aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

Resource Group Tagging API unable to retrieve tags of resources from Global region (IAM Users, Roles) #581

Closed jonlao-khoros closed 1 year ago

jonlao-khoros commented 1 year ago

Describe the bug

Get-Resource operation from Resource Group Tagging API returns an empty result when the provided resource is in the Global region. However, applying tags works for the same resource.

The following will return an empty result even if the provided resource has tags associated.

aws resourcegroupstaggingapi get-resources --resource-arn-list {ARN}

Where {ARN} is any global resource, such as IAM User or IAM Role. E.g. arn:aws:iam::1234567890:user/some_user, arn:aws:iam::1234567890:role/some-role

For the same ARN (resource), applying tags works:

aws resourcegroupstaggingapi tag-resources --resource-arn-list {ARN}

Where {ARN} is the same as above (IAM Role, IAM User).

Note: This behavior also exhibits in AWS SDK (Java).

Expected Behavior

Tags of the provided resource (by ARN) should be returned.

e.g.

{
    "ResourceTagMappingList": [
        {
            "ResourceARN": "arn:aws:iam::1234567890:role/some-role",
            "Tags": [
                {
                    "Key": "Tag1",
                    "Value": "foo"
                },
                {
                    "Key": "Tag2",
                    "Value": "bar"
                }
            ]
        }
    ]
}

Current Behavior

An empty tag list is returned for a resource that does have tags:

{
    "ResourceTagMappingList": []
}

Reproduction Steps

Execute the following command with an ARN that is under Global region:

aws resourcegroupstaggingapi get-resources --resource-arn-list $ARN

Possible Solution

Fix backend of tagging.{region}.amazonaws.com so that for ARN of global resources, it will route to the correct logic similar to aws resourcegroupstaggingapi tag-resources command

Additional Information/Context

No response

CLI version used

aws-cli/2.13.8 Python/3.11.4 Darwin/22.6.0 exe/x86_64 prompt/off

Environment details (OS name and version, etc.)

MacOS 13.5

RyanFitzSimmonsAK commented 1 year ago

Hi @jonlao-khoros, I was able to reproduce this behavior. You mentioned that this also happens with the Java SDK; that means that this is a service API issue. I'm going to move this issue to our cross-SDK repository, and reach out to the service team about it. Thanks for raising this issue. I'll reply here with any updates in the future.

RyanFitzSimmonsAK commented 1 year ago

Ticket # for internal reference: P96705759

RyanFitzSimmonsAK commented 1 year ago

Hi @jonlao-khoros, thanks for your patience. The service team got back to me and explained that this is intended, due to the way that tags in IAM behave.

https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/supported-services.html

From that documentation,

AWS Identity and Access Management (IAM) – at this time, you can tag only the following IAM resources using the Resource Groups Tagging API:

instance-profile

mfa

oidc-provider

policy

role

saml-provider

server-certificate

user

This line of the documentation means that only those resources can be tagged, and that those resources can only be tagged (cannot be gotten by GetResource). Hope that helps, and please let me know if you have any follow-up questions.

jonlao-khoros commented 1 year ago

Thanks for the follow up!
Would be appreciated if the documentation can be a little more clear on GetResource not being supported.

RyanFitzSimmonsAK commented 1 year ago

I'll forward that feedback to the Resource Group Tagging API documentation writers, and let you know in this issue if that clarification is made to the docs.

RyanFitzSimmonsAK commented 1 year ago

"IAM users and roles can only be used in TagResource and UntagResources operations." was added to the note at the top of this page.

github-actions[bot] commented 1 year ago

This issue is now closed.

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

thpham commented 2 months ago

> "IAM users and roles can only be used in TagResource and UntagResources operations." was added to the note at the top of this page.

Thank you, do you know where to up-vote for the feature?
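
Added example, not part of the issue thread and not AWS or SDK code: because GetResources returns an empty list for IAM users and roles, a tag audit built only on it will read them as untagged. The code below sends those ARNs to IAM's own ListUserTags / ListRoleTags calls (boto3 `list_user_tags` / `list_role_tags`) and uses GetResources for everything else. The function names `parse_arn`, `iam_tags` and `get_tags` are hypothetical, and the boto3 clients can be passed in.

```python
"""Tag lookup that does not silently miss IAM users and roles (added example)."""


def parse_arn(arn):
    # ARN layout: arn:partition:service:region:account-id:resource
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return {"service": parts[2], "region": parts[3], "resource": parts[5]}


def iam_tags(iam, kind, name):
    """Page through IAM ListUserTags / ListRoleTags and return the raw tag list."""
    call, arg = {"user": (iam.list_user_tags, "UserName"),
                 "role": (iam.list_role_tags, "RoleName")}[kind]
    tags, kwargs = [], {arg: name}
    while True:
        page = call(**kwargs)
        tags.extend(page.get("Tags", []))
        if not page.get("IsTruncated"):
            return tags
        kwargs["Marker"] = page["Marker"]


def get_tags(arn, tagging=None, iam=None):
    """Return {key: value} for arn, or None when GetResources has no entry for it."""
    info = parse_arn(arn)
    kind, _, rest = info["resource"].partition("/")
    if info["service"] == "iam" and kind in ("user", "role"):
        if iam is None:
            import boto3  # imported lazily so stub clients work without boto3
            iam = boto3.client("iam")
        # The IAM name is the last path segment, e.g. role/service-role/MyRole.
        tags = iam_tags(iam, kind, rest.rsplit("/", 1)[-1])
        return {t["Key"]: t["Value"] for t in tags}
    if tagging is None:
        import boto3
        tagging = boto3.client("resourcegroupstaggingapi")
    resp = tagging.get_resources(ResourceARNList=[arn])
    for mapping in resp.get("ResourceTagMappingList", []):
        if mapping["ResourceARN"] == arn:
            return {t["Key"]: t["Value"] for t in mapping.get("Tags", [])}
    # An empty mapping list is "no record", not proof that the resource is untagged.
    return None
```
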