# Working with domains in CodeArtifact
CodeArtifact *domains* make it easier to manage multiple repositories across an organization. You can use a domain to apply permissions across many repositories owned by different AWS accounts. An asset is stored only once in a domain, even if it's available from multiple repositories.
Although you can have multiple domains, we recommend a single production domain that contains all published artifacts so that your development teams can find and share packages. You can use a second preproduction domain to test changes to the production domain configuration.
These topics describe how to use the CodeArtifact console, the AWS CLI, and CloudFormation to create or configure CodeArtifact domains.
**Topics**
+ [Domain overview](domain-overview.md)
+ [Create a domain](domain-create.md)
+ [Delete a domain](delete-domain.md)
+ [Domain policies](domain-policies.md)
+ [Tag a domain](tag-domains.md)
# Domain overview
When you're working with CodeArtifact, domains are useful for the following:
+ **Deduplicated storage**: An asset only needs to be stored once in a domain, even if it's available in 1 or 1,000 repositories. That means you only pay for storage once.
+ **Fast copying**: When you pull packages from an upstream CodeArtifact repository into a downstream or use the [CopyPackageVersions API](copy-package.md), only metadata records must be updated. No assets are copied. This makes it fast to set up a new repository for staging or testing. For more information, see [Working with upstream repositories in CodeArtifact](repos-upstream.md).
+ **Easy sharing across repositories and teams**: All of the assets and metadata in a domain are encrypted with a single AWS KMS key (KMS key). You don't need to manage a key for each repository or grant multiple accounts access to a single key.
+ **Apply policy across multiple repositories**: The domain administrator can apply policy across the domain. This includes restricting which accounts have access to repositories in the domain, and who can configure connections to public repositories to use as sources of packages. For more information, see [Domain policies](domain-policies.md).
+ **Unique repository names**: The domain provides a namespace for repositories. Repository names only need to be unique within the domain. You should use meaningful names that are easy to understand.
Domain names must be unique within an account.
You cannot create a repository without a domain. When you use the [CreateRepository](create-repo.md) API to create a repository, you must specify a domain name. You cannot move a repository from one domain to another.
A repository can be owned by the same AWS account that owns the domain, or a different account. If the owning accounts are different, the repository-owning account must be granted the `CreateRepository` permission on the domain resource. You can do this by adding a resource policy to the domain using the [PutDomainPermissionsPolicy](domain-policies.md#set-domain-policy) command.
Although an organization can have multiple domains, the recommendation is to have a single production domain that contains all published artifacts so that development teams can find and share packages across their organization. A second pre-production domain can be useful for testing changes to the production domain configuration.
## Cross-account domains
Domain names only need to be unique within an account, which means there could be multiple domains within a region that have the same name. Because of this, if you want to access a domain that is owned by an account you are not authenticated to, you must provide the domain owner ID along with the domain name in both the CLI and the console. See the following CLI examples.
**Access a domain owned by an account you are authenticated to:**
When accessing a domain within the account you're authenticated to, you only need to specify the domain name. The following example lists packages in the *my\$1repo* repository in the *my\$1domain* domain that is owned by your account.
```
aws codeartifact list-packages --domain my_domain --repository my_repo
```
**Access a domain owned by an account that you are not authenticated to:**
When accessing a domain that is owned by an account that you're not authenticated to, you need to specify the domain owner as well as the domain name. The following example lists packages in the *other-repo* repository in the *other-domain* domain that is owned by an account that you are not authenticated to. Notice the addition of the `--domain-owner` parameter.
```
aws codeartifact list-packages --domain other-domain --domain-owner 111122223333 --repository other-repo
```
## Types of AWS KMS keys supported in CodeArtifact
CodeArtifact supports only [symmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#symmetric-cmks). You can't use an [asymmetric KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks) to encrypt your CodeArtifact domains. For more information, see [Identifying symmetric and asymmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html). To learn how to create a new customer managed key, see [Creating symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*.
CodeArtifact supports AWS KMS External Key Stores (XKS). You are responsible for the availability, durability, and latency of key operations with XKS keys, which can affect availability, durability, and latency with CodeArtifact. Some examples of effects of using XKS keys with CodeArtifact:
+ Because every asset of a requested package and all of its dependencies is subject to decryption latency, build latency can be increased substantially with an increase in XKS operation latency.
