Tagging AWS IAM Identity Center (successor to AWS Single Sign-On) resources

A tag is a metadata label that you assign or that AWS assigns to an AWS resource. Each tag consists of a key and a value. For tags that you assign, you define the key and value. For example, you might define the key as stage and the value for one resource as test.

Tags help you do the following:

  • Identify and organize your AWS resources. Many AWS services support tagging, so you can assign the same tag to resources from different services to indicate that the resources are related. For example, you can assign the same tag to a specific permission set in your IAM Identity Center instance.

  • Track your AWS costs. You activate these tags on the AWS Billing and Cost Management dashboard. AWS uses the tags to categorize your costs and deliver a monthly cost allocation report to you. For more information, see Use cost allocation tags in the AWS Billing User Guide.

  • Control access to your resources based on the tags that are assigned to the resources. You control access by specifying tag keys and values in the conditions of an AWS Identity and Access Management (IAM) policy. For example, you can allow an IAM user to update an IAM Identity Center permission set, but only if that permission set has an owner tag whose value is the user's name. For more information, see Controlling access using tags in the IAM User Guide.

Currently, you can apply tags to permission sets only. You can't apply tags to the corresponding roles that IAM Identity Center creates in AWS accounts. You can use the IAM Identity Center console, the AWS CLI, or the IAM Identity Center APIs to add, edit, or delete tags for a permission set.

For tips on using tags, see the AWS tagging strategies post on the AWS Answers blog.

The following sections provide more information about tags for IAM Identity Center.

Tag restrictions

The following basic restrictions apply to tags on IAM Identity Center resources:

  • The maximum number of tags that you can assign to a resource is 50.

  • The maximum key length is 128 Unicode characters.

  • The maximum value length is 256 Unicode characters.

  • Valid characters for a tag key and value are:

    a-z, A-Z, 0-9, space, and the following characters: _ . : / = + - and @

  • Keys and values are case sensitive.

  • Don't use aws: as a prefix for keys; it's reserved for AWS use.
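The restrictions above are easy to check before a tag set reaches the console, CLI, or API. The following Python is an added example, not code from the AWS documentation: it applies each limit listed in this section to a dictionary of tags and also renders the tags in the comma-separated Key=Value form that the CLI --tags examples later on this page use. The case-insensitive check on the aws: prefix is a conservative choice of this example, not something the page states.

```python
import re
from typing import Dict, List

# Limits and character set exactly as listed under "Tag restrictions".
MAX_TAGS = 50
MAX_KEY_LEN = 128
MAX_VALUE_LEN = 256
ALLOWED = re.compile(r"^[A-Za-z0-9 _.:/=+\-@]*$")
RESERVED_PREFIX = "aws:"


def validate_tags(tags: Dict[str, str]) -> List[str]:
    """Return human-readable violations; an empty list means the tag set is acceptable.
    Keys are case sensitive, so 'Stage' and 'stage' are two distinct tags."""
    problems: List[str] = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceed the limit of {MAX_TAGS}")
    for key, value in tags.items():
        if not key:
            problems.append("empty tag key")
        if len(key) > MAX_KEY_LEN:
            problems.append(f"key {key[:16]!r}... is longer than {MAX_KEY_LEN} characters")
        if len(value) > MAX_VALUE_LEN:
            problems.append(f"value for {key!r} is longer than {MAX_VALUE_LEN} characters")
        if not ALLOWED.match(key):
            problems.append(f"key {key!r} contains characters outside the allowed set")
        if not ALLOWED.match(value):
            problems.append(f"value for {key!r} contains characters outside the allowed set")
        # The aws: prefix is reserved; this example rejects it case-insensitively (assumption).
        if key.lower().startswith(RESERVED_PREFIX):
            problems.append(f"key {key!r} uses the reserved {RESERVED_PREFIX} prefix")
    return problems


def to_cli_shorthand(tags: Dict[str, str]) -> str:
    """Render tags in the comma-separated Key=Value form used with --tags on the CLI."""
    return ",".join(f"{k}={v}" for k, v in tags.items())


if __name__ == "__main__":
    # Constructed sample tag sets: one valid, one violating three different rules.
    good = {"Stage": "Test", "CostCenter": "80432", "Owner": "SysEng"}
    bad = {"aws:managed": "yes", "Owner": "sys,eng", "x" * 129: ""}
    print(validate_tags(good))      # []
    print(to_cli_shorthand(good))   # Stage=Test,CostCenter=80432,Owner=SysEng
    print(validate_tags(bad))       # three violations: reserved prefix, bad character, key too long
```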

Manage tags by using the IAM Identity Center console

You can use the IAM Identity Center console to add, edit, and remove tags that are associated with your permission sets.

To manage tags for an IAM Identity Center permission set

  1. Open the IAM Identity Center console.

  2. Choose Permission sets.

  3. Choose the name of the permission set that has the tags you want to manage.

  4. On the Permissions tab, under Tags, do one of the following, and then proceed to the next step:

    1. If tags are already assigned for this permission set, choose Edit tags.

    2. If no tags are assigned to this permission set, choose Add tags.

  5. For each new tag, type the values in the Key and Value (optional) columns. When you are finished, choose Save changes.

To remove a tag, choose the X in the Remove column next to the tag that you want to remove.

AWS CLI examples

The AWS CLI provides commands that you can use to manage the tags that you assign to your permission set.

Assigning tags

Use the following commands to assign tags to your permission set.

Example tag-resource Command for a permission set

Assign tags to a permission set by using tag-resource within the sso set of commands:

$ aws sso tag-resource \
>     --instance-arn sso-instance-arn \
>     --resource-arn sso-resource-arn \
>     --tags Stage=Test

This command includes the following parameters:

  • instance-arn – The Amazon Resource Name (ARN) of the IAM Identity Center instance under which the operation will be executed.

  • resource-arn – The ARN of the resource whose tags are being managed; here, the permission set.

  • tags – The key-value pairs of the tags.

To assign multiple tags at once, specify them in a comma-separated list:

$ aws sso tag-resource \
>     --instance-arn sso-instance-arn \
>     --resource-arn sso-resource-arn \
>     --tags Stage=Test,CostCenter=80432,Owner=SysEng

Viewing tags

Use the following commands to view the tags that you have assigned to your permission set.

Example list-tags-for-resource Command for a permission set

View the tags that are assigned to a permission set by using list-tags-for-resource within the sso set of commands:

$ aws sso list-tags-for-resource \
>     --instance-arn sso-instance-arn \
>     --resource-arn sso-resource-arn

Removing tags

Use the following commands to remove tags from a permission set.

Example untag-resource Command for a permission set

Remove tags from a permission set by using untag-resource within the sso set of commands:

$ aws sso untag-resource \
>     --instance-arn sso-instance-arn \
>     --resource-arn sso-resource-arn \
>     --tag-keys Stage CostCenter Owner

For the --tag-keys parameter, specify one or more tag keys, and do not include the tag values.

Applying tags when you create a permission set

Use the following command to assign tags at the time you create a permission set.

Example create-permission-set Command with tags

When you create a permission set by using the create-permission-set command, you can specify tags with the --tags parameter:

$ aws sso create-permission-set \
>     --instance-arn sso-instance-arn \
>     --name permission-set-name \
>     --tags Stage=Test,CostCenter=80432,Owner=SysEng

Manage tags using the IAM Identity Center API

You can use the following actions in the IAM Identity Center API to manage the tags for your permission set.

API actions for IAM Identity Center instance tags

Use the following API actions to assign, view, and remove tags for a permission set.