← All posts
2 min read

Tag an IAM user

#aws#cli#iam#security#identity
📑 On this page

Part 85 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

IAM tags support inventory, automation, and attribute-based access control. They are not comments; policies can make decisions from them.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

aws iam tag-user \
  --user-name "$USER_NAME" \
  --tags Key=Environment,Value=training Key=Owner,Value=aws-zero

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam list-user-tags \
  --user-name "$USER_NAME" \
  --query "Tags[].{Key:Key,Value:Value}" \
  --output table

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam tag-user \
  --user-name "$USER_NAME" \
  --tags Key=Environment,Value=sandbox

Reusing an existing tag key updates its value.

Common mistake

Before changing a tag, check whether IAM policies use it in conditions. A metadata edit can change effective access in an ABAC design.

Cleanup

aws iam untag-user \
  --user-name "$USER_NAME" \
  --tag-keys Environment Owner

Remove only the tags introduced by this lesson.

Next, we will learn Query IAM user tags.

Official AWS CLI reference