Adding tags to your private CA - AWS Certificate Manager Private Certificate Authority

Adding tags to your private CA

Tags are words or phrases that act as metadata for identifying and organizing AWS resources. Each tag consists of a key and a value. You can use the ACM Private CA console, AWS Command Line Interface (AWS CLI), or the PCA API to add, view, or remove tags for private CAs.

You can add custom tags to your private CA at any time. For example, you could tag private CAs with key-value pairs like Environment=Prod or Environment=Beta to identify which environment the CA is intended for. You can add tags to a CA during creation or anytime after. For more information, see Create a Private CA.

Other AWS resources also support tagging. You can assign the same tag to different resources to indicate whether those resources are related. For example, you can assign a tag such as Website=example.com to your CA, the Elastic Load Balancing load balancer, and other related resources. For more information on tagging AWS resources, see Tagging your Amazon EC2 Resources in the Amazon EC2 User Guide for Linux Instances.

The following basic restrictions apply to ACM Private CA tags:

  • The maximum number of tags per private CA is 50.

  • The maximum length of a tag key is 128 characters.

  • The maximum length of a tag value is 256 characters.

  • The tag key and value can contain the following characters: A-Z, a-z, and .:+=@_%-(hyphen).

  • Tag keys and values are case-sensitive.

  • The aws: and rds: prefixes are reserved for AWS use; you cannot add, edit, or delete tags whose key begins with aws: or rds:. Default tags that begin with aws: and rds: do not count against your tags-per-resource quota.

  • If you plan to use your tagging schema across multiple services and resources, remember that other services might have different restrictions for allowed characters. Refer to the documentation for that service.

  • ACM Private CA tags are not available for use in the AWS Management Console' Resource Groups and Tag Editor in the AWS Management Console.

You can tag a private CA from the ACM Private CA Console, the AWS Command Line Interface (AWS CLI), or the ACM Private CA API.

To tag a private CA (console)

  1. Sign in to your AWS account and open the ACM Private CA console at https://console.aws.amazon.com/acm-pca/home.

  2. On the Private certificate authories page, choose your private CA from the list.

  3. In the details area below the list, choose the Tags tab. A list of existing tags is displayed.

  4. Choose Manage tags.

  5. Choose Add new tag.

  6. Type a key and value pair.

  7. Choose Save.

To tag a private CA (AWS CLI)

Use the tag-certificate-authority command to add tags to your private CA.

$ aws acm-pca tag-certificate-authority \ --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \ --tags Key=Admin,Value=Alice

Use the list-tags command to list the tags for a private CA.

$ aws acm-pca list-tags \ --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \ --max-results 10

Use the untag-certificate-authority command to remove tags from a private CA.

$ aws acm-pca untag-certificate-authority \ --certificate-authority-arn arn:aws:acm-pca:aregion:account:certificate-authority/CA_ID \ --tags Key=Purpose,Value=Website