# Using tags with S3 vector indexes
Tagging vector indexes

An AWS tag is a key-value pair that holds metadata about resources, in this case Amazon S3 vector indexes. You can tag S3 vector indexes when you create them or manage tags on existing vector indexes. For general information about tags, see [Tagging for cost allocation or attribute-based access control (ABAC)](tagging.md).

**Note**  
There is no additional charge for using tags on vector indexes beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://aws.amazon.com/s3/pricing/).

## Common ways to use tags with vector indexes


Use tags on your S3 vector indexes for:
+ **Cost allocation** – Track storage costs by vector index tag in AWS Billing and Cost Management. For more information, see [Using tags for cost allocation](tagging.md#using-tags-for-cost-allocation).
+ **Attribute-based access control (ABAC)** – Scale access permissions and grant access to S3 vector indexes based on their tags. For more information, see [Using tags for attribute-based access control (ABAC)](tagging.md#using-tags-for-abac).

**Note**  
You can use the same tags for both cost allocation and access control.

### ABAC for S3 vector indexes


Amazon S3 vector indexes support attribute-based access control (ABAC) using tags. Use tag-based condition keys in your AWS organizations, IAM, and S3 vector index policies. For enterprises, ABAC inAmazon S3 supports authorization across multiple AWS accounts.

In your IAM policies, you can control access to S3 vector indexes based on the vector index's tags by using the following global condition keys:

`aws:ResourceTag/key-name`  
Use this key to compare the tag key-value pair that you specify in the policy with the key-value pair attached to the resource. For example, you could require that access to a resource is allowed only if the resource has the attached tag key `Dept` with the value `Marketing`. For more information, see [Controlling access to AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-resources).

`aws:RequestTag/key-name`  
Use this key to compare the tag key-value pair that was passed in the request with the tag pair that you specify in the policy. For example, you could check whether the request includes the tag key `Dept` and that it has the value `Accounting`. For more information, see [Controlling access during AWS requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-requests). You can use this condition key to restrict which tag key-value pairs can be passed during the `TagResource` and `CreateIndex` API operations.

`aws:TagKeys`  
Use this key to compare the tag keys in a request with the keys that you specify in the policy. We recommend that when you use policies to control access using tags, use the `aws:TagKeys` condition key to define what tag keys are allowed. For example policies and more information, see [Controlling access based on tag keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-tag-keys). You can create an S3 vector index with tags. To allow tagging during the `CreateVectorBucket` API operation, you must create a policy that includes both the `s3vectors:TagResource` and `s3vectors:CreateVectorBucket` actions. You can then use the `aws:TagKeys` condition key to enforce using specific tags in the `CreateVectorBucket` request.

### Example ABAC policies for vector indexes


See the following example ABAC policies for Amazon S3 vector indexes.

#### 1.1 - IAM policy to create or modify vector indexes with specific tags


In this IAM policy, users or roles with this policy can only create S3 vector indexes if they tag the vector index with the tag key `project` and tag value `Trinity` in the vector index creation request. They can also add or modify tags on existing S3 vector indexes as long as the `TagResource` request includes the tag key-value pair `project:Trinity`. This policy does not grant read, write, or delete permissions on the vector indexes or its objects.

```
{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "CreateVectorIndexWithTags",
      "Effect": "Allow",
      "Action": [
        "s3vectors:CreateIndex",
        "s3vectors:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/project": [
            "Trinity"
          ]
        }
      }
    }
  ]
}
```

#### 1.2 - IAM policy to modify tags on existing resources maintaining tagging governance


In this IAM policy, IAM principals (users or roles) can modify tags on a vector index only if the value of the vector index's `project` tag matches the value of the principal's `project` tag. Only the four tags `project`, `environment`, `owner`, and `cost-center` specified in the `aws:TagKeys` condition keys are permitted for these vector indexes. This helps enforce tag governance, prevents unauthorized tag modifications, and keeps the tagging schema consistent across your vector indexes.

```
{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "EnforceTaggingRulesOnModification",
      "Effect": "Allow",
      "Action": [
        "s3vectors:TagResource"
      ],
      "Resource": "arn:aws::s3vectors:us-west-2:111122223333:bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
        },
        "ForAllValues:StringEquals": {
          "aws:TagKeys": [
            "project",
            "environment",
            "owner",
            "cost-center"
          ]
        }
      }
    }
  ]
}
```

