This repository has been archived by the owner on Nov 5, 2024. It is now read-only.

Resource Group Tagging API unable to retrieve tags of resources from Global region (IAM Users, Roles) #581

Closed
jonlao-khoros opened this issue Aug 10, 2023 · 8 comments
Labels
bug Something isn't working resourcegroupstaggingapi

@jonlao-khoros

Describe the bug

Get-Resource operation from Resource Group Tagging API returns empty result when the provided resource is in Global region. However, applying tags works for the same resource.

The following will return an empty result even if the provided resource has tags associated.

aws resourcegroupstaggingapi get-resources --resource-arn-list {ARN}

Where {ARN} is any global resource, such as IAM User or IAM Role. E.g. arn:aws:iam::1234567890:user/some_user, arn:aws:iam::1234567890:role/some-role

For the same ARN (resource), applying tags works:

aws resourcegroupstaggingapi tag-resources --resource-arn-list {ARN}

Where {ARN} is the same as above (IAM Role, IAM User).

Note: This behavior also exhibits in AWS SDK (Java).

Expected Behavior

Tags of the provided resource (by ARN) should be returned.

e.g.

{
    "ResourceTagMappingList": [
        {
            "ResourceARN": "arn:aws:iam::1234567890:role/some-role",
            "Tags": [
                {
                    "Key": "Tag1",
                    "Value": "foo"
                },
                {
                    "Key": "Tag2",
                    "Value": "bar"
                }
            ]
        }
    ]
}

Current Behavior

An empty tag list is returned for a resource that does have tags:

{
    "ResourceTagMappingList": []
}

Reproduction Steps

Execute the following command with an ARN that is under Global region:

aws resourcegroupstaggingapi get-resources --resource-arn-list $ARN

Possible Solution

Fix backend of tagging.{region}.amazonaws.com so that for ARN of global resources, it will route to the correct logic similar to aws resourcegroupstaggingapi tag-resources command

Additional Information/Context

No response

CLI version used

aws-cli/2.13.8 Python/3.11.4 Darwin/22.6.0 exe/x86_64 prompt/off

Environment details (OS name and version, etc.)

MacOS 13.5

@jonlao-khoros jonlao-khoros added bug Something isn't working needs-triage labels Aug 10, 2023
@jonlao-khoros jonlao-khoros changed the title (short issue description) Resource Group Tagging API unable to retrieve tags of resources from Global region (IAM Users, Roles) Aug 10, 2023
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this Aug 11, 2023
@RyanFitzSimmonsAK

RyanFitzSimmonsAK commented Aug 11, 2023

Hi @jonlao-khoros, I was able to reproduce this behavior. You mentioned that this also happens with the Java SDK; that means that this is a service API issue. I'm going to move this issue to our cross-SDK repository, and reach out to the service team about it. Thanks for raising this issue. I'll reply here with any updates in the future.

@RyanFitzSimmonsAK

Ticket # for internal reference : P96705759

@tim-finnigan tim-finnigan transferred this issue from aws/aws-cli Aug 11, 2023
@RyanFitzSimmonsAK

RyanFitzSimmonsAK commented Aug 30, 2023

Hi @jonlao-khoros, thanks for your patience. The service team got back to me and explained that this is intended, due to the way that tags in IAM behave.

https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/supported-services.html

From that documentation,

AWS Identity and Access Management (IAM) – at this time, you can tag only the following IAM resources using the Resource Groups Tagging API:

instance-profile

mfa

oidc-provider

policy

role

saml-provider

server-certificate

user

This line of the documentation means that only those resources can be tagged, and that those resources can only be tagged (cannot be gotten by GetResource). Hope that helps, and please let me know if you have any follow-up questions.
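
Added example, not part of the thread and not AWS's own code: since `get-resources` returns an empty list for the IAM resource types listed above, this shell function prints the IAM `list-*-tags` call to use for a given ARN and falls back to `get-resources` for other services. The function name `tag_lookup_cmd` is made up here, and for `mfa` it assumes the serial number is the device ARN, as it is for virtual MFA devices.

```shell
# Added example: print the AWS CLI call that returns the tags for an ARN.
# IAM ARNs are routed to IAM's own list-*-tags calls, because get-resources
# returns an empty ResourceTagMappingList for them.
tag_lookup_cmd() {
    arn=$1
    case $arn in
        arn:*:*:*:*:?*) ;;
        *) echo "not an ARN: $arn" >&2; return 2 ;;
    esac
    # Refuse characters that IAM names and ARNs never contain, so the
    # printed command is safe to paste into a shell.
    case $arn in
        *[!A-Za-z0-9+=,.@_/:-]*) echo "unexpected character in ARN" >&2; return 2 ;;
    esac

    rest=${arn#arn:*:}             # service:region:account:resource
    service=${rest%%:*}
    resource=${arn#arn:*:*:*:*:}   # e.g. role/some-role
    kind=${resource%%/*}
    name=${resource##*/}           # last segment; an IAM path prefix is dropped

    if [ "$service" != iam ]; then
        echo "aws resourcegroupstaggingapi get-resources --resource-arn-list $arn"
        return 0
    fi
    case $kind in
        user)               echo "aws iam list-user-tags --user-name $name" ;;
        role)               echo "aws iam list-role-tags --role-name $name" ;;
        instance-profile)   echo "aws iam list-instance-profile-tags --instance-profile-name $name" ;;
        server-certificate) echo "aws iam list-server-certificate-tags --server-certificate-name $name" ;;
        policy)             echo "aws iam list-policy-tags --policy-arn $arn" ;;
        oidc-provider)      echo "aws iam list-open-id-connect-provider-tags --open-id-connect-provider-arn $arn" ;;
        saml-provider)      echo "aws iam list-saml-provider-tags --saml-provider-arn $arn" ;;
        mfa)                echo "aws iam list-mfa-device-tags --serial-number $arn" ;;
        *) echo "no tag listing call known for IAM type: $kind" >&2; return 1 ;;
    esac
}

# Sample ARN taken from the issue text above.
tag_lookup_cmd "arn:aws:iam::1234567890:role/some-role"
```

Tag-based inventory or access reviews that rely only on `get-resources` will silently miss IAM principals, so route IAM ARNs through a check like this before treating an empty result as "untagged".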

@jonlao-khoros

Thanks for the follow up!
Would be appreciated if the documentation can be a little more clear on GetResource not being supported.

@RyanFitzSimmonsAK

I'll forward that feedback to the Resource Group Tagging API documentation writers, and let you know in this issue if that clarification is made to the docs.

@RyanFitzSimmonsAK

"IAM users and roles can only be used in TagResource and UntagResources operations." was added to the note at the top of this page.

@github-actions

This issue is now closed.

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@thpham

thpham commented Jul 17, 2024

> "IAM users and roles can only be used in TagResource and UntagResources operations." was added to the note at the top of this page.

Thank you, do you know where to up-vote for the feature?
