This guide walks you through creating credentials for both Azure and AWS with the minimal permissions needed to manage resource tags using TagFixer. Following these steps ensures you follow the principle of least privilege.
Azure App Registration Setup
Prerequisites
- Access to the Azure Portal with permissions to create App Registrations and assign roles at the subscription level.
- An active Azure subscription where you want to manage tags.
Step 1: Create the App Registration
- Navigate to Azure Active Directory in the Azure Portal.
- Create a New Registration:
  - Go to App registrations and click + New registration.
  - Name: Give it a name like TagFixer-Application.
  - Supported account types: Select "Accounts in this organizational directory only".
  - Leave Redirect URI blank and click Register.
- Copy Credentials: From the app's overview page, copy and save the Application (client) ID and the Directory (tenant) ID.
Step 2: Create Client Secret
- Generate Secret: In your app registration, go to Certificates & secrets and click + New client secret.
- Copy Secret Value: ⚠️ IMPORTANT: After adding the secret, immediately copy the Value and store it securely. It will not be shown again.
Step 3: Assign Subscription Permissions
- Navigate to your Subscription in the Azure Portal and go to Access control (IAM).
- Add Role Assignment: Click + Add → Add role assignment.
- Select Role: On the Role tab, search for and select the "Tag Contributor" role. This role provides the minimum permissions required to read and write tags without being able to modify the resources themselves.
- Select Members: On the Members tab, find and select the App Registration you created (e.g., TagFixer-Application).
- Review and Assign: Review the details and confirm the assignment.
Azure Summary
You now have the three required credentials to use TagFixer with Azure:
- ✅ Client ID (Application ID)
- ✅ Client Secret (Secret Value)
- ✅ Tenant ID (Directory ID)
AWS IAM User Setup
Prerequisites
- Access to the AWS Console with permissions to create IAM users and policies.
- An active AWS account where you want to manage tags.
Step 1: Create IAM Policy
- Navigate to IAM in the AWS Console.
- Create Policy:
  - Go to Policies and click Create policy.
  - Click on the JSON tab and paste the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TagAPIAlternatives",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources",
        "tag:TagResources",
        "tag:UntagResources",
        "tag:GetTagKeys",
        "tag:GetTagValues"
      ],
      "Resource": "*"
    },
    {
      "Sid": "BasicResourceDiscovery",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeImages",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVolumes",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeRouteTables",
        "ec2:DescribeNatGateways",
        "ec2:DescribeRegions",
        "s3:ListAllMyBuckets",
        "s3:GetBucketTagging",
        "lambda:ListFunctions",
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "elasticloadbalancing:DescribeLoadBalancers",
        "cloudformation:DescribeStacks",
        "cloudformation:ListStacks",
        "dynamodb:ListTables",
        "dynamodb:DescribeTable",
        "sns:ListTopics",
        "sqs:ListQueues",
        "cloudwatch:DescribeAlarms",
        "kinesis:ListStreams",
        "ecr:DescribeRepositories"
      ],
      "Resource": "*"
    },
    {
      "Sid": "TaggingOperations",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "s3:PutBucketTagging",
        "lambda:TagResource",
        "lambda:UntagResource",
        "rds:AddTagsToResource",
        "rds:RemoveTagsFromResource",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:RemoveTags",
        "cloudformation:TagResource",
        "cloudformation:UntagResource",
        "dynamodb:TagResource",
        "dynamodb:UntagResource",
        "sns:TagResource",
        "sns:UntagResource",
        "sqs:TagQueue",
        "sqs:UntagQueue",
        "cloudwatch:TagResource",
        "cloudwatch:UntagResource",
        "kinesis:AddTagsToStream",
        "kinesis:RemoveTagsFromStream",
        "ecr:TagResource",
        "ecr:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMReadOnlyForTagging",
      "Effect": "Allow",
      "Action": [
        "iam:ListPolicies",
        "iam:ListRoles",
        "iam:ListUsers",
        "iam:GetPolicy",
        "iam:GetRole",
        "iam:GetUser",
        "iam:ListPolicyTags",
        "iam:ListRoleTags",
        "iam:ListUserTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMTaggingOperations",
      "Effect": "Allow",
      "Action": [
        "iam:TagPolicy",
        "iam:UntagPolicy",
        "iam:TagRole",
        "iam:UntagRole",
        "iam:TagUser",
        "iam:UntagUser"
      ],
      "Resource": "*"
    },
    {
      "Sid": "STSAccess",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}
```

  - Name the Policy: Give it a name like TagFixerPolicy and click Create policy.
Alternative: AWS Managed Policy
If you prefer not to create a custom policy, you can use the AWS managed policy ResourceGroupsandTagEditorFullAccess instead. However, that policy grants considerably broader access than TagFixer requires.
⚠️ Security Note: For production environments, we recommend using the custom policy above that follows the principle of least privilege.
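The custom policy above stays within two kinds of actions: metadata reads (Describe*/List*/Get*) and tag writes. As an added example, not TagFixer's own code, the following linter checks a policy document against exactly that scope, so a later edit that slips in a wildcard or a non-tagging write is caught before the policy is attached. The policies embedded below are constructed: one is a subset of the guide's TagFixerPolicy, the other a deliberately drifted version.

```python
"""Lint an IAM policy for tag-management least privilege (added example,
not TagFixer's own code). Only read/discovery verbs and tag verbs are
accepted; wildcards, NotAction and other write actions are reported."""
import re

READ_RE = re.compile(r"^(Describe|List|Get)")  # metadata reads, incl. sts:GetCallerIdentity
TAG_RE = re.compile(r"^(Tag|Untag|CreateTags|DeleteTags|AddTags|RemoveTags|PutBucketTagging)")


def lint_policy(policy: dict) -> list:
    """Return findings for Allow statements; an empty list means the policy is in scope."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            name = action.partition(":")[2]  # "ec2:CreateTags" -> "CreateTags"
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif not (READ_RE.match(name) or TAG_RE.match(name)):
                findings.append(f"{sid}: {action} is neither a read nor a tagging action")
    return findings


# Constructed subset of the guide's TagFixerPolicy, same statement shapes.
TAGFIXER_SUBSET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TagAPIAlternatives", "Effect": "Allow", "Resource": "*",
         "Action": ["tag:GetResources", "tag:TagResources", "tag:UntagResources"]},
        {"Sid": "TaggingOperations", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:CreateTags", "s3:PutBucketTagging", "rds:AddTagsToResource",
                    "sqs:UntagQueue", "kinesis:RemoveTagsFromStream", "iam:TagRole"]},
        {"Sid": "STSAccess", "Effect": "Allow", "Resource": "*",
         "Action": "sts:GetCallerIdentity"},
    ],
}

# Constructed drifted policy: two edits a reviewer should catch.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:*", "ec2:TerminateInstances", "ec2:DescribeInstances"]}],
}
```

Run `lint_policy` over the policy document you are about to paste into the console; an empty result means every granted action is a read or a tag operation.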
Step 2: Create IAM User
- Create User: In IAM, go to Users and click Create user.
- User Details:
  - Username: Give it a name like tagfixer-user.
  - Do not check "Provide user access to AWS Management Console", as this user is for programmatic access only.
- Attach Policy: On the permissions page, select "Attach policies directly" and search for one of the following:
  - TagFixerPolicy (if you created the custom policy above) - Recommended
  - ResourceGroupsandTagEditorFullAccess (AWS managed policy) - More permissive
- Review and Create: Review the details and create the user.
Step 3: Create Access Keys
- Generate Keys: Click on the newly created user, go to the Security credentials tab, and click Create access key.
- Select Use Case: Choose "Application running outside AWS".
- Copy Credentials: ⚠️ IMPORTANT: Copy both the Access key ID and Secret access key and store them securely. The secret key will not be shown again.
AWS Summary
You now have the credentials needed to use TagFixer with AWS:
- ✅ Access Key ID
- ✅ Secret Access Key