# Managing tags for vector indexes


You can add or manage tags for S3 vector indexes using the Amazon S3 Console, the AWS Command Line Interface (AWS CLI), the AWS SDKs, or using the S3 APIs: [TagResource](https://docs.aws.amazon.com/), [UntagResource](https://docs.aws.amazon.com/), and [ListTagsForResource](https://docs.aws.amazon.com/). For more information, see:

**Topics**
+ [

# Creating vector indexes with tags
](creating-vector-indexes-with-tags.md)
+ [

# Adding a tag to a vector index
](adding-tag-vector-index.md)
+ [

# Viewing vector index tags
](viewing-vector-index-tags.md)
+ [

# Deleting a tag from a vector index
](deleting-tag-vector-index.md)

# Creating vector indexes with tags


You can tag Amazon S3 vector indexes when you create them. There is no additional charge for using tags on vector indexes beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://docs.aws.amazon.com/s3/pricing/). For more information about tagging vector indexes, see [Using tags with S3 vector indexes](vector-index-tagging.md).

## Permissions


To create a vector index with tags, you must have the following permissions:
+ `s3vectors:CreateIndex`
+ `s3vectors:TagResource`

## Troubleshooting errors


If you encounter an error when attempting to create a vector index with tags, you can do the following:
+ Verify that you have the required [Permissions](#index-tags-permissions) to create the vector index and add a tag to it.
+ Check your IAM user policy for any attribute-based access control (ABAC) conditions. You may be required to label your vector indexes only with specific tag keys and values. For more information, see [Using tags for attribute-based access control (ABAC)](tagging.md#using-tags-for-abac).

## Steps


You can create a vector index with tags applied by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

### Using the S3 console


**To create a vector index with tags using the Amazon S3 console**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **vector indexes**.

1. Choose **create vector index** to create a new vector index.

1. Create a vector index as you normally would; see [Creating a vector index in a vector bucket](s3-vectors-create-index.md).

1. On the **Create vector index** page, **Tags** is an option when creating a new vector index.

1. Enter a name for the vector index.

1. Choose **Add new Tag** to open the Tags editor and enter a tag key-value pair. The tag key is required, but the value is optional.

1. To add another tag, select **Add new Tag** again. You can enter up to 50 tag key-value pairs.

1. After you complete specifying the options for your new vector index, choose **Create vector index**.

### Using the REST API


For information about the Amazon S3 REST API support for creating a vector index with tags, see the following section in the *Amazon S3 Vectors API Reference*:

[CreateIndex](https://docs.aws.amazon.com/AmazonS3/latest/API/API_S3VectorBuckets_CreateIndex.html)

### Using the AWS CLI


To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to create a vector index with tags by using the AWS CLI. To use the command replace the *user input placeholders* with your own information.

When you create a vector index you must provide configuration details and use the following naming convention: `example-vector-index`

```
aws s3vectors create-index --vector-bucket-name acc-bucket --data-type "float32" \
 --index-name accounts-index --dimension 1024 --distance-metric euclidean \
 --tags Department=Accounting,Stage=Prod
```

# Adding a tag to a vector index


You can add tags to Amazon S3 vector indexes and modify these tags. There is no additional charge for using tags on vector indexes beyond the standard S3 API request rates. For more information, see [Amazon S3 pricing](https://docs.aws.amazon.com/s3/pricing/). For more information about tagging vector indexes, see [Using tags with S3 vector indexes](vector-index-tagging.md).

## Permissions


To add a tag to a vector index, you must have the following permission:
+ `s3vectors:TagResource`

## Troubleshooting errors


If you encounter an error when attempting to add a tag to a vector index, you can do the following:
+ Verify that you have the required [Permissions](#add-index-tag-permissions) to add a tag to a vector index.
+ If you attempted to add a tag key that starts with the AWS reserved prefix `aws:`, change the tag key and try again.

## Steps


You can add tags to vector indexes by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWSSDKs.

### Using the S3 console


**To add tags to a vector index using the Amazon S3 console**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **vector indexes**.

1. Choose the vector index name.

1. Choose the **Properties** tab.

1. Scroll to the **Tags** section and choose **Add new Tag**.

1. This opens the **Add Tags** page. You can enter up to 50 tag key value pairs.

1. If you add a new tag with the same key name as an existing tag, the value of the new tag overrides the value of the existing tag.

