Add tags for your private CA
Tags are words or phrases that act as metadata for identifying and organizing AWS resources. Each tag consists of a key and a value. You can use the AWS Private CA console, AWS Command Line Interface (AWS CLI), or the PCA API to add, view, or remove tags for private CAs.
You can add or remove custom tags for your private CA at any time. For example, you could tag private CAs with key-value pairs like Environment=Prod or Environment=Beta to identify which environment the CA is intended for.
For more information, see Create a Private CA.
Note
To attach tags to a private CA during the creation procedure, a CA administrator must first associate an inline IAM policy with the CreateCertificateAuthority action and explicitly allow tagging. For more information, see Tag-on-create: Attaching tags to a CA at the time of creation.
Other AWS resources also support tagging. You can assign the same tag to different resources to indicate that those resources are related. For example, you can assign a tag such as Website=example.com to your CA, the Elastic Load Balancing load balancer, and other related resources. For more information on tagging AWS resources, see Tagging your Amazon EC2 Resources in the Amazon EC2 User Guide.
The following basic restrictions apply to AWS Private CA tags:
- The maximum number of tags per private CA is 50.
- The maximum length of a tag key is 128 characters.
- The maximum length of a tag value is 256 characters.
- The tag key and value can contain the following characters: A-Z, a-z, and . : + = @ _ % - (hyphen).
- Tag keys and values are case-sensitive.
- The aws: and rds: prefixes are reserved for AWS use; you cannot add, edit, or delete tags whose key begins with aws: or rds:. Default tags that begin with aws: and rds: do not count against your tags-per-resource quota.
- If you plan to use your tagging schema across multiple services and resources, remember that other services might have different restrictions for allowed characters. Refer to the documentation for that service.
- AWS Private CA tags are not available for use in the Resource Groups and Tag Editor in the AWS Management Console.
You can tag a private CA from the AWS Private CA console or from the AWS CLI.
To tag a private CA (console)
- Sign in to your AWS account and open the AWS Private CA console at https://console.aws.amazon.com/acm-pca/home.
- On the Private certificate authorities page, choose your private CA from the list.
- In the details area below the list, choose the Tags tab. A list of existing tags is displayed.
- Choose Manage tags.
- Choose Add new tag.
- Type a key and value pair.
- Choose Save.
To tag a private CA (AWS CLI)
Use the tag-certificate-authority command to add tags to your private CA.
$ aws acm-pca tag-certificate-authority \
      --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
      --tags Key=Admin,Value=Alice
Use the list-tags command to list the tags for a private CA.
$ aws acm-pca list-tags \
      --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
      --max-results 10
Use the untag-certificate-authority command to remove tags from a private CA.
$ aws acm-pca untag-certificate-authority \
      --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
      --tags Key=Purpose,Value=Website
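The following is an added worked example, not code from this page or from AWS. It serves both the restrictions list above and the CLI commands: it checks a proposed tag set against the listed limits (50 tags, 128-character keys, 256-character values, the allowed character set, the reserved aws: and rds: prefixes) before any tag-certificate-authority call is made, flags keys that differ only in case (which the service treats as distinct tags), and renders the passing tags in the Key=...,Value=... shorthand the CLI uses and in the list of Key/Value objects the API takes. The character class is an assumption that encodes exactly the characters this page lists; the service's own validation is authoritative. The sample tag set is constructed.

```python
import re
from typing import Dict, List

# Limits and reserved prefixes as listed on this page.
MAX_TAGS = 50
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 256
RESERVED_PREFIXES = ("aws:", "rds:")
# Assumption: encodes only the character set the page lists
# (A-Z, a-z, and . : + = @ _ % -). Extend it if the service documents more.
ALLOWED_CHARS = re.compile(r"^[A-Za-z.:+=@_%-]*$")


def validate_tags(tags: Dict[str, str]) -> List[str]:
    """Return every restriction the tag set violates; an empty list means it passes."""
    problems: List[str] = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceeds the limit of {MAX_TAGS} per private CA")
    for key, value in tags.items():
        if not key:
            problems.append("tag key must not be empty")
        if len(key) > MAX_KEY_LEN:
            problems.append(f"key {key[:16]!r}... exceeds {MAX_KEY_LEN} characters")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"value for key {key!r} exceeds {MAX_VALUE_LEN} characters")
        if not ALLOWED_CHARS.match(key):
            problems.append(f"key {key!r} contains characters outside the allowed set")
        if not ALLOWED_CHARS.match(value):
            problems.append(f"value for key {key!r} contains characters outside the allowed set")
        if key.startswith(RESERVED_PREFIXES):
            problems.append(f"key {key!r} uses a prefix reserved for AWS (aws: or rds:)")
    return problems


def case_variant_keys(tags: Dict[str, str]) -> List[str]:
    """Keys are case-sensitive, so 'Environment' and 'environment' are two
    different tags; return the later variants, since they are usually a schema mistake."""
    seen: Dict[str, str] = {}
    variants: List[str] = []
    for key in tags:
        folded = key.lower()
        if folded in seen and seen[folded] != key:
            variants.append(key)
        seen.setdefault(folded, key)
    return variants


def to_cli_tags(tags: Dict[str, str]) -> str:
    """Render tags in the shorthand form used by --tags in the CLI commands above."""
    return " ".join(f"Key={k},Value={v}" for k, v in tags.items())


def to_api_tags(tags: Dict[str, str]) -> List[Dict[str, str]]:
    """Render tags as the list of {Key, Value} objects the TagCertificateAuthority API takes."""
    return [{"Key": k, "Value": v} for k, v in tags.items()]


if __name__ == "__main__":
    # Constructed sample tag set (not from the page): two valid tags, one reserved
    # prefix, and one value with a character outside the listed set.
    proposed = {"Environment": "Prod", "Admin": "Alice", "aws:owner": "x", "Note": "see#wiki"}
    for problem in validate_tags(proposed):
        print("reject:", problem)
    accepted = {k: v for k, v in proposed.items() if not validate_tags({k: v})}
    print("--tags", to_cli_tags(accepted))
    print(to_api_tags(accepted))
```

Run the checks before the CLI or API call rather than after: the service rejects the whole request on the first bad tag, so a local pass gives a complete list of problems in one go.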