aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::IAM::ManagedPolicy - Support for tags #819

Open scottcheney opened 3 years ago

scottcheney commented 3 years ago

Scope of request: AWS::IAM::ManagedPolicy does not support Tags property so cannot be tagged in CloudFormation templates. Tags are supported for IAM managed policies in the API and Console, so support for Tags on IAM policies is inconsistent.

Expected behavior: Tags property is supported by CloudFormation for the AWS::IAM::ManagedPolicy resource type, allowing AWS::IAM::ManagedPolicy resource types to be tagged in CloudFormation templates.

Links to existing API doc:

Category tag: Security

kddejong commented 3 years ago

I may be missing something here but isn't this for AWS::IAM::ManagedPolicy not AWS::IAM::Policy?

scottcheney commented 3 years ago

Yes, thank you for the call out. Updated.

cig0 commented 3 years ago

Hi,

A good tagging practice is core to the way we manage our infrastructure, so I will need to come up with a way to properly tag our customer managed policies as they are created until this issue is resolved. However, I'd like to invest my time in more pressing matters than reinventing the wheel.

What are the plans to address this issue? I don't see it in the roadmap...

pio2pio commented 3 years ago

> I may be missing something here but isn't this for AWS::IAM::ManagedPolicy not AWS::IAM::Policy?

I think it was correct: AWS::IAM::ManagedPolicy is an independent entity that you can tag in the AWS Console but not using CF templates. From the documentation:

> AWS::IAM::Policy Adds or updates an inline policy document that is embedded in the specified IAM user, group, or role.

so it's not possible to tag such a resource as it is embedded.

Vadim-Zenin commented 2 years ago

Hi, the request is 11 months old. Any updates please?

linuxhpceng commented 2 years ago

> The request is 11 months old. Any updates please?

No doubt. When will Amazon start acting like they are serving enterprise class clients? It's a little crazy that this is still floating around out there. Can we at least get a technical explanation as to why nothing has been done to correct this?

Thanks,

fmonthel commented 2 years ago

It will be very nice to have this support in CF. To achieve this we had to write a custom script using boto3 :(

warhamernl commented 2 years ago

I miss this feature as well and would love to see that property, or the CloudFormation tags propagating to the resource. But it is sad to have to write a script to do these things for you :(

cig0 commented 2 years ago

> The request is 11 months old. Any updates please?
>
> No doubt. When will Amazon start acting like they are serving enterprise class clients? It's a little crazy that this is still floating around out there. Can we at least get a technical explanation as to why nothing has been done to correct this?
>
> Thanks,

At this point, I believe that CF is stalled with its development being halted in favor of CDK. We already switched to Terraform here and we all couldn't be happier with the change.

sbrown-tecracer commented 1 year ago

Another use case:

CFM StackSet deployments when deploying IAM Policies / Groups are producing Drift false positives!

As CFM still does not support Tagging for both of these, if you apply a Tag at the StackSet level, this will fail deployment and produce a StackSet drift because of it. A possible Drift check to see if the CFM resource supports Tagging would help, but as the root cause is the lack of Tagging support in CFM, I would like to also see it added :-)

chrystalis commented 1 year ago

> Another use case:
>
> CFM StackSet deployments when deploying IAM Policies / Groups are producing Drift false positives!
>
> As CFM still does not support Tagging for both of these, if you apply a Tag at the StackSet level, this will fail deployment and produce a StackSet drift because of it. A possible Drift check to see if the CFM resource supports Tagging would help, but as the root cause is the lack of Tagging support in CFM, I would like to also see it added :-)

We are seeing this issue with Drift on stack instances as well. After reaching out to AWS Support, we were informed that the only way to actually stop CloudFormation from showing this tag-related Drift on stacks containing IAM managed policies is to remove the tags from the StackSet itself. CloudFormation is unable to even detect that the tags are ACTUALLY applied (through another method, since CFN could not do so), so just having the tags on the StackSet means that the stacks will show as DRIFTED - regardless of whether the tags are present on the resources or not.
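The out-of-band tagging script that several commenters describe, written here as an added example (not code from the roadmap or from any commenter): it copies a stack's tags onto the AWS::IAM::ManagedPolicy resources the stack created via the IAM TagPolicy API, and its per-ARN change report doubles as a "tags missing?" check, since CloudFormation drift detection cannot see these tags. It assumes boto3 `cloudformation` and `iam` clients are passed in (any objects with the same method names work, which is how it runs offline); the ARN in the usage note is a constructed placeholder.

```python
"""Tag a CloudFormation stack's IAM managed policies with the stack's own tags
(added example; works with boto3 'cloudformation' and 'iam' clients or look-alikes)."""
from typing import Dict, List, Tuple

RESERVED_PREFIX = "aws:"  # IAM rejects user-set tag keys with this prefix

def managed_policy_arns(cfn, stack_name: str) -> List[str]:
    """For AWS::IAM::ManagedPolicy the PhysicalResourceId is the policy ARN."""
    resources = cfn.describe_stack_resources(StackName=stack_name)["StackResources"]
    return [r["PhysicalResourceId"] for r in resources
            if r["ResourceType"] == "AWS::IAM::ManagedPolicy"
            and r["ResourceStatus"] in ("CREATE_COMPLETE", "UPDATE_COMPLETE")]

def stack_tags(cfn, stack_name: str) -> Dict[str, str]:
    stack = cfn.describe_stacks(StackName=stack_name)["Stacks"][0]
    return {t["Key"]: t["Value"] for t in stack.get("Tags", [])}

def current_policy_tags(iam, policy_arn: str) -> Dict[str, str]:
    """ListPolicyTags is paginated: follow Marker until IsTruncated is false."""
    tags, kwargs = {}, {"PolicyArn": policy_arn}
    while True:
        page = iam.list_policy_tags(**kwargs)
        tags.update({t["Key"]: t["Value"] for t in page["Tags"]})
        if not page.get("IsTruncated"):
            return tags
        kwargs["Marker"] = page["Marker"]

def plan_tag_changes(desired, current, prune=False) -> Tuple[List[dict], List[str]]:
    """TagPolicy/UntagPolicy payloads that bring `current` in line with `desired`.
    Extra tags are removed only when prune=True, so tags set by other tooling
    survive by default; reserved aws:* keys are never touched."""
    to_set = [{"Key": k, "Value": v} for k, v in sorted(desired.items())
              if not k.startswith(RESERVED_PREFIX) and current.get(k) != v]
    to_remove = sorted(k for k in current if prune and k not in desired
                       and not k.startswith(RESERVED_PREFIX))
    return to_set, to_remove

def reconcile_stack_policies(cfn, iam, stack_name, prune=False):
    """Apply the stack's tags to every managed policy it owns and report the
    changes per ARN; an all-empty report means the policies are fully tagged."""
    desired, report = stack_tags(cfn, stack_name), {}
    for arn in managed_policy_arns(cfn, stack_name):
        to_set, to_remove = plan_tag_changes(desired, current_policy_tags(iam, arn), prune)
        if to_set:
            iam.tag_policy(PolicyArn=arn, Tags=to_set)
        if to_remove:
            iam.untag_policy(PolicyArn=arn, TagKeys=to_remove)
        report[arn] = (to_set, to_remove)
    return report
```

Run it after each stack deploy with `reconcile_stack_policies(boto3.client("cloudformation"), boto3.client("iam"), "my-stack")`; a report like `{"arn:aws:iam::123456789012:policy/example": ([], [])}` means nothing was missing.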

maiconbaum commented 1 year ago

😴

luisccisneros commented 1 year ago

Are there any updates on the above? We are trying to tag managed policies created by CDK, but there is no option to create tags. However, it is possible through the AWS console. It would be nice for CDK to support tagging on managed policies.

AE86Trueno commented 1 year ago

Reached this page when searching for a way to tag ManagedPolicy via CloudFormation. Will this be added to the CFn stack?

@luisccisneros - CDK will still be deployed as a CloudFormation stack; I believe until they add this to the CFn stack, CDK will not be able to do it either, unless probably by adding some kind of unnecessary workaround.

luismfboliveira commented 3 months ago

Any updates on this? I see it has been moved to coming soon, but it has been a while.

Tags are essential to properly manage infrastructure and costs. Other resources like AWS::Events::Rule suffer from the same problem, unable to add tags.

It is heartbreaking to have a stack half-tagged if you don't want to bloat your IaC and CI/CD pipelines with workarounds while working with CFN.

Thank you in advance!

dailytabs commented 1 month ago

Been in CF for less than one day, and I already recognized this as an issue. How is this still a thing!

Veetaha commented 2 weeks ago

PCI DSS compliance requires tagging IAM managed policies. We can't do that with CFN. Forget compliance, the people who designed it are disconnected from the reality of CFN👍