+ Because all assets are encrypted in CodeArtifact, a loss of XKS key materials will result in a loss of all assets associated with the domain using the XKS key.
For more information about XKS keys, see [External key stores](https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html) in the *AWS Key Management Service Developer Guide*.
# Create a domain
You can create a domain using the CodeArtifact console, the AWS Command Line Interface (AWS CLI), or CloudFormation. When you create a domain, it does not contain any repositories. For more information, see [Create a repository](create-repo.md). For more information about managing CodeArtifact domains with CloudFormation, see [Creating CodeArtifact resources with AWS CloudFormation](cloudformation-codeartifact.md).
**Topics**
+ [Create a domain (console)](#create-domain-console)
+ [Create a domain (AWS CLI)](#create-domain-cli)
+ [Example AWS KMS key policy](#create-domain-kms-key-policy-example)
## Create a domain (console)
1. Open the AWS CodeArtifact console at [https://console.aws.amazon.com/codesuite/codeartifact/home](https://console.aws.amazon.com/codesuite/codeartifact/home).
1. In the navigation pane, choose **Domains**, and then choose **Create domain**.
1. In **Name**, enter a name for your domain.
1. Expand **Additional configuration**.
1. Use an AWS KMS key (KMS key) to encrypt all assets in your domain. You can use an AWS managed KMS key or a KMS key that you manage. For more information about the supported types of KMS keys in CodeArtifact, see [Types of AWS KMS keys supported in CodeArtifact](domain-overview.md#domain-overview-supported-kms-keys).
+ Choose **AWS managed key** if you want to use the default AWS managed key.
+ Choose **Customer managed key** if you want to use a KMS key that you manage. To use a KMS key that you manage, in **Customer managed key ARN**, search for and choose the KMS key.
For more information, see [AWS managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) and [Customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*.
1. Choose **Create domain**.
## Create a domain (AWS CLI)
To create a domain with the AWS CLI, use the `create-domain` command. You must use an AWS KMS key (KMS key) to encrypt all assets in your domain. You can use an AWS managed KMS key or a KMS key that you manage. If you use an AWS managed KMS key, do not use the `--encryption-key` parameter.
For more information about the supported types of KMS keys in CodeArtifact, see [Types of AWS KMS keys supported in CodeArtifact](domain-overview.md#domain-overview-supported-kms-keys). For more information about KMS keys, see [AWS managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk) and [Customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*.
```
aws codeartifact create-domain --domain my_domain
```
JSON-formatted data appears in the output with details about your new domain.
```
{
"domain": {
"name": "my_domain",
"owner": "111122223333",
"arn": "arn:aws:codeartifact:us-west-2:111122223333:domain/my_domain",
"status": "Active",
"encryptionKey": "arn:aws:kms:us-west-2:111122223333:key/your-kms-key",
"repositoryCount": 0,
"assetSizeBytes": 0,
"createdTime": "2020-10-12T16:51:18.039000-04:00"
}
}
```
If you use a KMS key that you manage, include its Amazon Resource Name (ARN) with the `--encryption-key` parameter.
```
aws codeartifact create-domain --domain my_domain --encryption-key arn:aws:kms:us-west-2:111122223333:key/your-kms-key
```
JSON-formatted data appears in the output with details about your new domain.
```
{
"domain": {
"name": "my_domain",
"owner": "111122223333",
"arn": "arn:aws:codeartifact:us-west-2:111122223333:domain/my_domain",
"status": "Active",
"encryptionKey": "arn:aws:kms:us-west-2:111122223333:key/your-kms-key",
"repositoryCount": 0,
"assetSizeBytes": 0,
"createdTime": "2020-10-12T16:51:18.039000-04:00"
}
}
```
### Create a domain with tags
To create a domain with tags, add the `--tags` parameter to your `create-domain` command.
```
aws codeartifact create-domain --domain my_domain --tags key=k1,value=v1 key=k2,value=v2
```
## Example AWS KMS key policy
When you create a domain in CodeArtifact, you use a KMS key to encrypt all assets in the domain. You can choose an AWS managed KMS key, or a customer managed key that you manage. For more information about KMS keys, see the [AWS Key Management Service Developer Guide](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html).
