Merged
4 changes: 3 additions & 1 deletion config/iam/recommended-inline-policy.json
Expand Up @@ -20,7 +20,9 @@
"tag:GetResources",
"firehose:TagDeliveryStream",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy"
"s3:PutBucketPolicy",
"tag:TagResources",
"tag:UntagResources"
],
"Resource": "*"
},
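Review bot: The two new actions, `tag:TagResources` and `tag:UntagResources`, are appended to a statement whose `"Resource": "*"` covers them as well, so the tagging grant is not limited to the VPC Lattice resources the controller creates. If `*` is required for these actions, say so in the guide; otherwise consider moving them into their own statement so the tagging grant can be reviewed and narrowed separately from the rest of the action list.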
37 changes: 30 additions & 7 deletions docs/guides/additional-tags.md
Expand Up @@ -4,13 +4,6 @@ The AWS Gateway API Controller automatically applies some tags to resources it c

The `application-networking.k8s.aws/tags` annotation specifies additional tags that will be applied to AWS resources created.

## Supported Resources

- **HTTPRoute** - Tags applied to VPC Lattice Services, Listeners, Rules, Target Groups, and Service Network Service Associations
- **ServiceExport** - Tags applied to VPC Lattice Target Groups
- **AccessLogPolicy** - Tags applied to VPC Lattice Access Log Subscriptions
- **VpcAssociationPolicy** - Tags applied to VPC Lattice Service Network VPC Associations

## Usage

Add comma separated key=value pairs to the annotation:
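Review bot: `## Supported Resources` is removed from above `## Usage` and reappears at the end of the guide, after the IAM section, so readers now reach the annotation syntax before learning which kinds honour it. Consider keeping the list ahead of `## Usage`, or adding a one-line pointer to it in the introduction.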
Expand All @@ -36,3 +29,33 @@ metadata:
spec:
# ... rest of spec
```

## Required IAM Permissions

For the additional tags functionality to work properly, the IAM role linked to the controller's service account must also include these permissions:

```json
{
"Effect": "Allow",
"Action": [
"tag:TagResources",
"tag:UntagResources"
],
"Resource": "*"
}
```

### How to Ensure You Have These Permissions

The `config/iam/recommended-inline-policy.json` file contains all the required permissions including these tagging permissions.

- **If you are setting up for the first time**: The recommended inline policy already includes all the required permissions.
- **If you used the setup steps in the [deploy guide](https://www.gateway-api-controller.eks.aws.dev/latest/guides/deploy/#setup)**: You need to update the existing `VPCLatticeControllerIAMPolicy` to include the updated permissions.


## Supported Resources

- **HTTPRoute** - Tags applied to VPC Lattice Services, Listeners, Rules, Target Groups, and Service Network Service Associations
- **ServiceExport** - Tags applied to VPC Lattice Target Groups
- **AccessLogPolicy** - Tags applied to VPC Lattice Access Log Subscriptions
- **VpcAssociationPolicy** - Tags applied to VPC Lattice Service Network VPC Associations
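Review bot: The second bullet under "How to Ensure You Have These Permissions" tells users who followed the deploy guide that they need to update `VPCLatticeControllerIAMPolicy`, but it gives no steps and does not say what happens if the update is skipped. Suggest adding the update procedure (or a link to it) and one sentence on the symptom when `tag:TagResources` and `tag:UntagResources` are missing, so operators upgrading an existing install can recognise the failure. The JSON block is a single statement rather than a complete policy document; a short note that it belongs inside the policy's `Statement` array would prevent copy-paste errors. There is also a doubled blank line before `## Supported Resources`.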
1 change: 1 addition & 0 deletions mkdocs.yml
Expand Up @@ -24,6 +24,7 @@ nav:
- TLS Passthrough: guides/tls-passthrough.md
- Pod Readiness Gates: guides/pod-readiness-gates.md
- Configuration: guides/environment.md
- Additional Tags: guides/additional-tags.md
- API Specification: api-reference.md
- API Reference:
- AccessLogPolicy: api-types/access-log-policy.md