

# Using tags with S3 general purpose buckets

An AWS tag is a key-value pair that holds metadata about resources, in this case Amazon S3 general purpose buckets. You can tag S3 buckets when you create them or manage tags on existing buckets. For general information about tags, see [Tagging for cost allocation or attribute-based access control (ABAC)](tagging.md).

**Note**  
There is no additional charge for using tags on buckets beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).

## Common ways to use tags with buckets


Use tags on your S3 buckets for:

1. **Cost allocation** – Track storage costs by bucket tag in AWS Billing and Cost Management. For more information, see [Using tags for cost allocation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html#using-tags-for-cost-allocation).

1. **Attribute-based access control (ABAC)** – Scale access permissions and grant access to S3 buckets based on their tags. For more information, see [Using tags for ABAC](https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging.html#using-tags-for-abac).
**Note**  
For general purpose buckets, ABAC is not enabled by default. To enable ABAC for general purpose buckets, see [Enabling ABAC in general purpose buckets](buckets-tagging-enable-abac.md). For Amazon S3 resources such as access points and directory buckets, ABAC is enabled by default. You can use the same tags for both cost allocation and access control.

### ABAC for S3 general purpose buckets


Amazon S3 general purpose buckets support attribute-based access control (ABAC) using tags. Use tag-based condition keys in your AWS Organizations, IAM, and S3 bucket policies. For enterprises, ABAC in Amazon S3 supports authorization across multiple AWS accounts.

In your IAM policies, you can control access to S3 buckets based on the bucket's tags by using the following [global condition keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys):
+ `aws:ResourceTag/key-name`
  + Use this condition key to compare the tag key-value pair that you specify in the policy with the key-value pair attached to the resource. S3 evaluates this condition key only after you enable ABAC on your bucket. For example, you could require that access to a resource is allowed only if the resource has the attached tag key `Dept` with the value `Marketing`. For more information, see [Controlling access to AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources).
+ `aws:RequestTag/key-name`
  + Use this condition key to compare the tag key-value pair that was passed in the request with the tag pair that you specify in the policy. For example, you could check whether the request includes the tag key `Dept` and that it has the value `Accounting`. For more information, see [Controlling access during AWS requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-requests). You can use this condition key to restrict which tag key-value pairs can be passed during the `TagResource` and `CreateBucket` API operations.
+ `aws:TagKeys`
  + Use this condition key to compare the tag keys in a request with the keys that you specify in the policy. When you use policies to control access using tags, we recommend that you use the `aws:TagKeys` condition key to define which tag keys are allowed. For example policies and more information, see [Controlling access based on tag keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-tag-keys).
+ `s3:BucketTag/tag-key`
  + Use this condition key to grant permissions to specific data in buckets using tags. This condition key is applicable only after ABAC is enabled on your bucket. When accessing a bucket by using an access point, the `aws:ResourceTag/tag-key` condition key references the tags on the bucket both when authorizing against the access point and when authorizing against the bucket. The `s3:BucketTag/tag-key` condition key references only the tags of the bucket it is being authorized against.

**Note**  
When creating buckets with tags, note that tag-based conditions to access your bucket using the `aws:ResourceTag` and `s3:BucketTag` condition keys are applicable only after you enable ABAC on the bucket. To learn more, see [Enabling ABAC in general purpose buckets](buckets-tagging-enable-abac.md).

### Example ABAC policies for buckets


See the following example ABAC policies for Amazon S3 buckets.

#### 1.1 - IAM policy to create or modify buckets with specific tags


In this IAM policy, users or roles with this policy can only create S3 buckets if they tag the bucket with the tag key `project` and tag value `Trinity` in the bucket creation request. They can also add or modify tags on existing S3 buckets as long as the `TagResource` request includes the tag key-value pair `project:Trinity`. This policy does not grant read, write, or delete permissions on the buckets or their objects.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateBucketWithTags",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/project": [
            "Trinity"
          ]
        }
      }
    }
  ]
}
```

#### 1.2 - Bucket policy to restrict operations


In this bucket policy, IAM principals (users and roles) are denied `s3:ListBucket`, `s3:GetObject`, and `s3:PutObject` actions on the bucket only if the value of the `project` tag on the bucket matches the value of the `project` tag on the principal.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyObjectOperations",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:ListBucket",
                       "s3:GetObject",
                       "s3:PutObject"],
            "Resource": ["arn:aws:s3:::aws-s3-demo",
                         "arn:aws:s3:::aws-s3-demo/*"],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
                }
            }
        }
    ]
}
```

#### 1.3 - IAM policy to modify tags on existing resources


In this IAM policy, IAM principals (users or roles) can modify tags on a bucket only if the value of the bucket's `project` tag matches the value of the principal's `project` tag. Only the four tags `project`, `environment`, `owner`, and `cost-center` specified in the `aws:TagKeys` condition key are permitted for these buckets. This helps enforce tag governance, prevents unauthorized tag modifications, and keeps the tagging schema consistent across your buckets.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceTaggingRulesOnModification",
      "Effect": "Allow",
      "Action": [
        "s3:TagResource",
        "s3:CreateBucket"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "project",
            "environment",
            "owner",
            "cost-center"
          ]
        }
      }
    }
  ]
}
```
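
The following added example (not part of the original AWS documentation) models how the `aws:RequestTag` test from policy 1.1 and the `aws:TagKeys` test from policy 1.3 evaluate against the tags sent in a `TagResource` or `CreateBucket` request. It is a simplified model of the `StringEquals` and `ForAllValues:StringEquals` operators, not AWS code; the `COMBINED` condition and the request tag sets are constructed for illustration.

```python
# Added example: a simplified model of two IAM condition operators (not AWS code).

def as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, request_tags):
    """Evaluate a Condition block against the tags sent in a TagResource or
    CreateBucket request. Only aws:RequestTag/<key> and aws:TagKeys are modeled."""
    for operator, tests in condition.items():
        for cond_key, allowed in tests.items():
            allowed = as_list(allowed)
            if operator == "StringEquals" and cond_key.startswith("aws:RequestTag/"):
                # A tag key that is absent from the request never matches.
                value = request_tags.get(cond_key.split("/", 1)[1])
                ok = value is not None and value in allowed
            elif operator == "ForAllValues:StringEquals" and cond_key == "aws:TagKeys":
                # Every tag key in the request must be in the allowed set;
                # a request that carries no tags is vacuously true.
                ok = all(key in allowed for key in request_tags)
            else:
                raise ValueError(f"not modeled: {operator} on {cond_key}")
            if not ok:
                return False  # all tests in a Condition block are ANDed
    return True


# Condition blocks copied from policies 1.1 and 1.3 on this page.
REQUIRE_PROJECT = {"StringEquals": {"aws:RequestTag/project": ["Trinity"]}}
ALLOWED_KEYS = {"ForAllValues:StringEquals": {
    "aws:TagKeys": ["project", "environment", "owner", "cost-center"]}}
# Both tests in one statement (constructed for comparison).
COMBINED = {**REQUIRE_PROJECT, **ALLOWED_KEYS}

# Constructed request tag sets.
REQUESTS = {
    "no tags": {},
    "project only": {"project": "Trinity"},
    "extra key": {"project": "Trinity", "team": "blue"},
    "wrong value": {"project": "Apollo"},
}


def evaluate_all():
    """Return {condition name: {request label: condition result}}."""
    conditions = {"1.1": REQUIRE_PROJECT, "1.3": ALLOWED_KEYS, "combined": COMBINED}
    return {name: {label: condition_matches(cond, tags)
                   for label, tags in REQUESTS.items()}
            for name, cond in conditions.items()}


if __name__ == "__main__":
    for name, row in evaluate_all().items():
        print(name, row)
```

In this model the `aws:TagKeys` test alone is satisfied by a request that carries no tags, and the `aws:RequestTag` test alone accepts additional tag keys; placing both tests in one statement requires `project=Trinity` and restricts the request to the four allowed keys.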

#### 1.4 - Using the s3:BucketTag condition key


In this IAM policy, the condition statement allows access to the `aws-s3-demo` bucket's data only if the bucket has the tag key `Environment` and tag value `Production`.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAccessViaSpecificBucket",
      "Effect": "Allow",
      "Action": "*",
      "Resource": ["arn:aws:s3:::aws-s3-demo","arn:aws:s3:::aws-s3-demo/*"],
      "Condition": {
        "StringEquals": {
          "s3:BucketTag/Environment": "Production"
        }
      }
    }
  ]
}
```

## Managing tags for general purpose buckets


You can add or manage tags for S3 buckets using the Amazon S3 Console, the AWS Command Line Interface (CLI), the AWS SDKs, or using the S3 APIs: [TagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_TagResource.html), [UntagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_UntagResource.html), and [ListTagsForResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListTagsForResource.html).

# Enabling ABAC in general purpose buckets

Attribute-based access control (ABAC) is an authorization strategy that you use to define permissions based on attributes, i.e., tags. By default, ABAC is disabled for all Amazon S3 general purpose buckets. To use ABAC for general purpose buckets, you must enable it.

Before enabling ABAC for your general purpose bucket, we recommend that you first complete the tasks described in the following sections.

## Auditing your policies before enabling ABAC


Before you enable ABAC for a bucket that already has tags, audit your access control policies to check whether any tag-based conditions reference the existing tags on your buckets. If they do, confirm that these policies are set up as intended and that enabling tag-based access control does not create unintended authorization changes to your Amazon S3 workflows. This helps ensure that your policies function as intended after ABAC is enabled on your buckets. For examples of using attribute-based conditions with tags, see [Using tags with S3 general purpose buckets](buckets-tagging.md).
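
One way to run the audit described above, as an added example that is not part of the original AWS documentation: the script scans policy documents for `aws:ResourceTag/...` and `s3:BucketTag/...` conditions and reports those that reference a tag key already present on a bucket the statement covers. The policy names, the `example-logs` bucket, and all tag values are constructed; the `Resource` matching is a simplification that ignores `NotResource`.

```python
import json
from fnmatch import fnmatchcase

# Condition-key prefixes that S3 evaluates against bucket tags only after ABAC is on.
BUCKET_TAG_PREFIXES = ("aws:resourcetag/", "s3:buckettag/")


def as_list(value):
    return value if isinstance(value, list) else [value]


def applies_to(stmt, bucket):
    """True if a Resource pattern covers the bucket or its objects (NotResource not modeled)."""
    arn = f"arn:aws:s3:::{bucket}"
    return any(fnmatchcase(arn, pattern.split("/", 1)[0])
               for pattern in as_list(stmt.get("Resource", "*")))


def tag_conditions(stmt):
    """Yield (operator, condition_key, tag_key, values) for each bucket-tag test."""
    for operator, tests in stmt.get("Condition", {}).items():
        for cond_key, values in tests.items():
            for prefix in BUCKET_TAG_PREFIXES:
                if cond_key.lower().startswith(prefix):  # key names are case-insensitive
                    yield operator, cond_key, cond_key[len(prefix):], as_list(values)


def audit(policies, bucket_tags):
    """List every tag condition that references a tag key already on a bucket."""
    findings = []
    for name, policy in policies.items():
        for index, stmt in enumerate(as_list(policy.get("Statement", []))):
            for operator, cond_key, tag_key, values in tag_conditions(stmt):
                for bucket, tags in bucket_tags.items():
                    current = {k.lower(): v for k, v in tags.items()}
                    if tag_key.lower() not in current or not applies_to(stmt, bucket):
                        continue
                    value = current[tag_key.lower()]
                    if operator != "StringEquals" or any("${" in str(v) for v in values):
                        verdict = "review manually"  # policy variable or other operator
                    else:
                        verdict = "matches" if value in values else "does not match"
                    findings.append({
                        "policy": name, "sid": stmt.get("Sid", f"statement[{index}]"),
                        "effect": stmt["Effect"], "condition_key": cond_key,
                        "bucket": bucket, "current_value": value, "verdict": verdict})
    return findings


# Constructed inputs: the condition blocks follow examples 1.1, 1.2 and 1.4 on this
# page; the policy names, the second bucket and all tag values are made up.
POLICIES = {
    "bucket-policy/aws-s3-demo": {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyObjectOperations", "Effect": "Deny", "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::aws-s3-demo/*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/project": "${aws:PrincipalTag/project}"}}}]},
    "iam/prod-access": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAccessViaSpecificBucket", "Effect": "Allow", "Action": "*",
        "Resource": ["arn:aws:s3:::aws-s3-demo", "arn:aws:s3:::aws-s3-demo/*"],
        "Condition": {"StringEquals": {"s3:BucketTag/Environment": "Production"}}}]},
    "iam/tagging": {"Version": "2012-10-17", "Statement": [{
        "Sid": "CreateBucketWithTags", "Effect": "Allow",
        "Action": ["s3:CreateBucket", "s3:TagResource"], "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestTag/project": ["Trinity"]}}}]},
}
BUCKET_TAGS = {
    "aws-s3-demo": {"project": "Trinity", "Environment": "Staging"},
    "example-logs": {"Environment": "Production"},
}

if __name__ == "__main__":
    print(json.dumps(audit(POLICIES, BUCKET_TAGS), indent=2))
```

Each finding is a statement to review before enabling ABAC on the named bucket; the `aws:RequestTag` statement is not reported because it tests the request, not the bucket's tags.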

### Including the required permissions in your IAM policies


You need the following Amazon S3 permissions to enable ABAC for your bucket: 
+ `s3:PutBucketAbac` – Update the ABAC status for your general purpose bucket.
+ `s3:GetBucketAbac` – View the ABAC status for your general purpose bucket.

After you enable ABAC, the permissions you previously used to add tags to a bucket or delete tags from a bucket, `PutBucketTagging` or `DeleteBucketTagging`, will no longer work. Instead, use the `TagResource` and `UntagResource` APIs to perform these tasks.

We recommend that you use the `TagResource` and `UntagResource` APIs to manage tagging before enabling ABAC on your buckets. The Amazon S3 Console and CloudFormation now use the `TagResource` and `UntagResource` APIs by default. You can also disable ABAC on your bucket by using the `PutBucketAbac` API. You can use `GetBucketTagging` to list tags on your buckets. This API will continue to work after you enable ABAC for your buckets. Alternatively, you can use `ListTagsForResource` to list all tags on your buckets.

You will need the following permissions to apply tags to and remove them from general purpose buckets. 
+ `s3:TagResource` – Add tags to an AWS resource, such as an Amazon S3 general purpose bucket.
+ `s3:UntagResource` – Remove tags from an AWS resource, such as an Amazon S3 general purpose bucket.
+ `s3:ListTagsForResource` – View the tags applied to an AWS resource, such as an Amazon S3 general purpose bucket.

The following IAM policy grants the permission to enable ABAC and view its status for your bucket.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketAbac",
        "s3:GetBucketAbac"
      ],
      "Resource": "arn:aws:s3:::my-s3-bucket"
    }
  ]
}
```

For more information on tagging general purpose buckets and example ABAC policies for general purpose buckets, see [Using tags with S3 general purpose buckets](buckets-tagging.md). 

### Steps


If you have `s3:PutBucketAbac` permission for a general purpose bucket, you can enable ABAC for the bucket by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

### Using the S3 console


To enable ABAC for a general purpose bucket using the Amazon S3 console:

1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **buckets**.

1. Choose the bucket name. 

1. Choose the **Properties** tab. 

1. In the **Bucket ABAC** panel, choose **Edit**.

1. Choose the **Enable** toggle. 

1. Review and acknowledge the permissions you will need to manage tags after you enable ABAC: `TagResource`, `UntagResource`, and `ListTagsForResource`. 

1. Choose **Save changes**. 

### Using the AWS SDKs


------
#### [ SDK for Java 2.x ]

This example shows you how to enable ABAC for a general purpose bucket by using the AWS SDK for Java 2.x. To use the command, replace the *user input placeholders* with your own information.

```
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.AbacStatus;
import software.amazon.awssdk.services.s3.model.GetBucketAbacRequest;
import software.amazon.awssdk.services.s3.model.GetBucketAbacResponse;
import software.amazon.awssdk.services.s3.model.PutBucketAbacRequest;
import software.amazon.awssdk.services.s3.model.PutBucketAbacResponse;
import software.amazon.awssdk.services.s3.model.S3Exception;
import software.amazon.awssdk.regions.Region;

public class BucketAbac {
    public static void main(String[] args) {
        Region region = Region.US_EAST_1;
        S3Client s3 = S3Client.builder()
            .region(region)
            .build();

        putBucketAbac(s3, "amzn-s3-demo-bucket", "Enabled");
        getBucketAbac(s3, "amzn-s3-demo-bucket");

        putBucketAbac(s3, "amzn-s3-demo-bucket", "Disabled");
        getBucketAbac(s3, "amzn-s3-demo-bucket");
    }

    /**
     * Sets the ABAC (Attribute-Based Access Control) status for a specified S3 bucket.
     * 
     * @param s3 The S3Client instance to use for the API call
     * @param bucketName The name of the S3 bucket to update
     * @param status The desired ABAC status ("Enabled" or "Disabled")
    */
    public static void putBucketAbac(S3Client s3, String bucketName, String status) {
       try {
            AbacStatus abacStatus = AbacStatus.builder()
                .abacStatus(status)
                .build();
            PutBucketAbacRequest request = PutBucketAbacRequest.builder()
                .bucket(bucketName)
                .abacStatus(abacStatus)
                .build();
            s3.putBucketAbac(request);
        } catch (S3Exception e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
    
    /**
     * Retrieves the current ABAC (Attribute-Based Access Control) status for a specified S3 bucket.
     * 
     * @param s3 The S3Client instance to use for the API call
     * @param bucketName The name of the S3 bucket to query
    */
    public static void getBucketAbac(S3Client s3, String bucketName) {
       try {
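            GetBucketAbacRequest request = GetBucketAbacRequest.builder()
                .bucket(bucketName)
                .build();
            GetBucketAbacResponse response = s3.getBucketAbac(request);
            // Print the returned ABAC status
            System.out.println("ABAC status for " + bucketName + ": " + response);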
        } catch (S3Exception e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
}
```


------

### Using the REST API


For information about the Amazon S3 REST API support for enabling ABAC on a general purpose bucket, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [PutBucketAbac](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_PutBucketABAC.html)

### Using the AWS CLI


To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to enable ABAC for a general purpose bucket by using the AWS CLI. To use the command, replace the *user input placeholders* with your own information.

**Request:**

```
# Enable ABAC on a general purpose bucket

aws s3api put-bucket-abac --bucket amzn-s3-demo-bucket --abac-status Status=Enabled --region us-east-2

# Disable ABAC on a general purpose bucket

aws s3api put-bucket-abac --bucket amzn-s3-demo-bucket --abac-status Status=Disabled --region us-east-2

# Get ABAC status on a general purpose bucket

aws s3api get-bucket-abac --bucket amzn-s3-demo-bucket --region us-east-2
```

# Creating general purpose buckets with tags


You can tag Amazon S3 general purpose buckets when you create them. There is no additional charge for using tags on buckets beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://docs.aws.amazon.com/s3/pricing/). For more information about tagging buckets, see [Using tags with S3 general purpose buckets](buckets-tagging.md).

## Permissions


To create a bucket with tags, you must have the following permissions:
+ `s3:CreateBucket`
+ `s3:TagResource`

Amazon S3 Console and CloudFormation now use this capability to create buckets with tags.

## Troubleshooting errors


If you encounter an error when attempting to create a bucket with tags, you can do the following: 
+ Verify that you have the required [Permissions](#bucket-create-tag-permissions) to create the bucket and add a tag to it.
+ Check your IAM policy for `aws:TagKeys` or `aws:RequestTag/key-name` condition keys. You might be required to label your buckets only with specific tag keys and values. For more information, see [Using tags for attribute-based access control (ABAC)](tagging.md#using-tags-for-abac).

**Note**  
Amazon S3 and CloudFormation now use this capability to create buckets with tags. When creating buckets with tags, note that tag-based conditions to access your bucket using `aws:ResourceTag` and `s3:BucketTag` condition keys are applicable only after you enable ABAC on the bucket. To learn more, see [Enabling ABAC in general purpose buckets](buckets-tagging-enable-abac.md). 

## Steps


You can create a bucket with tags applied by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console


To create a bucket with tags using the Amazon S3 console:

1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **buckets**.

1. Choose **Create bucket** to create a new bucket.

1. Create a general purpose bucket as you normally would; see [Creating a general purpose bucket](create-bucket-overview.md).

1. On the **Create bucket** page, **Tags** is an option when creating a new bucket.

1. Enter a name for the bucket. For more information, see [General purpose bucket naming rules](bucketnamingrules.md). 

1. Choose **Add new Tag** to open the Tags editor and enter a tag key-value pair. The tag key is required, but the value is optional. 

1. To add another tag, select **Add new Tag** again. You can enter up to 50 tag key-value pairs.

1. After you finish specifying the options for your new bucket, choose **Create bucket**.

## Using the AWS SDKs


------
#### [ SDK for Java 2.x ]

This example shows you how to create a general purpose bucket with tags by using the AWS SDK for Java 2.x. To use the command, replace the *user input placeholders* with your own information.

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.BucketLocationConstraint;
import software.amazon.awssdk.services.s3.model.CreateBucketConfiguration;
import software.amazon.awssdk.services.s3.model.CreateBucketRequest;
import software.amazon.awssdk.services.s3.model.CreateBucketResponse;
import software.amazon.awssdk.services.s3.model.Tag;

public class CreateBucketWithTagsExample {
    public static void createBucketWithTagsExample() {
        S3Client s3 = S3Client.builder().region(Region.US_WEST_2).build();

        CreateBucketConfiguration bucketConfiguration = CreateBucketConfiguration.builder()
                .locationConstraint(BucketLocationConstraint.US_WEST_2)
                .tags(Tag.builder().key("MyTagKey").value("MyTagValue").build())
                .build();

        CreateBucketRequest createBucketRequest = CreateBucketRequest.builder()
                .bucket("mybucket")
                .createBucketConfiguration(bucketConfiguration)
                .build();

        CreateBucketResponse response = s3.createBucket(createBucketRequest);
        System.out.println("Status code (should be 200):");
        System.out.println(response.sdkHttpResponse().statusCode());
    }
}
```

------

## Using the REST API


For information about the Amazon S3 REST API support for creating a general purpose bucket with tags, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [CreateBucket](https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateBucket.html)

## Using the AWS CLI


To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to create a bucket with tags by using the AWS CLI. To use the command, replace the *user input placeholders* with your own information.

When you create a bucket, you must provide configuration details and use the following naming convention: `amzn-s3-demo-bucket`

**Request:**

```
aws s3api create-bucket \
--bucket mybucket \
--create-bucket-configuration 'LocationConstraint=us-west-2,Tags=[{Key=MyTagKey,Value=MyTagValue}]' --region us-west-2
```

**Response:**

```
{
  "Location": "http://mybucket.s3.amazonaws.com/"
}
```

# Adding a tag to a bucket




You can add tags to Amazon S3 buckets and modify these tags. There is no additional charge for using tags on buckets beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://docs.aws.amazon.com/s3/pricing/). For more information about tagging buckets, see [Using tags with S3 general purpose buckets](buckets-tagging.md).

## Permissions


To add a tag to a bucket, you must have the following permission:
+ `s3:TagResource`

## Troubleshooting errors


If you encounter an error when attempting to add a tag to a bucket, you can do the following: 
+ Verify that you have the required [Permissions](#bucket-tag-add-permissions) to add a tag to a bucket.
+ If you attempted to add a tag key that starts with the AWS reserved prefix `aws:`, change the tag key and try again. 

## Steps


You can add tags to buckets by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console


To add tags to a bucket using the Amazon S3 console:

1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **buckets**.

1. Choose the bucket name. 

1. Choose the **Properties** tab. 

1. Scroll to the **Tags** section and choose **Add new Tag**. 

1. This opens the **Add Tags** page. You can enter up to 50 tag key-value pairs.

1. If you add a new tag with the same key name as an existing tag, the value of the new tag overrides the value of the existing tag.

1. You can also edit the values of existing tags on this page.

1. After you have added the tag(s), choose **Save changes**. 

## Using the AWS SDKs


------
#### [ SDK for Java 2.x ]

This example shows you how to add tags to a general purpose bucket by using the AWS SDK for Java 2.x. To use the command, replace the *user input placeholders* with your own information.

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.Tag;
import software.amazon.awssdk.services.s3control.model.TagResourceRequest;
import software.amazon.awssdk.services.s3control.model.TagResourceResponse;

public class TagResourceExample {
    public static void tagResourceExample() {
        S3ControlClient s3Control = S3ControlClient.builder().region(Region.US_WEST_2).build();

        TagResourceRequest tagResourceRequest = TagResourceRequest.builder()
                .resourceArn("arn:aws:s3:::my-bucket")
                .accountId("111122223333")
                .tags(Tag.builder().key("MyTagKey").value("MyTagValue").build())
                .build();

        TagResourceResponse response = s3Control.tagResource(tagResourceRequest);
        System.out.println("Status code (should be 204):");
        System.out.println(response.sdkHttpResponse().statusCode());
    }
}
```

------

## Using the REST API


For information about the Amazon S3 REST API support for adding tags to a general purpose bucket, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [TagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_TagResource.html)

## Using the AWS CLI


To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to add tags to a general purpose bucket by using the AWS CLI. To use the command, replace the *user input placeholders* with your own information.

**Request:**

```
aws s3control tag-resource --resource-arn arn:aws:s3:::amzn-s3-demo-bucket --region us-east-2 --account-id 444455556666 --tags '[{"Key":"mykey","Value":"myvalue"}]'
```

# Viewing bucket tags


You can view or list tags applied to S3 buckets. For more information about tags, see [Using tags with S3 general purpose buckets](buckets-tagging.md).

## Permissions


To view tags applied to a bucket, you must have the following permission: 
+ `s3:ListTagsForResource`

## Troubleshooting errors


If you encounter an error when attempting to list or view the tags of a bucket, you can do the following: 
+ Verify that you have the required [Permissions](#bucket-tag-view-permissions) to view or list the tags of the bucket.

## Steps


You can view tags applied to buckets by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console


To view tags applied to a bucket using the Amazon S3 console:

1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **buckets**.

1. Choose the bucket name. 

1. Choose the **Properties** tab. 

1. Scroll to the **Tags** section to view all of the tags applied to the general purpose bucket. 

1. The **Tags** section shows the **User-defined tags** by default. You can select the **AWS-generated tags** tab to view tags applied to your bucket by AWS services.

## Using the AWS SDKs


This section provides an example of how to view tags applied to a general purpose bucket by using the AWS SDKs.

------
#### [ SDK for Java 2.x ]

This example shows you how to view tags applied to a general purpose bucket by using the AWS SDK for Java 2.x. 

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.ListTagsForResourceRequest;
import software.amazon.awssdk.services.s3control.model.ListTagsForResourceResponse;

public class ListTagsForResourceExample {
    public static void listTagsForResourceExample() {
        S3ControlClient s3Control = S3ControlClient.builder().region(Region.US_WEST_2).build();

        ListTagsForResourceRequest listTagsForResourceRequest = ListTagsForResourceRequest.builder()
                .resourceArn("arn:aws:s3:::my-bucket")
                .accountId("111122223333")
                .build();

        ListTagsForResourceResponse response = s3Control.listTagsForResource(listTagsForResourceRequest);
        System.out.println("Tags on my resource:");
        System.out.println(response.toString());
    }
}
```

------

## Using the REST API


For information about the Amazon S3 REST API support for viewing the tags applied to a general purpose bucket, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [ListTagsForResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_ListTagsForResource.html)

## Using the AWS CLI


To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to view tags applied to a bucket. To use the command, replace the *user input placeholders* with your own information.

**Request:**

```
aws s3control list-tags-for-resource \
--account-id 111122223333 \
--resource-arn arn:aws:s3:::amzn-s3-demo-bucket
```

**Response - tags present:**

```
{
  "Tags": [
      {
          "Key": "MyKey1",
          "Value": "MyValue1"
      },
      {
          "Key": "MyKey2",
          "Value": "MyValue2"
      },
      {
          "Key": "MyKey3",
          "Value": "MyValue3"
      }
  ]
}
```

**Response - no tags present:**

```
{
  "Tags": []
}
```

# Deleting a tag from a bucket


You can remove tags from S3 buckets. An AWS tag is a key-value pair that holds metadata about resources, in this case Amazon S3 buckets. For more information about tags, see [Using tags with S3 general purpose buckets](buckets-tagging.md).

**Note**  
If you delete a tag and later learn that it was being used to track costs or for access control, you can add the tag back to the bucket. 

## Permissions


To delete a tag from a bucket, you must have the following permission: 
+ `s3:UntagResource`

## Troubleshooting errors


If you encounter an error when attempting to delete a tag from a bucket, you can do the following: 
+ Verify that you have the required [Permissions](#bucket-tag-delete-permissions) to delete a tag from a bucket.

## Steps


You can delete tags from buckets by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

## Using the S3 console


To delete tags from a bucket using the Amazon S3 console:

1. Sign in to Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **buckets**.

1. Choose the bucket name. 

1. Choose the **Properties** tab. 

1. Scroll to the **Tags** section and select the checkbox next to the tag or tags that you would like to delete. 

1. Choose **Delete**. 

1. The **Delete user-defined tags** pop-up appears and asks you to confirm the deletion of the tag or tags you selected. 

1. Choose **Delete** to confirm.

## Using the AWS SDKs


------
#### [ SDK for Java 2.x ]

This example shows you how to delete tags from a general purpose bucket by using the AWS SDK for Java 2.x. To use the command, replace the *user input placeholders* with your own information.

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.UntagResourceRequest;
import software.amazon.awssdk.services.s3control.model.UntagResourceResponse;

public class UntagResourceExample {
    public static void untagResourceExample() {
        S3ControlClient s3Control = S3ControlClient.builder().region(Region.US_WEST_2).build();

        UntagResourceRequest untagResourceRequest = UntagResourceRequest.builder()
                .resourceArn("arn:aws:s3:::my-bucket")
                .accountId("111122223333")
                .tagKeys("myTagKey")
                .build();

        UntagResourceResponse response = s3Control.untagResource(untagResourceRequest);
        System.out.println("Status code (should be 204):");
        System.out.println(response.sdkHttpResponse().statusCode());
    }
}
```

------

## Using the REST API


For information about the Amazon S3 REST API support for deleting tags from a general purpose bucket, see the following section in the *Amazon Simple Storage Service API Reference*:
+ [UntagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_control_UntagResource.html)

## Using the AWS CLI


To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to delete tags from a general purpose bucket by using the AWS CLI. To use the command, replace the *user input placeholders* with your own information.

**Request:**

```
aws s3control untag-resource \
--resource-arn arn:aws:s3:::amzn-s3-demo-bucket --region us-east-2 --account-id 111122223333 \
--tag-keys "tagkey1" "tagkey2"
```