Tag resources on the bedrock-runtime endpoint Tag resources on the bedrock-mantle endpoint

Tagging Amazon Bedrock resources

To help you manage your Amazon Bedrock resources, you can assign metadata to each resource as tags. A tag is a label that you assign to an AWS resource. Each tag consists of a key and a value.

Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or application. For best practices and restrictions on tagging, see Tagging your AWS resources.

Tags help you to do the following:

Identify and organize your AWS resources. Many AWS resources support tagging, so you can assign the same tag to resources in different services to indicate that the resources are the same.
Allocate costs. You activate tags on the AWS Billing and Cost Management dashboard. AWS uses the tags to categorize your costs and deliver a monthly cost allocation report to you. For more information, see Use cost allocation tags in the AWS Billing and Cost Management User Guide.
Control access to your resources. You can use tags with Amazon Bedrock to create policies to control access to Amazon Bedrock resources. These policies can be attached to an IAM role or user to enable tag-based access control.

Topics

Tag resources on the bedrock-runtime endpoint
Tag resources on the bedrock-mantle endpoint

Tag resources on the `bedrock-runtime` endpoint

Resources created through the bedrock-runtime control plane (such as agents, knowledge bases, custom models, provisioned throughput, and flows) are tagged using dedicated tagging API operations.

Use the console

You can add, modify, and remove tags at any time while creating or editing a supported resource.

Use the API

To carry out tagging operations, you need the Amazon Resource Name (ARN) of the resource on which you want to carry out a tagging operation. There are two sets of tagging operations, depending on the resource for which you are adding or managing tags.

The following table summarizes the different use cases and the tagging operations to use for them:

Use case	Resource created with Amazon Bedrock API operation	Resource created with Amazon Bedrock Agents API operation	Resource created with Amazon Bedrock Data Automation API
Tag a resource	If the resource wasn't created yet, use the `tags` field when creating the resource. If the resource was already created, make a TagResource request with an Amazon Bedrock control plane endpoint.	If the resource wasn't created yet, use the `tags` field when creating the resource. If the resource was already created, make a TagResource request with an Agents for Amazon Bedrock build-time endpoint.	If the resource wasn't created yet, use the `tags` field when creating the resource. If the resource was already created, make a TagResource request with an Amazon Bedrock Data Automation Build time Endpoint.
Untag a resource	Make an UntagResource request with an Amazon Bedrock control plane endpoint.	Make an UntagResource request with an Agents for Amazon Bedrock build-time endpoint.	Make an UntagResource request with an Amazon Bedrock Data Automation Build time Endpoint.
List tags for a resource	Make a ListTagsForResource request with an Amazon Bedrock control plane endpoint.	Make a ListTagsForResource request with an Agents for Amazon Bedrock build-time endpoint.	Make a ListTagsForResource request with an Amazon Bedrock Data Automation Build time Endpoint.

Note

When viewing these operations in CloudTrail, you can identify the specific resource being tagged by checking the request parameters in the event details.

Choose a tab to see code examples in an interface or language.

Tag resources on the `bedrock-mantle` endpoint

The bedrock-mantle endpoint supports tagging projects, customized models, and reservations. Unlike the bedrock-runtime control plane, bedrock-mantle does not expose dedicated TagResource, UntagResource, or ListTagsForResource API operations. Instead, you set and read tags inline through the resource APIs.

Setting tags

Action	API call	Tag fields
Create a project with tags	`POST /v1/organization/projects`	`tags`
Add or remove tags on an existing project	`POST /v1/organization/projects/{project_id}`	`add_tags`, `remove_tag_keys`, `tags`
Create a customized model with tags	Customized-model create endpoint	`tags`
Update tags on a customized model	Customized-model update endpoint	`add_tags`, `remove_tag_keys`
Create a reservation with tags	Reservation create endpoint	`tags`
Update tags on a reservation	Reservation update endpoint	`add_tags`, `remove_tag_keys`

Tags are returned inline on Get and List responses for these resources.

IAM actions

Although there are no dedicated tagging endpoints, the following IAM actions are evaluated when you set, change, or read tags on bedrock-mantle resources. You can write IAM policies using these action names and the aws:RequestTag, aws:TagKeys, and aws:ResourceTag condition keys to control tag-based access.

bedrock-mantle:TagResource
bedrock-mantle:UntagResource
bedrock-mantle:ListTagsForResource

Example

The following example creates a project with two tags using curl:


curl -X POST https://bedrock-mantle.us-east-1.api.aws/v1/organization/projects \
    -H "Authorization: Bearer $BEDROCK_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "billing-experiments",
      "tags": {
        "department": "billing",
        "facing": "internal"
      }
    }'

The following example adds one tag and removes another from an existing project:


curl -X POST https://bedrock-mantle.us-east-1.api.aws/v1/organization/projects/proj_abc123 \
    -H "Authorization: Bearer $BEDROCK_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{
      "add_tags": { "owner": "alice" },
      "remove_tag_keys": ["facing"]
    }'

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

[Example] Create a rule to handle Amazon Bedrock state change events

CloudFormation