To use a customer managed key, your KMS key must have a key policy that grants access to CodeArtifact. A key policy is a resource policy for an AWS KMS key and are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it.
The following example key policy statement allows AWS CodeArtifact to create grants and view key details on behalf of authorized users. This policy statement limits the permission to CodeArtifact acting on the specified account ID’s behalf by using the `kms:ViaService` and `kms:CallerAccount` condition keys. It also grants all AWS KMS permissions to the IAM root user, so the key can be managed after it is created.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Id": "key-consolepolicy-3",
"Statement": [
{
"Sid": "Allow access through AWS CodeArtifact for all principals in the account that are authorized to use CodeArtifact",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "111122223333",
"kms:ViaService": "codeartifact.us-west-2.amazonaws.com"
}
}
},
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}
```
------
# Delete a domain
You can delete a domain using the CodeArtifact console or the AWS Command Line Interface (AWS CLI).
**Topics**
+ [Restrictions on domain deletion](#delete-domain-restrictions)
+ [Delete a domain (console)](#delete-domain-console)
+ [Delete a domain (AWS CLI)](#delete-domain-cli)
## Restrictions on domain deletion
Normally, you can't delete a domain that contains repositories. Before you delete the domain, you must first delete its repositories. For more information, see [Delete a repository](delete-repo.md).
However, if CodeArtifact no longer has access to the domain's KMS key, you can delete the domain even if it still contains repositories. This situation will occur if you delete the domain's KMS key or revoke the [KMS grant](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) that CodeArtifact uses to access the key. In this state, you cannot access the repositories in the domain or the packages stored in them. Listing and deleting of repositories is also not possible when CodeArtifact cannot access the domain's KMS key. For this reason, domain deletion doesn't check whether the domain contains repositories when the domain's KMS key is inaccessible.
**Note**
When a domain that still contains repositories is deleted, CodeArtifact will asynchronously delete the repositories within 15 minutes. After the domain is deleted, the repositories will still be visible in the CodeArtifact console and in the output of the `list-repositories` command until the automatic repository cleanup occurs.
## Delete a domain (console)
1. Open the AWS CodeArtifact console at [https://console.aws.amazon.com/codesuite/codeartifact/home](https://console.aws.amazon.com/codesuite/codeartifact/home).
1. In the navigation pane, choose **Domains**, then choose the domain that you want to delete.
1. Choose **Delete**.
## Delete a domain (AWS CLI)
Use the **delete-domain** command to delete a domain.
```
aws codeartifact delete-domain --domain my_domain --domain-owner 111122223333
```
JSON-formatted data appears in the output with details about the deleted domain.
```
{
"domain": {
"name": "my_domain",
"owner": "111122223333",
"arn": "arn:aws:codeartifact:us-west-2:111122223333:domain/my_domain",
"status": "Active",
"encryptionKey": "arn:aws:kms:us-west-2:111122223333:key/your-kms-key",
"repositoryCount": 0,
"assetSizeBytes": 0,
"createdTime": "2020-10-12T16:51:18.039000-04:00"
}
}
```
# Domain policies
CodeArtifact supports using resource-based permissions to control access. Resource-based permissions let you specify who has access to a resource and which actions they can perform on it. By default, only the AWS account that owns the domain can create and access repositories in the domain. You can apply a policy document to a domain to allow other IAM principals to access it.
For more information, see [Policies and Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [Identity-Based Policies and Resource-Based Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html).
**Topics**
+ [Enable cross-account access to a domain](#enabling-cross-acount-access-to-a-domain)
+ [Domain policy example](#domain-policy-example)
+ [Domain policy example with AWS Organizations](#domain-policy-example-with-aws-organizations)
+ [Set a domain policy](#set-domain-policy)
+ [Read a domain policy](#reading-a-domain-policy)
+ [Delete a domain policy](#deleting-a-domain-policy)
## Enable cross-account access to a domain
A resource policy is a text file in JSON format. The file must specify a principal (actor), one or more actions, and an effect (`Allow` or `Deny`). To create a repository in a domain owned by another account, the principal must be granted the `CreateRepository` permission on the *domain* resource.
For example, the following resource policy grants the account `123456789012` permission to create a repository in the domain.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"codeartifact:CreateRepository"
],
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Resource": "*"
}
]
}
```
------
To allow creating repositories with tags, you must include the `codeartifact:TagResource` permission. This will also give the account access to add tags to the domain and all repositories in it.
