Tagging Amazon Cognito resources
A tag is a metadata label that you or AWS assigns to an AWS
resource. Each tag consists of a key and a value. For tags that you assign, you define the key and value.
For example, you might define the key as stage
and the value for one resource
as test
.
Tags help you do the following:
-
Identify and organize your AWS resources. Many AWS services support tagging, so that you can assign the same tag to resources from different services. This helps you indicate which resources are related. For example, you could assign the same tag to an Amazon Cognito user pool that you assign to an Amazon DynamoDB table.
-
Track your AWS costs. You can activate these tags on the AWS Billing and Cost Management dashboard. AWS uses cost allocation tags to categorize your costs and deliver a monthly cost allocation report to you. For more information, see Use cost allocation tags in the AWS Billing User Guide.
-
Control access to your resources based on the tags that are assigned to them. You can control access by specifying tag keys and values in the conditions for an AWS Identity and Access Management (IAM) policy. For example, you could allow a user to update a user pool only if the user pool has an
owner
tag with a value of that user's name. For more information, see Controlling access using tags in the IAM User Guide.
You can use the AWS Command Line Interface or the Amazon Cognito API to add, edit, or delete tags for both user and identity pools. You can also manage tags for user pools by using the Amazon Cognito console.
For tips on using tags, see the AWS
tagging strategies
The following sections provide more information about tags for Amazon Cognito.
Supported resources in Amazon Cognito
The following resources in Amazon Cognito support tagging:
-
User pools
-
Identity pools
Tag restrictions
The following restrictions apply to tags on Amazon Cognito resources:
-
Maximum number of tags that you can assign to a resource – 50
-
Maximum key length – 128 Unicode characters
-
Maximum value length – 256 Unicode characters
-
Valid characters for keys and values – a-z, A-Z, 0-9, space, and the following characters: _ . : / = + - @
-
Keys and values are case sensitive
-
Don't use
aws:
as a prefix for keys; it's reserved for AWS use
Managing tags using the Amazon Cognito console
You can use the Amazon Cognito console to manage the tags that are assigned to your user pools.
To add tags to a user pool
-
Navigate to the Amazon Cognito console
. If prompted, enter your AWS credentials. -
Choose User Pools.
-
Choose an existing user pool from the list, or create a user pool.
-
Choose the User pool properties tab and locate Tags.
-
Choose Add tags to add your first tag. If you have previously assigned tags to this user pool, in Manage tags, chose Add another.
-
Specify values for Tag Key and Tag Value.
-
For each additional tag that you want to add, choose Add another.
-
When you are finished adding tags, choose Save changes.
On the Manage tags page, you can also edit the keys and values of any existing tags. To remove a tag, choose Remove.
AWS CLI examples
The AWS CLI provides commands that help you manage the tags that you assign to your Amazon Cognito user pools and identity pools.
Assigning tags
Use the following commands to assign tags to your existing user pools and identity pools.
Example tag-resource
Command for user pools
Assign tags to a user pool by using tag-resource
within the cognito-idp
set
of commands:
$
aws cognito-idp tag-resource \>
--resource-arnuser-pool-arn
\>
--tagsStage=Test
This command includes the following parameters:
-
resource-arn
– The Amazon Resource Name (ARN) of the user pool that you are applying tags to. To look up the ARN, choose the user pool in the Amazon Cognito console, and view the Pool ARN value on the General settings tab. -
tags
– The key-value pairs of the tags, in the format
.key
=value
To assign multiple tags at once, specify them in a comma-separated list:
$
aws cognito-idp tag-resource \>
--resource-arnuser-pool-arn
\>
--tagsStage=Test,CostCenter=80432,Owner=SysEng
Example tag-resource
Command for identity pools
Assign tags to an identity pool by using tag-resource
within the
cognito-identity
set of commands:
$
aws cognito-identity tag-resource \>
--resource-arnidentity-pool-arn
\>
--tagsStage=Test
This command includes the following parameters:
-
resource-arn
– The Amazon Resource Name (ARN) of the identity pool that you are applying tags to. To look up the ARN, choose the identity pool in the Amazon Cognito console, and choose Edit identity pool. Then, at Identity pool ID, choose Show ARN. -
tags
– The key-value pairs of the tags, in the format
.key
=value
To assign multiple tags at once, specify them in a comma-separated list:
$
aws cognito-identity tag-resource \>
--resource-arnidentity-pool-arn
\>
--tagsStage=Test,CostCenter=80432,Owner=SysEng
Viewing tags
Use the following commands to view the tags that you have assigned to your user pools and identity pools.
Example list-tags-for-resource
Command for user pools
View the tags that are assigned to a user pool by using list-tags-for-resource
within the
cognito-idp
set of commands:
$
aws cognito-idp list-tags-for-resource --resource-arnuser-pool-arn
Example list-tags-for-resource
Command for identity pools
View the tags that are assigned to an identity pool by using list-tags-for-resource
within the
cognito-identity
set of commands:
$
aws cognito-identity list-tags-for-resource --resource-arnidentity-pool-arn
Removing tags
Use the following commands to remove tags from your user pools and identity pools.
Example untag-resource
Command for user pools
Remove tags from a user pool by using untag-resource
within the cognito-idp
set of commands:
$
aws cognito-idp untag-resource \>
--resource-arnuser-pool-arn
\>
--tag-keysStage CostCenter Owner
For the --tag-keys
parameter, specify one or more tag keys. Don't
include the tag values. Separate keys with spaces.
Example untag-resource
Command for identity pools
Remove tags from an identity pool by using untag-resource
within the
cognito-identity
set of commands:
$
aws cognito-identity untag-resource \>
--resource-arnidentity-pool-arn
\>
--tag-keysStage CostCenter Owner
For the --tag-keys
parameter, specify one or more tag keys. Don't
include the tag values.
Important
After you delete a user or identity pool, tags related to the deleted pool can still appear in the console or API calls for up to 30 days after deletion.
Applying tags when you create resources
Use the following commands to assign tags at the moment you create a user pool or identity pool.
Example create-user-pool
Command with tags
When you create a user pool by using the create-user-pool
command, you can specify tags
with the --user-pool-tags
parameter:
$
aws cognito-idp create-user-pool \>
--pool-nameuser-pool-name
\>
--user-pool-tagsStage=Test,CostCenter=80432,Owner=SysEng
Key-value pairs for tags must be in the format
.
If you are adding multiple tags, specify them in a comma-separated list.key
=value
Example create-identity-pool
Command with tags
When you create an identity pool by using the create-identity-pool
command, you can specify tags
with the --identity-pool-tags
parameter:
$
aws cognito-identity create-identity-pool \>
--identity-pool-nameidentity-pool-name
\>
--allow-unauthenticated-identities \>
--identity-pool-tagsStage=Test,CostCenter=80432,Owner=SysEng
Key-value pairs for tags must be in the format
.
If you are adding multiple tags, specify them in a comma-separated list.key
=value
Managing tags using the Amazon Cognito API
You can use the following actions in the Amazon Cognito API to manage the tags for your user pools and identity pools.
API actions for user pool tags
Use the following API actions to assign, view, and remove tags for user pools.
API actions for identity pool tags
Use the following API actions to assign, view, and remove tags for identity pools.