AWS Identity and Access Management
User Guide

IAM: Add a Specific Tag to a User With a Specific Tag

This example shows how you might create a policy that allows adding the tag key Department with the tag value Marketing, Development, or QualityAssurance to an IAM user. That user must already carry the tag key–value pair JobFunction = Manager (the comparison is case-sensitive, so manager would not match). You can use this policy to require that a manager belong to exactly one of three departments. The policy also grants the permissions needed to perform this action in the console. To use it, replace the example tag keys and tag values with your own.

The ListTagsForAllUsers statement allows listing the users in your account and viewing the tags of each of them.

The first condition in the TagManagerWithSpecificDepartment statement uses the StringEquals condition operator. Both key–value pairs in that block must match for the condition to be true: the user to be tagged must already have the JobFunction=Manager tag, and the request must include the Department tag key with one of the listed tag values.

The second condition uses the ForAllValues:StringEquals condition operator. The condition returns true only if every tag key in the request matches a key listed in the policy. Because the policy lists a single key, the only tag key the request may contain is Department; a request that also sets any other key, including JobFunction itself, is refused. ForAllValues also evaluates to true when the request contains no tag keys at all, but such a request still fails the aws:RequestTag/Department check in the first condition, so it is not allowed either. For more information about using ForAllValues, see Creating a Condition That Tests Multiple Key Values (Set Operations).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListTagsForAllUsers",
            "Effect": "Allow",
            "Action": [
                "iam:ListUserTags",
                "iam:ListUsers"
            ],
            "Resource": "*"
        },
        {
            "Sid": "TagManagerWithSpecificDepartment",
            "Effect": "Allow",
            "Action": "iam:TagUser",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:ResourceTag/JobFunction": "Manager",
                    "aws:RequestTag/Department": [
                        "Marketing",
                        "Development",
                        "QualityAssurance"
                    ]
                },
                "ForAllValues:StringEquals": {
                    "aws:TagKeys": "Department"
                }
            }
        }
    ]
}
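The following script is an added example, not part of the AWS documentation and not AWS's policy evaluation engine. It implements only the two condition operators the statement above uses (StringEquals on single-valued keys and ForAllValues:StringEquals on the multivalued aws:TagKeys key), builds the request context the way IAM populates it for an iam:TagUser call, and evaluates a few constructed requests to show which combinations of existing and requested tags the statement allows. The target users and tag sets are made up for illustration; real evaluation also considers other attached policies, explicit denies, permissions boundaries, and SCPs, none of which are modeled here.

```python
"""Offline check of the TagManagerWithSpecificDepartment statement.

Added example. Implements just enough of IAM condition semantics to show
how StringEquals and ForAllValues:StringEquals decide iam:TagUser requests
against the example policy. Not a general policy engine.
"""
import json

# The example policy from the page, embedded so the script runs offline.
POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListTagsForAllUsers", "Effect": "Allow",
     "Action": ["iam:ListUserTags", "iam:ListUsers"], "Resource": "*"},
    {"Sid": "TagManagerWithSpecificDepartment", "Effect": "Allow",
     "Action": "iam:TagUser", "Resource": "*",
     "Condition": {
       "StringEquals": {
         "iam:ResourceTag/JobFunction": "Manager",
         "aws:RequestTag/Department": ["Marketing", "Development", "QualityAssurance"]},
       "ForAllValues:StringEquals": {"aws:TagKeys": "Department"}}}
  ]
}
''')


def as_list(value):
    """Policy values may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def build_context(resource_tags, request_tags):
    """Build the request context IAM would see for iam:TagUser.

    resource_tags: tags already on the target user (iam:ResourceTag/<key>).
    request_tags:  tags in the TagUser call (aws:RequestTag/<key>, aws:TagKeys).
    Condition key names are case-insensitive in IAM, so they are lowercased;
    values keep their case because StringEquals is case-sensitive.
    """
    ctx = {}
    for key, value in resource_tags.items():
        ctx[f"iam:resourcetag/{key}".lower()] = value
    for key, value in request_tags.items():
        ctx[f"aws:requesttag/{key}".lower()] = value
    ctx["aws:tagkeys"] = list(request_tags.keys())  # multivalued key
    return ctx


def string_equals(ctx, key, policy_values):
    """Single-valued StringEquals: a missing context key never matches."""
    actual = ctx.get(key.lower())
    return actual is not None and actual in as_list(policy_values)


def for_all_values_string_equals(ctx, key, policy_values):
    """Set operator: every request value must be in the policy set.
    An empty request set vacuously matches, which is why the policy also
    needs the aws:RequestTag/Department check."""
    allowed = set(as_list(policy_values))
    return all(v in allowed for v in ctx.get(key.lower(), []))


OPERATORS = {
    "StringEquals": string_equals,
    "ForAllValues:StringEquals": for_all_values_string_equals,
}


def condition_matches(condition, ctx):
    """All operators, and all keys under each operator, must match (AND)."""
    for operator, pairs in condition.items():
        check = OPERATORS[operator]  # KeyError for operators not modeled here
        if not all(check(ctx, key, values) for key, values in pairs.items()):
            return False
    return True


def tag_user_allowed(resource_tags, request_tags, policy=POLICY):
    """True if some Allow statement for iam:TagUser matches the request."""
    ctx = build_context(resource_tags, request_tags)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "iam:TagUser" not in as_list(stmt["Action"]):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    manager = {"JobFunction": "Manager"}      # constructed target user
    engineer = {"JobFunction": "Engineer"}    # constructed target user
    cases = [
        ("manager gets Department=Marketing", manager, {"Department": "Marketing"}),
        ("manager gets Department=Finance", manager, {"Department": "Finance"}),
        ("manager gets Department plus Team", manager, {"Department": "Marketing", "Team": "Web"}),
        ("manager has JobFunction retagged", manager, {"JobFunction": "Manager"}),
        ("engineer gets Department=Marketing", engineer, {"Department": "Marketing"}),
        ("manager gets lowercase marketing", manager, {"Department": "marketing"}),
        ("manager with empty tag set", manager, {}),
    ]
    for label, have, want in cases:
        print(f"{'ALLOW' if tag_user_allowed(have, want) else 'DENY ':5}  {label}")
```

Only the first case is allowed. The others show the three ways a request fails: the requested Department value is not in the list (or differs only in case), the request carries a tag key other than Department, or the target user lacks JobFunction=Manager. Because the allowed key set is exactly {Department}, the policy cannot be used to change a user's JobFunction tag, which is what keeps the iam:ResourceTag check meaningful.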