using Tags to IAM Role created by Permissionset ?


We are using Terraform to provision the IAM Identity Center permissionset , and tagged the permissionset to a value we would like to use for creating the Access to Cross account Glue Data access. however the Tags do not end up in the IAM roles in the targetAccount that are created by the IAM permissionset . looks like this is by design? or are we missing anything here?. we would like to simplify by using the principalTags so that we don't have to use the weird roles names generated by the IAM identityCenter.

1 Answer

Hi there!

The behaviour you have pointed out is an expected one. As you have applied tags to the permission set to get propagated to the target IAM role created by AWS SSO permission sets and then use this target role created by AWS SSO permission sets as the principal, but as of now it is not possible to apply tags on the IAM roles created by AWS SSO service.

As it is mentioned in the documentation[1], when applying a permission set in SSO, AWS SSO creates corresponding AWS SSO-controlled IAM roles in each account, and attaches the policies specified in the permission set to those roles. But as specified in the document[2] “currently, tags can only be applied to permission sets and cannot be applied to corresponding roles that AWS SSO creates in AWS accounts".

This indicates that the tags specified in the permission set are not inherited down to the IAM roles automatically generated by SSO, only the policy in the permission set is applied. Also, as you modify the permission set, AWS SSO ensures that the corresponding IAM policies and roles are updated accordingly, but not the tags associated with SSO permission sets.

That being said, I totally understand your concern and agree with you that having such a functionality would be really useful. Thus, I found a popular feature request in place with the AWS SSO Development team to inherit tags to the IAM roles from SSO permission sets. Hence, I would like to request you to kindly monitor our product announcement page [3] and AWS News Blog [4] periodically for updates regarding announcements for AWS services.


[1] Permission sets -

[2] Tagging AWS Single Sign-On resources- [3] What's New -
[4] AWS News Blog -

answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions