IAM: Add a specific tag to a user with a specific tag
This example shows how you might create an identity-based policy that allows adding the tag key Department, with the tag value Marketing, Development, or QualityAssurance, to an IAM user. That user must already carry the tag key-value pair JobFunction = Manager. Because the StringEquals condition operator compares case-sensitively, the existing tag value must use the same capitalization as the policy (Manager, not manager). You can use this policy to require that a manager belong to only one of three departments. This policy defines permissions for programmatic and console access. To use this policy, replace the placeholder values in the example policy with your own information. Then, follow the directions in create a policy or edit a policy.
The ListTagsForAllUsers statement allows the viewing of tags for all users in your account.
The first condition in the TagManagerWithSpecificDepartment statement uses the StringEquals condition operator. The condition returns true only if both of its key-value checks are true. The user to be tagged must already have the JobFunction=Manager tag (checked through iam:ResourceTag/JobFunction), and the request must include the Department tag key with one of the listed tag values (checked through aws:RequestTag/Department). If either context key is absent from the request, that check fails and the action is not allowed.
The second condition uses the ForAllValues:StringEquals condition operator. The condition returns true if all of the tag keys in the request match the key in the policy. This means that the only tag key in the request must be Department. Note that ForAllValues also returns true when the request carries no tag keys at all, so on its own it does not require that the Department key be present; in this policy the first condition covers that case, because aws:RequestTag/Department cannot match one of the listed values if the key is missing. For more information about using ForAllValues, see Multivalued context keys.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListTagsForAllUsers",
      "Effect": "Allow",
      "Action": [
        "iam:ListUserTags",
        "iam:ListUsers"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TagManagerWithSpecificDepartment",
      "Effect": "Allow",
      "Action": "iam:TagUser",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:ResourceTag/JobFunction": "Manager",
          "aws:RequestTag/Department": [
            "Marketing",
            "Development",
            "QualityAssurance"
          ]
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": "Department"
        }
      }
    }
  ]
}
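To see how the two conditions interact before attaching the policy, the following script evaluates the policy above against constructed TagUser requests. This is an added example, not AWS's policy evaluation engine and not part of the IAM documentation: it models only the pieces this policy uses (Allow/Deny effect, action matching, single-valued StringEquals, and the ForAllValues/ForAnyValue set prefixes), and build_context() is an assumption about how IAM populates iam:ResourceTag/*, aws:RequestTag/* and aws:TagKeys for a tagging call. The sample tag sets in the usage section are constructed for illustration.

```python
"""
Offline evaluator for the condition logic in the policy above (added example).

Not AWS's policy engine. Models only: Allow/Deny, action matching,
single-valued StringEquals, and the ForAllValues:/ForAnyValue: prefixes.
build_context() is an assumption about how IAM fills the condition context
for an iam:TagUser request.
"""

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListTagsForAllUsers",
            "Effect": "Allow",
            "Action": ["iam:ListUserTags", "iam:ListUsers"],
            "Resource": "*",
        },
        {
            "Sid": "TagManagerWithSpecificDepartment",
            "Effect": "Allow",
            "Action": "iam:TagUser",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:ResourceTag/JobFunction": "Manager",
                    "aws:RequestTag/Department": [
                        "Marketing",
                        "Development",
                        "QualityAssurance",
                    ],
                },
                "ForAllValues:StringEquals": {"aws:TagKeys": "Department"},
            },
        },
    ],
}


def _as_list(value):
    """Policy values may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_context(resource_tags, request_tags):
    """Assumed condition context for tagging a user.

    resource_tags: tags already on the target user  -> iam:ResourceTag/<key>
    request_tags:  tags supplied in the TagUser call -> aws:RequestTag/<key>
                   plus the multivalued aws:TagKeys (empty when no tags are sent)
    """
    ctx = {f"iam:ResourceTag/{k}": [v] for k, v in resource_tags.items()}
    ctx.update({f"aws:RequestTag/{k}": [v] for k, v in request_tags.items()})
    ctx["aws:TagKeys"] = list(request_tags)
    return ctx


def condition_matches(condition, ctx):
    """True when every operator block, and every key inside it, matches."""
    for operator, block in condition.items():
        if operator.startswith(("ForAllValues:", "ForAnyValue:")):
            set_op, base = operator.split(":", 1)
        else:
            set_op, base = None, operator
        if base != "StringEquals":
            raise NotImplementedError(f"operator {base} not modelled here")
        for key, expected in block.items():
            expected = _as_list(expected)
            actual = ctx.get(key, [])
            if set_op is None:
                # Single-valued: key must be present and equal (case-sensitively)
                # to one of the listed values. A missing key never matches.
                if len(actual) != 1 or actual[0] not in expected:
                    return False
            elif set_op == "ForAllValues":
                # Every request value must be in the policy set. An empty request
                # set (key absent) matches, so this alone cannot require a key.
                if not all(a in expected for a in actual):
                    return False
            else:  # ForAnyValue: at least one request value must be in the set
                if not any(a in expected for a in actual):
                    return False
    return True


def is_allowed(policy, action, resource_tags, request_tags):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    ctx = build_context(resource_tags, request_tags)
    allowed = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    manager = {"JobFunction": "Manager"}  # constructed sample tag sets
    print(is_allowed(POLICY, "iam:TagUser", manager, {"Department": "Marketing"}))  # True
    print(is_allowed(POLICY, "iam:TagUser", {"JobFunction": "manager"}, {"Department": "Marketing"}))  # False
    print(is_allowed(POLICY, "iam:TagUser", manager, {"Department": "Finance"}))  # False
    print(is_allowed(POLICY, "iam:TagUser", manager, {"Department": "Marketing", "Project": "x"}))  # False
    print(is_allowed(POLICY, "iam:TagUser", manager, {}))  # False
```

The second and last cases are the ones worth checking before you rely on such a policy: a user tagged JobFunction=manager (lowercase) is not treated as a manager because StringEquals is case-sensitive, and a request with no tags at all is refused by the StringEquals check on aws:RequestTag/Department even though ForAllValues by itself would accept the empty key set.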