New – AWS Resource Tagging API
September 8, 2021: Amazon Elasticsearch Service has been renamed to Amazon OpenSearch Service. See details.
AWS customers frequently use tags to organize their Amazon EC2 instances, Amazon EBS volumes, Amazon S3 buckets, and other resources. Over the past couple of years we have been working to make tagging more useful and more powerful. For example, we have added support for tagging during Auto Scaling, the ability to use up to 50 tags per resource, console-based support for the creation of resources that share a common tag (also known as resource groups), and the option to use Config Rules to enforce the use of tags.
As customers grow to the point where they are managing thousands of resources, each with up to 50 tags, they have been looking to us for additional tooling and options to simplify their work. Today I am happy to announce that our new Resource Tagging API is now available. You can use these APIs from the AWS SDKs or via the AWS Command Line Interface (AWS CLI). You now have programmatic access to the same resource group operations that had been accessible only from the AWS Management Console.
Recap: Console-Based Resource Group Operations
Before I get in to the specifics of the new API functions, I thought you would appreciate a fresh look at the console-based grouping and tagging model. I already have the ability to find and then tag AWS resources using a search that spans one or more regions. For example, I can select a long list of regions and then search them for my EC2 instances like this:
After I locate and select all of the desired resources, I can add a new tag key by clicking Create a new tag key and entering the desired tag key:
Then I enter a value for each instance (the new ProjectCode column):
Then I can create a resource group that contains all of the resources that are tagged with P100:
After I have created the resource group, I can locate all of the resources by clicking on the Resource Groups menu:
To learn more about this feature, read Resource Groups and Tagging for AWS.
New API for Resource Tagging
The Resource Tagging API that we are announcing today gives you power to tag, untag, and locate resources using tags, all from your own code. With these new API functions, you are now able to operate on multiple resource types with a single set of functions.
Here are the new functions:
TagResources – Add tags to up to 20 resources at a time.
UntagResources – Remove tags from up to 20 resources at a time.
GetResources – Get a list of resources, with optional filtering by tags and/or resource types.
GetTagKeys – Get a list of all of the unique tag keys used in your account.
GetTagValues – Get all tag values for a specified tag key.
These functions support the following AWS services and resource types:
|AWS Service||Resource Types|
|Amazon EC2||AMI, Customer Gateway, DHCP Option, EBS Volume, Instance, Internet Gateway, Network ACL, Network Interface, Reserved Instance, Reserved Instance Listing, Route Table, Security Group – EC2 Classic, Security Group – VPC, Snapshot, Spot Batch, Spot Instance Request, Spot Instance, Subnet, Virtual Private Gateway, VPC, VPN Connection.|
|Amazon ElastiCache||Cluster, Snapshot.|
|Amazon Elastic File System||Filesystem.|
|Amazon Elasticsearch Service||Domain.|
|Amazon Machine Learning||Batch Prediction, Data Source, Evaluation, ML Model.|
|Amazon Relational Database Service||DB Instance, DB Option Group, DB Parameter Group, DB Security Group, DB Snapshot, DB Subnet Group, Event Subscription, Read Replica, Reserved DB Instance.|
|Amazon Route 53||Domain, Health Check, Hosted Zone.|
|AWS Certificate Manager||Certificate.|
|AWS Directory Service||Directory.|
|AWS Storage Gateway||Gateway, Virtual Tape, Volume.|
|Elastic Load Balancing||Load Balancer, Target Group.|
Things to Know
Here are a couple of things to keep in mind when you build code or write scripts that use the new API functions or the CLI equivalents:
Compatibility – The older, service-specific functions remain available and you can continue to use them.
Write Permission – The new tagging API adds another layer of permission on top of existing policies that are specific to a single AWS service. For example, you will need to have access to
EC2:createTags in order to add a tag to an EC2 instance.
Read Permission – You will need to have access to
tag:GetTagValues in order to call functions that access tags and tag values.
Pricing – There is no charge for the use of these functions or for tags.
The new functions are supported by the latest versions of the AWS SDKs. You can use them to tag and access resources in all commercial AWS regions.