to creating the policies that you need.

The tag:GetResources permission is required to list resources that share a particular tag, such as when viewing a Resource Group or searching for resources in Tag Editor. You could grant this permission by using a policy like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "tag:GetResources",
      "Resource": "*"
    }
  ]
}

Additional permissions are required to get full use of the Resource Groups and Tag Editor consoles. The tag:GetTagKeys and tag:GetTagValues permissions allow you to see existing tag keys and values for resources in your account. You can grant both permissions by using a policy like the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tag:GetTagKeys",
        "tag:GetTagValues"
      ],
      "Resource": "*"
    }
  ]
}

To use these consoles to add and remove tags, you need the permissions in the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "tag:AddResourceTags",
        "tag:RemoveResourceTags",
        "tag:TagResources",
        "tag:UntagResources"
      ],
      "Resource": "*"
    }
  ]
}

Finally, the following policy ensures that users have access to all features of Resource Groups and Tag Editor.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "tag:*",
      "Resource": "*"
    }
  ]
}
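
When reviewing a custom policy for least privilege, it helps to check which of the permission sets above it actually grants once wildcards and explicit Deny statements are taken into account. The following Python sketch is an added example, not part of the AWS guide; the tier names (list, browse, edit), the function names, and the sample policy are hypothetical. It evaluates only Effect and Action, and ignores Resource, Condition, and NotAction.

```python
import json
import re

# Action sets copied from the policies on this page; tier names are example labels.
TIERS = {
    "list": ["tag:GetResources"],
    "browse": ["tag:GetTagKeys", "tag:GetTagValues"],
    "edit": ["tag:AddResourceTags", "tag:RemoveResourceTags",
             "tag:TagResources", "tag:UntagResources"],
}

# Constructed sample: broad Allow narrowed by an explicit Deny on tag removal.
SAMPLE_NO_REMOVE = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "tag:*", "Resource": "*"},
  {"Effect": "Deny", "Action": ["tag:Untag*", "tag:RemoveResourceTags"], "Resource": "*"}
]}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _patterns(policy, effect):
    # Collect Action patterns from every statement with the given Effect.
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == effect and "Action" in stmt:
            found.extend(_as_list(stmt["Action"]))
    return found

def granted_tiers(policy_json):
    """Return the sorted tier names whose actions the policy fully allows."""
    policy = json.loads(policy_json)
    allow, deny = _patterns(policy, "Allow"), _patterns(policy, "Deny")

    def permitted(action):
        # An explicit Deny overrides any Allow.
        if any(_matches(p, action) for p in deny):
            return False
        return any(_matches(p, action) for p in allow)

    return sorted(t for t, acts in TIERS.items() if all(permitted(a) for a in acts))

if __name__ == "__main__":
    print(granted_tiers(SAMPLE_NO_REMOVE))  # ['browse', 'list']
```

A tier is reported only when every action in it is allowed, so a policy that grants tag:TagResources but denies tag:UntagResources does not count as having edit access.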