The domain policy is evaluated for all operations against the domain and all resources within the domain. This means the domain policy may be used to apply permissions to repositories and packages in the domain. When the `Resource` element is set to `*`, then the statement applies to all resources in the domain. For example, if the policy above also included `codeartifact:DescribeRepository` in the list of allowed IAM actions, then the policy would allow calling `DescribeRepository` on every repository in the domain. A domain policy may be used to apply permissions to specific resources in the domain by using specific resource ARNs in the `Resource` element.
**Note**
Both domain and repository policies may be used to configure permissions. When both policies are present, then both policies will be evaluated and an action is allowed if allowed by either policy. For more information, see [Interaction between repository and domain policies](repo-policies.md#interaction-repo-domain-policies).
To access packages in a domain owned by another account, a principal must be granted the `GetAuthorizationToken` permission on the *domain resource*. This allows the domain owner to exercise control over which accounts can read the contents of repositories in the domain.
For example, the following resource policy grants the account `123456789012` permission to retrieve an auth token for any repository in the domain.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"codeartifact:GetAuthorizationToken"
],
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Resource": "*"
}
]
}
```
------
**Note**
A principal who wants to fetch packages from a repository endpoint must be granted the `ReadFromRepository` permission on the repository resource in addition to the `GetAuthorizationToken` permission on the domain. Similarly, a principal who wants to publish packages to a repository endpoint must be granted the `PublishPackageVersion` permission in addition to `GetAuthorizationToken`.
For more information about the `ReadFromRepository` and `PublishPackageVersion` permissions, see [Repository Policies](repo-policies.md).
## Domain policy example
When multiple accounts are using a domain, the accounts should be granted a basic set of permissions to allow full use of the domain. The following resource policy lists a set of permissions that allow full use of the domain.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "BasicDomainPolicy",
"Action": [
"codeartifact:GetDomainPermissionsPolicy",
"codeartifact:ListRepositoriesInDomain",
"codeartifact:GetAuthorizationToken",
"codeartifact:DescribeDomain",
"codeartifact:CreateRepository"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
}
```
------
**Note**
You don't need to create a domain policy if a domain and all its repositories are owned by a single account and only need to be used from that account.
## Domain policy example with AWS Organizations
You can use the `aws:PrincipalOrgID` condition key to grant access to an CodeArtifact domain from all accounts in your organization, as follows.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Sid": "DomainPolicyForOrganization",
"Effect": "Allow",
"Principal": "*",
"Action": [
"codeartifact:GetDomainPermissionsPolicy",
"codeartifact:ListRepositoriesInDomain",
"codeartifact:GetAuthorizationToken",
"codeartifact:DescribeDomain",
"codeartifact:CreateRepository"
],
"Resource": "*",
"Condition": {
"StringEquals": { "aws:PrincipalOrgID":["o-xxxxxxxxxxx"]}
}
}
}
```
------
For more information about using the `aws:PrincipalOrgID` condition key, see [AWS Global Condition Context Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.
## Set a domain policy
You can use the `put-domain-permissions-policy` command to attach a policy to a domain.
```
aws codeartifact put-domain-permissions-policy --domain my_domain --domain-owner 111122223333 \
--policy-document file://
```
When you call `put-domains-permissions-policy`, the resource policy on the domain is ignored when evaluting permissions. This ensures that the owner of a domain cannot lock themselves out of the domain, which would prevent them from being able to update the resource policy.
**Note**
You cannot grant permissions to another AWS account to update the resource policy on a domain using a resource policy, since the resource policy is ignored when calling put-domain-permissions-policy.
Sample output:
```
{
"policy": {
"resourceArn": "arn:aws:codeartifact:region-id:111122223333:domain/my_domain",
"document": "{ ...policy document content...}",
"revision": "MQlyyTQRASRU3HB58gBtSDHXG7Q3hvxxxxxxx="
}
}
```
The output of the command contains the Amazon Resource Name (ARN) of the domain resource, the full contents of the policy document, and a revision identifier. The revision identifier can be passed to `put-domain-permissions-policy` using the `--policy-revision` option. This ensures that a known revision of the document is being overwritten, and not a newer version set by another writer.
## Read a domain policy
To read an existing version of a policy document, use the `get-domain-permissions-policy` command. To format the output for readability, use the `--output` and `--query policy.document` together with the Python `json.tool` module, as follows.
```
aws codeartifact get-domain-permissions-policy --domain my_domain --domain-owner 111122223333 \
--output text --query policy.document | python -m json.tool
```
Sample output:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "BasicDomainPolicy",
"Action": [
"codeartifact:GetDomainPermissionsPolicy",
"codeartifact:ListRepositoriesInDomain",
"codeartifact:GetAuthorizationToken",
"codeartifact:CreateRepository"
],
"Effect": "Allow",
"Resource": "*",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
}
}
]
}
```
------
## Delete a domain policy
Use the `delete-domain-permissions-policy` command to delete a policy from a domain.
```
aws codeartifact delete-domain-permissions-policy --domain my_domain --domain-owner 111122223333
```
The format of the output is the same as that of the `get-domain-permissions-policy` and `delete-domain-permissions-policy` commands.
# Tag a domain in CodeArtifact
Tags are key-value pairs associated with AWS resources. You can apply tags to your domains in CodeArtifact. For information about CodeArtifact resource tagging, use cases, tag key and value constraints, and supported resource types, see [Tagging resources](tag-resources.md).
You can use the CLI to specify tags when you create a domain. You can use the console or CLI to add or remove tags, and update the values of tags in a domain. You can add up to 50 tags to each domain.
**Topics**
+ [Tag domains (CLI)](#tag-domains-tag-cli)
+ [Tag domains (console)](#tag-domains-console)
## Tag domains (CLI)
You can use the CLI to manage domain tags.
**Topics**
+ [Add tags to a domain (CLI)](#add-domains-tag-cli)
+ [View tags for a domain (CLI)](#list-domains-tag-cli)
+ [Edit tags for a domain (CLI)](#update-domains-tag-cli)
+ [Remove tags from a domain (CLI)](#delete-domains-tag-cli)
### Add tags to a domain (CLI)
You can use the console or the AWS CLI to tag domains.
To add a tag to a domain when you create it, see [Create a repository](create-repo.md).
In these steps, we assume that you have already installed a recent version of the AWS CLI or updated to the current version. For more information, see [Installing the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/installing.html).
At the terminal or command line, run the **tag-resource** command, specifying the Amazon Resource Name (ARN) of the domain where you want to add tags and the key and value of the tag you want to add.
**Note**
To get the ARN of the domain, run the `describe-domain` command:
```
aws codeartifact describe-domain --domain my_domain --query domain.arn
```
You can add more than one tag to a domain. For example, to tag a domain named *my\$1domain* with two tags, a tag key named *key1* with the tag value of *value1*, and a tag key named *key2* with the tag value of *value2*:
```
aws codeartifact tag-resource --resource-arn arn:aws:codeartifact:us-west-2:123456789012:domain/my_domain --tags key=key1,value=value1 key=key2,value=value2
```
If successful, this command has no output.
### View tags for a domain (CLI)
Follow these steps to use the AWS CLI to view the AWS tags for a domain. If no tags have been added, the returned list is empty.
At the terminal or command line, run the **list-tags-for-resource** command with the Amazon Resource Name (ARN) of the domain.
**Note**
To get the ARN of the domain, run the `describe-domain` command:
```
aws codeartifact describe-domain --domain my_domain --query domain.arn
```
For example, to view a list of tag keys and tag values for a domain named *my\$1domain* with the `arn:aws:codeartifact:us-west-2:123456789012:domain/my_domain` ARN value:
```
aws codeartifact list-tags-for-resource --resource-arn arn:aws:codeartifact:us-west-2:123456789012:domain/my_domain
```
If successful, this command returns information similar to the following:
```
{
"tags": {
"key1": "value1",
"key2": "value2"
}
}
```
### Edit tags for a domain (CLI)
Follow these steps to use the AWS CLI to edit a tag for a domain. You can change the value for an existing key or add another key. You can also remove tags from a domain, as shown in the next section.
