TagCertificateAuthority - AWS Private Certificate Authority


Adds one or more tags to your private CA. Tags are labels that you can use to identify and organize your AWS resources. Each tag consists of a key and an optional value. You specify the private CA on input by its Amazon Resource Name (ARN). You specify the tag by using a key-value pair. You can apply a tag to just one private CA if you want to identify a specific characteristic of that CA, or you can apply the same tag to multiple private CAs if you want to filter for a common relationship among those CAs. To remove one or more tags, use the UntagCertificateAuthority action. Call the ListTags action to see what tags are associated with your CA.


To attach tags to a private CA during the creation procedure, a CA administrator must first associate an inline IAM policy with the CreateCertificateAuthority action and explicitly allow tagging. For more information, see Attaching tags to a CA at the time of creation.

Request Syntax

{ "CertificateAuthorityArn": "string", "Tags": [ { "Key": "string", "Value": "string" } ] }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.


The Amazon Resource Name (ARN) that was returned when you called CreateCertificateAuthority. This must be of the form:


Type: String

Length Constraints: Minimum length of 5. Maximum length of 200.

Pattern: arn:[\w+=/,.@-]+:acm-pca:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*

Required: Yes


List of tags to be associated with the CA.

Type: Array of Tag objects

Array Members: Minimum number of 1 item. Maximum number of 50 items.

Required: Yes

Response Elements

If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.


For information about the errors that are common to all actions, see Common Errors.


The requested Amazon Resource Name (ARN) does not refer to an existing resource.

HTTP Status Code: 400


The state of the private CA does not allow this action to occur.

HTTP Status Code: 400


The tag associated with the CA is not valid. The invalid argument is contained in the message field.

HTTP Status Code: 400


A resource such as a private CA, S3 bucket, certificate, audit report, or policy cannot be found.

HTTP Status Code: 400


You can associate up to 50 tags with a private CA. Exception information is contained in the exception message field.

HTTP Status Code: 400



This example illustrates one usage of TagCertificateAuthority.

Sample Request

POST / HTTP/1.1 Host: acm-pca.amazonaws.com Accept-Encoding: identity Content-Length: 180 X-Amz-Target: ACMPrivateCA.TagCertificateAuthority X-Amz-Date: 20180226T170330Z User-Agent: aws-cli/1.14.28 Python/2.7.9 Windows/8 botocore/1.8.32 Content-Type: application/x-amz-json-1.1 Authorization: AWS4-HMAC-SHA256 Credential=Access_Key_ID/20180226/AWS_Region/acm-pca/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-target, Signature=823508ca59a8620ec0981fada8b14a1b85e1db9938103e1fe2a7c394e70b1d0b { "CertificateAuthorityArn": "arn:aws:acm-pca:AWS_Region:AWS_Account:certificate-authority/12345678-1234-1234-1234-123456789012", "Tags": [{ "Key": "Bob", "Value": "DatabaseAdmin" }] }


This example illustrates one usage of TagCertificateAuthority.

Sample Response

This function does not return a value.

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: