Using Tags to Control Access to IAM Users and Trust Agencies
Tags can be attached to IAM resources or the principals that are making the request, or passed in the request.
An IAM user or trust agency can be both a resource and a principal.
For example, you can write an identity policy that only allows IAM users tagged type=employee to query the group membership. In this example, an IAM user can view all user groups under the account as long as the user is tagged type=employee.
To control access based on tags, you need to provide tag information in the Condition element of an identity policy. When creating an IAM identity policy, you can use IAM tags and associated tag condition keys to control access to any of the following:
- Resource: Control access to IAM users or trust agencies based on their tags. To do this, use g:ResourceTag/<tag-key> to specify which tag key-value pair must be attached to the resource.
- Request: If a tag is included in an API request (for example, when calling the API for tagging a resource during or after resource creation), the request carries g:RequestTag. To control which tags can be included, use the g:RequestTag/<tag-key> condition key to specify the tags that can be added to, modified on, or deleted from IAM users or trust agencies.
- Principal: Control what actions are allowed to be performed by the principal (IAM user or trust agency) based on the tags attached to the principal. To do this, use the g:PrincipalTag/<tag-key> condition key to specify the tags that must be attached to the principal to allow for the request.
- Authorization: Use the g:TagKeys condition key to control whether specific tag keys can be used in a request. If a tag is included in an API request (for example, when calling the API for tagging a resource during or after resource creation), the request carries g:TagKeys, which is the list of tag keys present in the request.
Controlling Access for IAM Principals
You can control what actions the principal is allowed to perform based on the tags attached to the principal.
The following example shows how to create an identity policy that allows IAM users or trust agencies tagged type=employee to view the group membership of the account:
{
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:users:listUsersV5"
        ],
        "Condition": {
            "StringEquals": {
                "g:PrincipalTag/type": [
                    "employee"
                ]
            }
        }
    }]
}
Controlling Tag Keys Added to IAM Users or Trust Agencies
You can use tags in IAM identity policies to control whether specific tag keys can be used in a request or by a principal.
The following example allows IAM users to create only tags whose key is visible:
{
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam::tagForResourceV5"
        ],
        "Condition": {
            "ForAnyValue:StringEquals": {
                "g:TagKeys": [
                    "visible"
                ]
            }
        }
    }]
}
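To make the four tag condition keys and the two sample policies above concrete, here is a small evaluator written for this page. It is an added example, not Huawei Cloud's policy engine or any code from the original documentation. It resolves g:PrincipalTag/<key>, g:ResourceTag/<key>, g:RequestTag/<key> and g:TagKeys from a request, applies StringEquals with the ForAnyValue and ForAllValues qualifiers, and runs both policies from this page plus a constructed ForAllValues variant. The evaluation rules it uses (deny by default, explicit Deny wins, a plain StringEquals key must be single-valued, ForAllValues is vacuously true when the request carries no tags) and the sample requests are assumptions made for the example; they follow the usual identity-policy model rather than anything stated on the page.

```python
"""Toy evaluator for tag-based conditions in IAM identity policies.

Constructed for illustration; this is not Huawei Cloud's policy engine.
It models the four condition-key families described on the page
(g:ResourceTag/<key>, g:RequestTag/<key>, g:PrincipalTag/<key>, g:TagKeys)
and the StringEquals operator with the ForAnyValue / ForAllValues
qualifiers. Deny-by-default, explicit-Deny-wins and the vacuous truth of
ForAllValues on an empty tag set are assumed, not taken from the page.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    action: str
    principal_tags: dict = field(default_factory=dict)  # tags on the caller
    resource_tags: dict = field(default_factory=dict)   # tags on the target user/agency
    request_tags: dict = field(default_factory=dict)    # tags passed in the API call


def context_values(req, key):
    """Resolve a condition key to the list of values it has in this request."""
    if key == "g:TagKeys":
        return list(req.request_tags)          # every tag key carried by the request
    prefix, _, tag_key = key.partition("/")
    source = {
        "g:PrincipalTag": req.principal_tags,
        "g:ResourceTag": req.resource_tags,
        "g:RequestTag": req.request_tags,
    }.get(prefix)
    if source is None or tag_key not in source:
        return []                              # key absent: the condition cannot match
    return [source[tag_key]]


def condition_matches(condition, req):
    """Every operator/key clause in the Condition block must hold."""
    for operator, clauses in condition.items():
        qualifier, _, base = operator.rpartition(":")
        if base != "StringEquals":
            raise ValueError(f"unsupported operator: {operator}")
        for key, allowed in clauses.items():
            ctx = context_values(req, key)
            hits = [v in allowed for v in ctx]
            if qualifier == "ForAnyValue":
                ok = any(hits)                  # at least one request value is allowed
            elif qualifier == "ForAllValues":
                ok = all(hits)                  # no request value outside the allowed list
            else:
                ok = len(ctx) == 1 and hits[0]  # single-valued key equals one listed value
            if not ok:
                return False
    return True


def is_allowed(policy, req):
    """Deny by default; an explicit Deny beats any Allow (assumed semantics)."""
    allowed = False
    for stmt in policy["Statement"]:
        if req.action not in stmt["Action"]:
            continue
        if not condition_matches(stmt.get("Condition", {}), req):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The two policies from the page, verbatim.
PRINCIPAL_TAG_POLICY = {
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:users:listUsersV5"],
        "Condition": {"StringEquals": {"g:PrincipalTag/type": ["employee"]}},
    }],
}
TAG_KEYS_POLICY = {
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam::tagForResourceV5"],
        "Condition": {"ForAnyValue:StringEquals": {"g:TagKeys": ["visible"]}},
    }],
}
# Constructed variant: ForAllValues refuses a request that mixes "visible"
# with any key outside the allowed list, which ForAnyValue would accept.
STRICT_TAG_KEYS_POLICY = {
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam::tagForResourceV5"],
        "Condition": {"ForAllValues:StringEquals": {"g:TagKeys": ["visible"]}},
    }],
}


def list_users_as(principal_tags):
    """Can a caller carrying these tags list users under the first policy?"""
    return is_allowed(PRINCIPAL_TAG_POLICY,
                      Request("iam:users:listUsersV5", principal_tags=principal_tags))


def tag_with(request_tags, policy=TAG_KEYS_POLICY):
    """Can a caller attach these tags under the given tag-key policy?"""
    return is_allowed(policy, Request("iam::tagForResourceV5", request_tags=request_tags))


if __name__ == "__main__":
    print("employee lists users:", list_users_as({"type": "employee"}))
    print("contractor lists users:", list_users_as({"type": "contractor"}))
    print("tag visible+secret (ForAnyValue):", tag_with({"visible": "1", "secret": "1"}))
    print("tag visible+secret (ForAllValues):",
          tag_with({"visible": "1", "secret": "1"}, STRICT_TAG_KEYS_POLICY))
```

The ForAnyValue clause in the page's second policy is satisfied as soon as one key in the request is visible, so a request that also carries an undeclared key passes; if the intent is to confine callers to the listed keys only, the ForAllValues qualifier in the constructed variant is the one to reach for, with the edge case that an empty tag set then matches vacuously under the semantics assumed here.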