At the terminal or command line, run the **tag-resource** command, specifying the ARN of the domain where you want to update a tag and specify the tag key and tag value:
**Note**
To get the ARN of the domain, run the `describe-domain` command:
```
aws codeartifact describe-domain --domain my_domain --query domain.arn
```
```
aws codeartifact tag-resource --resource-arn arn:aws:codeartifact:us-west-2:123456789012:domain/my_domain --tags key=key1,value=newvalue1
```
If successful, this command has no output.
### Remove tags from a domain (CLI)
Follow these steps to use the AWS CLI to remove a tag from a domain.
**Note**
If you delete a domain, all tag associations are removed from the deleted domain. You do not have to remove tags before you delete a domain.
At the terminal or command line, run the **untag-resource** command, specifying the ARN of the domain where you want to remove tags and the tag key of the tag you want to remove.
**Note**
To get the ARN of the domain, run the `describe-domain` command:
```
aws codeartifact describe-domain --domain my_domain --query domain.arn
```
For example, to remove multiple tags on a domain named *mydomain* with the tag keys *key1* and *key2*:
```
aws codeartifact untag-resource --resource-arn arn:aws:codeartifact:us-west-2:123456789012:domain/my_domain --tag-keys key1 key2
```
If successful, this command has no output. After removing tags, you can view the remaining tags on the domain using the `list-tags-for-resource` command.
## Tag domains (console)
You can use the console or the CLI to tag resources.
**Topics**
+ [Add tags to a domain (console)](#add-tag-domains-console)
+ [View tags for a domain (console)](#list-tag-domains-console)
+ [Edit tags for a domain (console)](#update-tag-domains-console)
+ [Remove tags from a domain (console)](#delete-tag-domains-console)
### Add tags to a domain (console)
You can use the console to add tags to an existing domain.
1. Open the AWS CodeArtifact console at [https://console.aws.amazon.com/codesuite/codeartifact/home](https://console.aws.amazon.com/codesuite/codeartifact/home).
1. On the **Domains** page, choose the domain that you want to add tags to.
1. Expand the **Details** section.
1. Under **Domain tags**, choose **Add domain tags** if there are no tags on the domain, or choose **View and edit domain tags** if there are.
1. Choose **Add new tag**.
1. In the **Key** and **Value** fields, enter the text for each tag you want to add. (The **Value** field is optional.) For example, in **Key**, enter **Name**. In **Value**, enter **Test**.
![\[The domain configuration.\]](http://docs.aws.amazon.com/codeartifact/latest/ug/images/domain-add-tag-console.png)
1. (Optional) Choose **Add tag** to add more rows and enter more tags.
1. Choose **Update domain**.
### View tags for a domain (console)
You can use the console to list tags for existing domains.
1. Open the AWS CodeArtifact console at [https://console.aws.amazon.com/codesuite/codeartifact/home](https://console.aws.amazon.com/codesuite/codeartifact/home).
1. On the **Domains** page, choose the domain where you want to view tags.
1. Expand the **Details** section.
1. Under **Domain tags**, choose **View and edit domain tags**.
**Note**
If there are no tags added to this domain, the console will read **Add domain tags**.
### Edit tags for a domain (console)
You can use the console to edit tags that have been added to domain.
1. Open the AWS CodeArtifact console at [https://console.aws.amazon.com/codesuite/codeartifact/home](https://console.aws.amazon.com/codesuite/codeartifact/home).
1. On the **Domains** page, choose the domain where you want to update tags.
1. Expand the **Details** section.
1. Under **Domain tags**, choose **View and edit domain tags**.
**Note**
If there are no tags added to this domain, the console will read **Add domain tags**.
1. In the **Key** and **Value** fields, update the values in each field as needed. For example, for the **Name** key, in **Value**, change **Test** to **Prod**.
1. Choose **Update domain**.
### Remove tags from a domain (console)
You can use the console to delete tags from domains.
1. Open the AWS CodeArtifact console at [https://console.aws.amazon.com/codesuite/codeartifact/home](https://console.aws.amazon.com/codesuite/codeartifact/home).
1. On the **Domains** page, choose the domain where you want to remove tags.
1. Expand the **Details** section.
1. Under **Domain tags**, choose **View and edit domain tags**.
**Note**
If there are no tags added to this domain, the console will read **Add domain tags**.
1. Next to the key and value for each tag you want to delete, choose **Remove**.
1. Choose **Update domain**.