AWS Management Console
Getting Started Guide (Version 1.0)

Obtaining Permissions for Resource Groups

To make full use of Resource Groups and Tag Editor, you might need additional permissions to tag resources as well as to see all of a resource's tag keys and values. These permissions fall into two categories:

  • Permissions for individual services so that you can tag resources from those services and include them in resource groups

  • Permissions that are required to use the Resource Groups and Tag Editor consoles

If you need additional permissions, contact your administrator and request the permissions you need.

If you are an administrator, you can provide permissions for your users by creating policies through the AWS Identity and Access Management (AWS IAM) service. You first create IAM users or groups and then apply the policies with the permissions they need. For general information about creating and attaching IAM policies, see Managing IAM Policies.

Permissions for Individual Services

As explained in How Resource Groups Work, each resource group represents a collection of resources that share one or more tag keys or values. In order to add tags to a resource, you need the necessary permissions for the service that the resource belongs to. For example, if you want to tag Amazon EC2 instances, your administrator must give you permissions to the tagging actions in that service's API, such as those listed in the Amazon EC2 user guide.

In addition, to make full use of the Resource Groups feature, you need other permissions that allow you to access a service's console and interact with the resources there. For examples of such policies for Amazon EC2, see Example Policies for Working in the Amazon EC2 Console in the Amazon EC2 User Guide for Linux Instances.

Permissions for Using the Resource Groups and Tag Editor Consoles

If you’re an administrator, you can use the IAM service to create users and groups and create and attach policies that provide access to Resource Groups and Tag Editor. For information about creating and working with users and groups, see IAM Users and Groups in the IAM User Guide.

Once you have created the users and groups that you need, you can create and attach policies that provide access to Resource Groups and Tag Editor.

Using AWS Managed Policies for Resource Groups and Tag Editor

The easiest way to do this is to use one of the AWS managed policies found in the AWS Management Console. You'll find a full-access policy as well as a read-only policy for these services. For more information on managed IAM policies, see Managed Policies and Inline Policies in the IAM User Guide.

To apply a Resource Groups and Tag Editor policy to an IAM user or group

  1. Sign in to the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, click Users or Groups, depending on how you want to apply the policy.

  3. In the list, click the user name or the group name that will receive the new policy.

  4. Under Permissions, click Attach Policy.

  5. In the Policy Type search box, start typing ResourceGroupsandTagEditor to display the Resource Groups and Tag Editor policies.

  6. Select the check box for the desired policy:

    • ResourceGroupsandTagEditorReadOnlyAccess allows users to access and use Resource Groups and Tag Editor but does not allow them to edit tags in the Tag Editor.

    • ResourceGroupsandTagEditorFullAccess allows users complete use of all Resource Groups and Tag Editor features.

  7. Click Attach Policy.

Creating Your Own IAM Policies for Resource Groups and Tag Editor

If the built-in IAM policies for Resource Groups and Tag Editor do not meet your needs, you can create your own. For information about creating IAM policies, see Overview of IAM Policies. Then use the following examples of IAM policies as a guide to creating the policies you need.

The tag:getResources permission is required to list resources that share a particular tag, such as when viewing a Resource Group or searching for resources in Tag Editor. You could grant this permission by using a policy like the following:

{   
    "Version" : "2012-10-17",   
    "Statement" : [{      
       "Effect" : "Allow",      
       "Action" : "tag:getResources",      
       "Resource" : "*"      
    }] 
}

Additional permissions are required to get full use of the Resource Groups and Tag Editor consoles. The tag:getTagKeys and tag:getTagValues permissions allow you to see existing tag keys and values for resources in your account. You can grant both permissions by using a policy like the following:

{
    "Version" : "2012-10-17",
    "Statement" : [{
       "Effect" : "Allow",
       "Action" : [
          "tag:getTagKeys",
          "tag:getTagValues"
       ],
       "Resource" : "*"
    }]
}

To use these consoles to add and remove tags, you need the permissions in the following policy:

{
    "Version" : "2012-10-17",
    "Statement" : [{
       "Effect" : "Allow",
       "Action" : [
          "tag:addResourceTags",
          "tag:removeResourceTags"
       ],
       "Resource" : "*"
    }]
}

Finally, the following policy ensures that users have access to all features of Resource Groups and Tag Editor.

{   
    "Version" : "2012-10-17",
    "Statement" : [{
       "Effect" : "Allow",
       "Action" : "tag:*",
       "Resource" : "*"
    }] 
}
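
To check which of these capabilities a custom policy actually grants before you attach it, the following added example (not part of the original guide) evaluates a policy document against the action names listed above. It assumes identity-based policies that use only Effect and Action; the function and capability names are hypothetical.

```python
import json
import re

# Action names as given on this page, grouped by the console capability they enable.
CAPABILITIES = {
    "list_tagged_resources": ["tag:getResources"],
    "view_tag_keys_values": ["tag:getTagKeys", "tag:getTagValues"],
    "edit_tags": ["tag:addResourceTags", "tag:removeResourceTags"],
}

def _as_list(value):
    """IAM accepts a single string or object where a list is also allowed."""
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action matching: case-insensitive, '*' = any run, '?' = one char."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _allowed(statements, action):
    """Explicit Deny wins over Allow. Resource, Condition and NotAction are
    not evaluated (assumption: simple policies like those on this page)."""
    verdict = False
    for stmt in statements:
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return False
            verdict = True
    return verdict

def tag_capabilities(policy_json):
    """Return {capability: bool}; a capability needs all of its actions."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    return {cap: all(_allowed(statements, a) for a in actions)
            for cap, actions in CAPABILITIES.items()}

# Constructed sample: wildcard allow with the edit actions denied again.
SAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "tag:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["tag:add*", "tag:remove*"], "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for cap, granted in tag_capabilities(SAMPLE).items():
        print(f"{cap}: {'granted' if granted else 'not granted'}")
```

A policy that reports edit_tags as granted gives the same tag-editing ability that separates the full-access managed policy from the read-only one.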