Tag an IAM user
📑 On this page
Part 85 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
IAM tags support inventory, automation, and attribute-based access control. They are not comments; policies can make decisions from them.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
aws iam tag-user \
--user-name "$USER_NAME" \
--tags Key=Environment,Value=training Key=Owner,Value=aws-zeroIAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam list-user-tags \
--user-name "$USER_NAME" \
--query "Tags[].{Key:Key,Value:Value}" \
--output tableRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam tag-user \
--user-name "$USER_NAME" \
--tags Key=Environment,Value=sandboxReusing an existing tag key updates its value.
Common mistake
Before changing a tag, check whether IAM policies use it in conditions. A metadata edit can change effective access in an ABAC design.
Cleanup
aws iam untag-user \
--user-name "$USER_NAME" \
--tag-keys Environment OwnerRemove only the tags introduced by this lesson.
Next, we will learn Query IAM user tags.