Jump to Content

This API Documentation is now deprecated

We are excited to announce our new API Documentation.

Class TagRoleCommandProtected

Adds one or more tags to an IAM role. The role can be a regular role or a service-linked role. If a tag with the same key name already exists, then that tag is overwritten with the new value.

A tag consists of a key name and an associated value. By assigning tags to your resources, you can do the following:

  • Administrative grouping and discovery - Attach tags to resources to aid in organization and search. For example, you could search for all resources with the key name Project and the value MyImportantProject. Or search for all resources with the key name Cost Center and the value 41200.

  • Access control - Include tags in IAM user-based and resource-based policies. You can use tags to restrict access to only an IAM role that has a specified tag attached. You can also restrict access to only those resources that have a certain tag attached. For examples of policies that show how to use tags to control access, see Control access using IAM tags in the IAM User Guide.

  • Cost allocation - Use tags to help track which individuals and teams are using which Amazon Web Services resources.

  • If any one of the tags is invalid or if you exceed the allowed maximum number of tags, then the entire request fails and the resource is not created. For more information about tagging, see Tagging IAM resources in the IAM User Guide.

  • Amazon Web Services always interprets the tag Value as a single string. If you need to store an array, you can store comma-separated values in the string. However, you must interpret the value in your code.

For more information about tagging, see Tagging IAM identities in the IAM User Guide.


Use a bare-bones client and the command you need to make an API call.

import { IAMClient, TagRoleCommand } from "@aws-sdk/client-iam"; // ES Modules import
// const { IAMClient, TagRoleCommand } = require("@aws-sdk/client-iam"); // CommonJS import
const client = new IAMClient(config);
const input = { // TagRoleRequest
RoleName: "STRING_VALUE", // required
Tags: [ // tagListType // required
{ // Tag
Key: "STRING_VALUE", // required
Value: "STRING_VALUE", // required
const command = new TagRoleCommand(input);
const response = await client.send(command);
// {};







ConcurrentModificationException (client fault)

The request was rejected because multiple requests to change this object were submitted simultaneously. Wait a few minutes and submit your request again.


InvalidInputException (client fault)

The request was rejected because an invalid or out-of-range value was supplied for an input parameter.


LimitExceededException (client fault)

The request was rejected because it attempted to create resources beyond the current Amazon Web Services account limits. The error message describes the limit exceeded.


NoSuchEntityException (client fault)

The request was rejected because it referenced a resource entity that does not exist. The error message describes the resource.


ServiceFailureException (server fault)

The request processing has failed because of an unknown error, exception or failure.



Base exception class for all service exceptions from IAM service.


To add a tag key and value to an IAM role

// The following example shows how to add tags to an existing role.
const input = {
"RoleName": "taggedrole",
"Tags": [
"Key": "Dept",
"Value": "Accounting"
"Key": "CostCenter",
"Value": "12345"
const command = new TagRoleCommand(input);
await client.send(command);
// example id: to-add-a-tag-key-and-value-to-an-iam-role-1506718791513