1. You can also edit the values of existing tags on this page.

1. After you have added the tag(s), choose **Save changes**.

### Using the REST API


For information about the Amazon S3 REST API support for adding tags to a vector index, see the following section in the *Amazon S3 Vectors API Reference*:

[TagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_S3VectorBuckets_TagResource.html)

### Using the AWS CLI


To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to add tags to a vector index by using the AWS CLI. To use the command replace the *user input placeholders* with your own information.

```
aws s3vectors tag-resource \
--resource-arn arn:aws:s3vectors:us-east-1:012345678900:bucket/acc-bucket/index/accounts-index \
--tags Stage=Prod,CostCenter=Marketing
```

# Viewing vector index tags


You can view or list tags applied to Amazon S3 vector indexes. For more information about tagging vector indexes, see [Using tags with S3 vector indexes](vector-index-tagging.md).

## Permissions


To view tags applied to a vector index, you must have the following permission:
+ `s3vectors:ListTagsForResource`

## Troubleshooting errors


If you encounter an error when attempting to list or view the tags of a vector index, you can do the following:
+ Verify that you have the required [Permissions](#view-index-tag-permissions) to view or list the tags of the vector index.

## Steps


You can view tags applied to vector indexes by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

### Using the S3 console


**To view tags applied to a vector index using the Amazon S3 console**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **vector indexes**.

1. Choose the vector index name.

1. Choose the **Properties** tab.

1. Scroll to the **Tags** section to view all of the tags applied to the vector index.

1. The **Tags** section shows the User-defined tags by default. You can select the AWS-generated tags tab to view tags applied to your vector index by AWS services.

### Using the REST API


For information about the Amazon S3 REST API support for viewing the tags applied to a vector index, see the following section in the Amazon Simple Vectors API Reference:

[ListTagsforResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_S3VectorBuckets_ListTagsForResource.html)

### Using the AWS CLI


To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to view tags applied to a vector index. To use the command replace the *user input placeholders* with your own information.

```
aws s3vectors list-tags-for-resource \ 
  --resource-arn arn:aws:s3vectors:us-east-1:012345678900:bucket/acc-bucket/index/accounts-index
```

# Deleting a tag from a vector index


You can remove tags from S3 vector indexes. An AWS tag is a key-value pair that holds metadata about resources, in this case Amazon S3 vector indexes. For more information about tagging vector indexes, see [Using tags with S3 vector indexes](vector-index-tagging.md).

**Note**  
If you delete a tag and later learn that it was being used to track costs or for access control, you can add the tag back to the vector index.

## Permissions


To delete a tag from a vector index, you must have the following permission:
+ `s3vectors:UntagResource`

## Troubleshooting errors


If you encounter an error when attempting to delete a tag from a vector index, you can do the following:
+ Verify that you have the required [Permissions](#delete-index-tag-permissions) to delete a tag from a vector index.

## Steps


You can delete tags from vector indexes by using the Amazon S3 console, the AWS Command Line Interface (AWS CLI), the Amazon S3 REST API, and AWS SDKs.

### Using the S3 console


**To delete tags from a vector index using the Amazon S3 console**

1. Sign in to the AWS Management Console and open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **vector indexes**.

1. Choose the vector index name.

1. Choose the **Properties** tab.

1. Scroll to the **Tags** section and select the checkbox next to the tag or tags that you would like to delete.

1. Choose **Delete**.

1. The **Delete user-defined tags** pop-up appears and asks you to confirm the deletion of the tag or tags you selected.

1. Choose **Delete** to confirm.

### Using the REST API


For information about the Amazon S3 REST API support for deleting tags from a vector index, see the following section in the *Amazon S3 Vectors API Reference*:

[UntagResource](https://docs.aws.amazon.com/AmazonS3/latest/API/API_S3VectorBuckets_UntagResource.html)

### Using the AWS CLI


To install the AWS CLI, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the *AWS Command Line Interface User Guide*.

The following CLI example shows you how to delete tags from a vector index by using the AWS CLI. To use the command replace the *user input placeholders* with your own information.

```
aws s3vectors untag-resource \
--resource-arn arn:aws:s3vectors:us-east-1:012345678900:bucket/acc-bucket/index/accounts-index \
--tag-keys CostCenter Department
```