This guide walks you through creating credentials for Azure, AWS, and Google Cloud with the minimal permissions needed to manage resource tags using TagFixer. Following these steps ensures you follow the principle of least privilege.
Need help? If you encounter any issues during setup, please contact our support team at support@tagfixer.com
Azure App Registration Setup
Prerequisites
Access to the Azure Portal with permissions to create App Registrations and assign roles at the subscription level.
An active Azure subscription where you want to manage tags.
Step 1: Create the App Registration
Navigate to Microsoft Entra ID (formerly Azure Active Directory) in the Azure Portal.
Create a New Registration:
Go to App registrations and click + New registration.
Name: Give it a name like TagFixer-Application.
Supported account types: Select "Accounts in this organizational directory only".
Leave Redirect URI blank and click Register.
Copy Credentials: From the app's overview page, copy and save the Application (client) ID and the Directory (tenant) ID.
Step 2: Create Client Secret
Generate Secret: In your app registration, go to Certificates & secrets and click + New client secret. Choose the shortest expiry your rotation process can meet; the secret stops working when it expires, so schedule rotation before that date.
Copy Secret Value: ⚠️ IMPORTANT: After adding the secret, immediately copy the Value and store it securely. It will not be shown again.
Step 3: Assign Subscription Permissions
Navigate to your Subscription in the Azure Portal and go to Access control (IAM).
Add Role Assignment: Click + Add → Add role assignment.
Select Role: On the Role tab, search for and select the built-in "Tag Contributor" role. It lets the app read resources and create, update, and delete tags on them, but not create, modify, or delete the resources themselves. If TagFixer only needs to manage a subset of resources, assign the role on that resource group instead of the whole subscription.
Select Members: On the Members tab, choose "User, group, or service principal", then search for and select the App Registration you created (e.g., TagFixer-Application).
Review and Assign: Review the details and confirm the assignment.
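The same three steps from the Azure CLI, plus a check that the result really is least privilege. This is an added example, not TagFixer's own tooling; it assumes `az` is installed, that you are signed in with rights to create app registrations and subscription-level role assignments, and that the environment variables it reads (AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, TAGFIXER_APPLY) are this example's own names.

```shell
#!/bin/sh
# Added example (not TagFixer's code): Azure CLI equivalent of Steps 1-3,
# with a verification run as the new service principal.
# Assumes: `az` installed, signed in as someone who can create app
# registrations and assign roles on the subscription.
set -eu

# Client ID and Tenant ID are GUIDs. Anything else means the wrong field
# (or a truncated copy) was pasted, so fail early.
require_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# One command creates the app registration, its service principal, a client
# secret valid for one year, and the Tag Contributor assignment at the scope.
# Output fields: appId (Client ID), password (Client Secret), tenant (Tenant ID).
azure_setup() {
  subscription_id="$1"
  # Narrow this to /subscriptions/<id>/resourceGroups/<rg> if only one
  # resource group needs tag management.
  scope="/subscriptions/${subscription_id}"
  az ad sp create-for-rbac \
    --name TagFixer-Application \
    --role "Tag Contributor" \
    --scopes "$scope" \
    --years 1
}

# Sign in as the service principal and confirm that tags are readable while
# resource writes are refused.
azure_verify() {
  client_id="$1"; client_secret="$2"; tenant_id="$3"; subscription_id="$4"
  require_guid "$client_id" || { echo "Client ID is not a GUID" >&2; return 1; }
  require_guid "$tenant_id" || { echo "Tenant ID is not a GUID" >&2; return 1; }

  az login --service-principal -u "$client_id" -p "$client_secret" \
    --tenant "$tenant_id" >/dev/null

  # Expected to succeed: Microsoft.Resources/tags/read is part of Tag Contributor.
  az tag list --subscription "$subscription_id" --output table

  # Expected to fail with AuthorizationFailed: creating a resource group is a
  # resource write. If it succeeds, the role assignment is wrong; clean up.
  if az group create --name tagfixer-probe --location westeurope \
       --subscription "$subscription_id" >/dev/null 2>&1; then
    az group delete --name tagfixer-probe --subscription "$subscription_id" --yes --no-wait
    echo "UNEXPECTED: service principal can create resources; check the role assignment" >&2
    return 1
  fi
  echo "OK: tags readable, resource writes denied"
}

# Nothing runs unless explicitly requested, so the file can be sourced safely.
case "${TAGFIXER_APPLY:-}" in
  setup)  azure_setup "$AZURE_SUBSCRIPTION_ID" ;;
  verify) azure_verify "$AZURE_CLIENT_ID" "$AZURE_CLIENT_SECRET" \
                       "$AZURE_TENANT_ID" "$AZURE_SUBSCRIPTION_ID" ;;
esac
```

Run `AZURE_SUBSCRIPTION_ID=<id> TAGFIXER_APPLY=setup sh azure-tagfixer.sh` to create everything, then export the three values it printed and run with `TAGFIXER_APPLY=verify`. Passing the secret on the `az login` command line puts it in shell history; on a shared machine prefer `az login --service-principal` with `-p @file` pointing at a protected file.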
Azure Summary
You now have the three required credentials to use TagFixer with Azure:
✅ Client ID (Application ID)
✅ Client Secret (Secret Value)
✅ Tenant ID (Directory ID)
AWS IAM User Setup
Prerequisites
Access to the AWS Console with permissions to create IAM users and policies.
An active AWS account where you want to manage tags.
Step 1: Create Custom IAM Policy
Name the Policy: Give it a name like TagFixerPolicy and click Create policy.
Alternative: AWS Managed Policy
If you prefer not to create a custom policy, you can use the AWS managed policy ResourceGroupsandTagEditorFullAccess instead. It grants full tag and resource-group management rather than only the actions TagFixer uses, so it is more permissive than necessary.
⚠️ Security Note: For production environments, we recommend using the custom policy above that follows the principle of least privilege.
Step 2: Create IAM User
Create User: In IAM, go to Users and click Create user.
User Details:
Username: Give it a name like tagfixer-user.
Do not check "Provide user access to AWS Management Console" as this is for programmatic access only.
Attach Policy: On the permissions page, select "Attach policies directly" and search for either:
TagFixerPolicy (if you created the custom policy above) - Recommended
ResourceGroupsandTagEditorFullAccess (AWS managed policy) - More permissive
Review and Create: Review the details and create the user.
Step 3: Create Access Keys
Generate Keys: Click on the newly created user, go to the Security credentials tab, and click Create access key.
Select Use Case: Choose "Application running outside AWS".
Copy Credentials: ⚠️ IMPORTANT: Copy both the Access key ID and Secret access key and store them securely. The secret key will not be shown again. Keep them in a secrets manager rather than in source control or shell history, and rotate them on a schedule.
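The AWS steps from the CLI, with a guard that refuses to create a policy containing actions outside an allow-list and a post-setup check using the IAM policy simulator. This is an added example, not TagFixer's published policy or tooling. The page does not reproduce TagFixer's custom policy, so the policy document below is this example's own guess at a minimum (the Resource Groups Tagging API actions plus the EC2 tag actions that API delegates to); extend it with the per-service tag actions you need, never with service-wide wildcards. The user name tagfixer-user and policy name TagFixerPolicy come from the guide; `aws` is assumed installed and configured with IAM administration rights.

```shell
#!/bin/sh
# Added example (not TagFixer's policy or code): AWS CLI equivalent of the
# console steps, with a least-privilege lint and an IAM simulator check.
set -eu

# Assumed starting-point policy (the guide omits TagFixer's own). The Tagging
# API checks the target service's own tag permission too, hence ec2:CreateTags
# and ec2:DeleteTags; add e.g. s3:PutBucketTagging for other services.
TAGFIXER_POLICY=$(cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TagFixerTagging",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources",
        "tag:GetTagKeys",
        "tag:GetTagValues",
        "tag:TagResources",
        "tag:UntagResources",
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*"
    }
  ]
}
EOF
)

# Constructed counter-example of the kind of grant this script refuses.
PERMISSIVE_POLICY='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["tag:*","ec2:*"],"Resource":"*"}]}'

# Actions the tagging user may hold, as an extended regex.
ALLOWED_ACTIONS='^(tag:(GetResources|GetTagKeys|GetTagValues|TagResources|UntagResources)|ec2:(CreateTags|DeleteTags))$'

# Print every service:action string in a policy document that is not on the
# allow-list (wildcards included). Empty output means the policy is in bounds.
# Plain grep is enough for documents of this shape; it is not a JSON parser.
risky_actions() {
  printf '%s\n' "$1" \
    | grep -oE '"[A-Za-z0-9-]+:[A-Za-z0-9*]+"' \
    | tr -d '"' \
    | grep -Ev "$ALLOWED_ACTIONS" || true
}

aws_setup() {
  findings=$(risky_actions "$TAGFIXER_POLICY")
  if [ -n "$findings" ]; then
    echo "refusing to create a policy with over-broad actions: $findings" >&2
    return 1
  fi
  policy_arn=$(aws iam create-policy --policy-name TagFixerPolicy \
      --policy-document "$TAGFIXER_POLICY" --query Policy.Arn --output text)
  aws iam create-user --user-name tagfixer-user >/dev/null
  aws iam attach-user-policy --user-name tagfixer-user --policy-arn "$policy_arn"
  # Printed once: AccessKeyId and SecretAccessKey. Move them straight into a
  # secrets store.
  aws iam create-access-key --user-name tagfixer-user \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Evaluate effective permissions without calling the services themselves:
# the tag actions should come back "allowed", ec2:TerminateInstances
# "implicitDeny".
aws_verify() {
  user_arn=$(aws iam get-user --user-name tagfixer-user --query User.Arn --output text)
  aws iam simulate-principal-policy --policy-source-arn "$user_arn" \
      --action-names tag:GetResources tag:TagResources ec2:TerminateInstances \
      --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text
}

# Nothing runs unless explicitly requested.
case "${TAGFIXER_APPLY:-}" in
  setup)  aws_setup ;;
  verify) aws_verify ;;
esac
```

Run with `TAGFIXER_APPLY=setup sh aws-tagfixer.sh`, then `TAGFIXER_APPLY=verify sh aws-tagfixer.sh`. The simulator check is the one worth keeping around: rerun it after any policy change, and add the destructive actions of every service you later grant tag permissions on.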
AWS Summary
You now have the credentials needed to use TagFixer with AWS:
✅ Access Key ID
✅ Secret Access Key
Google Cloud Setup
Takes about 2 minutes. You need a GCP project and Owner access to it (Editor is not enough: it cannot grant project-level IAM bindings, which the script needs in order to attach the custom role to the service account).
Step 1 — Open Cloud Shell and run this script
Open Cloud Shell in the GCP Console by clicking the >_ icon in the top-right toolbar, then paste and run this script.
Step 2 — Copy the output into TagFixer
Copy the Project ID printed after === YOUR PROJECT ID ===
Copy everything between === PASTE THIS INTO TAGFIXER === and === DONE === (the full JSON block)
In TagFixer: select Google Cloud Platform, paste the Project ID, paste the JSON, click Save
Security note: The service account uses a minimal custom role. For Compute resources it uses dedicated setLabels permissions. For other services (Storage, BigQuery, Redis, Pub/Sub, Spanner, Artifact Registry) GCP requires the update permission to set labels; that permission covers the resource's configuration (for example bucket settings) rather than the data stored in it. Services where GCP's update permission grants broader write access than just labels (Cloud Functions, GKE, Cloud Run, Cloud SQL, KMS, Dataproc, Composer) are intentionally excluded from the default script. The script is safe to re-run; each step is idempotent.
Extended permissions (optional): The script can additionally grant the update permission on Cloud Functions, GKE clusters, Cloud Run services, Cloud SQL instances, KMS crypto keys, Dataproc clusters, and Composer environments. GCP has no label-only write permission for these services, so update grants write access well beyond labels (for example reconfiguring the resource). Enable this only if you understand and accept that risk.
Manual setup (Console UI)
Only needed if you can't use Cloud Shell.
Enable these three APIs in API Library: Cloud Asset API, Compute Engine API, Cloud Storage JSON API
Go to IAM → Roles → Create role. Title: TagFixer Label Manager, ID: tagFixerLabelManager. Add these permissions:
cloudasset.assets.searchAllResources
compute.instances.list
compute.instances.get
compute.instances.setLabels
storage.buckets.list
storage.buckets.get
storage.buckets.update
resourcemanager.projects.get
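The manual setup as a gcloud script, with a guard that refuses the broad update permissions unless you opt in. This is an added example, not TagFixer's Cloud Shell script (which this page does not reproduce). The role title, role ID and default permission list are the ones in the manual setup; the service account name tagfixer, the key file name tagfixer-key.json, the API service identifiers and the environment variable names are this example's own assumptions. It assumes gcloud is authenticated as a project Owner.

```shell
#!/bin/sh
# Added example (not TagFixer's script): gcloud equivalent of the manual
# setup, plus a check for permissions that grant more than label writes.
# Assumes: gcloud authenticated as Owner of the target project.
set -eu

# Default label-only permission set from the manual setup.
DEFAULT_PERMISSIONS="cloudasset.assets.searchAllResources,compute.instances.list,compute.instances.get,compute.instances.setLabels,storage.buckets.list,storage.buckets.get,storage.buckets.update,resourcemanager.projects.get"

# Services for which GCP has no label-only permission, so *.update grants
# broad write access. The guide excludes them from the default script.
BROAD_UPDATE_SERVICES='cloudfunctions|container|run|cloudsql|cloudkms|dataproc|composer'

# Print the entries of a comma-separated permission list that are broad
# update permissions. Empty output means the list stays label-scoped.
broad_update_permissions() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | grep -E "^(${BROAD_UPDATE_SERVICES})\.[A-Za-z]+\.update$" || true
}

gcp_setup() {
  project_id="$1"
  permissions="${2:-$DEFAULT_PERMISSIONS}"
  sa_email="tagfixer@${project_id}.iam.gserviceaccount.com"   # assumed SA name

  broad=$(broad_update_permissions "$permissions")
  if [ -n "$broad" ] && [ "${TAGFIXER_ACCEPT_BROAD_UPDATE:-}" != "yes" ]; then
    echo "refusing: these permissions grant more than label writes:" >&2
    echo "$broad" >&2
    echo "set TAGFIXER_ACCEPT_BROAD_UPDATE=yes to proceed anyway" >&2
    return 1
  fi

  # The three APIs from the manual setup. Service identifiers are assumed;
  # confirm with `gcloud services list --available`.
  gcloud services enable cloudasset.googleapis.com compute.googleapis.com \
      storage-api.googleapis.com --project="$project_id"

  # Custom role with exactly the listed permissions; update it if it exists
  # so the script can be re-run.
  if gcloud iam roles describe tagFixerLabelManager --project="$project_id" >/dev/null 2>&1; then
    gcloud iam roles update tagFixerLabelManager --project="$project_id" \
        --permissions="$permissions"
  else
    gcloud iam roles create tagFixerLabelManager --project="$project_id" \
        --title="TagFixer Label Manager" --permissions="$permissions" --stage=GA
  fi

  gcloud iam service-accounts describe "$sa_email" --project="$project_id" >/dev/null 2>&1 \
    || gcloud iam service-accounts create tagfixer --display-name="TagFixer" \
         --project="$project_id"

  # Bind the custom role only; no Editor/Owner on the service account.
  gcloud projects add-iam-policy-binding "$project_id" \
      --member="serviceAccount:${sa_email}" \
      --role="projects/${project_id}/roles/tagFixerLabelManager" >/dev/null

  # The key file is the JSON block TagFixer asks for. Delete it locally after
  # pasting it in.
  gcloud iam service-accounts keys create tagfixer-key.json --iam-account="$sa_email"
  echo "Project ID: $project_id"
  echo "Key file: tagfixer-key.json"
}

# Nothing runs unless explicitly requested.
if [ "${TAGFIXER_APPLY:-}" = "setup" ]; then
  gcp_setup "$GCP_PROJECT_ID" "${TAGFIXER_PERMISSIONS:-$DEFAULT_PERMISSIONS}"
fi
```

Run with `GCP_PROJECT_ID=<project> TAGFIXER_APPLY=setup sh gcp-tagfixer.sh`. To opt into the extended permissions, append the relevant `<service>.<resource>.update` entries to TAGFIXER_PERMISSIONS and set TAGFIXER_ACCEPT_BROAD_UPDATE=yes; the script will otherwise stop and list exactly which entries exceed label-only access.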