Add tags to AWS resources
This guide demonstrates how to add tags to AWS S3 buckets and ECR repositories using Port self-service actions and GitHub Actions.
This guide includes steps that require integration with GitHub:
- GitHub (Ocean) - uses the Ocean framework. We strongly recommend this integration for new and migrated setups.
- GitHub (Sunset) - uses a GitHub app that is in sunset and will be fully deprecated on September 15, 2026.
Common use cases
- Standardize ownership, environment, and cost allocation tags on AWS resources.
- Let developers update resource tags without direct AWS console access.
- Apply consistent tagging workflows for S3 buckets and ECR repositories from Port.
Prerequisites
-
An AWS access key and secret key pair. See the AWS access keys documentation to create one.
-
The required AWS permissions for the resources you want to tag:
- S3 buckets:
AmazonS3FullAccess. - ECR repositories:
AmazonEC2ContainerRegistryFullAccess.
- S3 buckets:
-
Your AWS account ID. This is required for tagging ECR repositories.
-
A GitHub repository for the workflows used by these Port actions.
-
A GitHub integration:
- GitHub (Ocean)
- GitHub (Sunset)
Install GitHub Ocean.
Install Port's GitHub app.
- The following GitHub Actions secrets in your workflow repository:
AWS_REGION- The AWS region where your S3 buckets or ECR repositories are located.AWS_ACCOUNT_ID- Your AWS account ID. This is required for ECR repositories.AWS_ACCESS_KEY_ID- Your AWS access key ID.AWS_SECRET_ACCESS_KEY- Your AWS secret access key.PORT_CLIENT_ID- Your Port client ID. See the Port API credentials documentation.PORT_CLIENT_SECRET- Your Port client secret. See the Port API credentials documentation.
Set up data model
Create the blueprints for the AWS resource types you want to manage.
You can also ingest AWS resources instead of creating the blueprints manually:
- For S3 buckets, use the AWS exporter to ingest S3 buckets.
- For ECR repositories, use the ECR images and repositories example to create the blueprint and ingest repository entities.
Create the S3 bucket blueprint
-
Go to the Builder page.
-
Click + Blueprint.
-
Click Edit JSON.
-
Copy and paste the following JSON configuration into the editor.
S3 bucket blueprint (Click to expand)
{"identifier": "s3_bucket","description": "","title": "S3 Bucket","icon": "Bucket","schema": {"properties": {"arn": {"type": "string","title": "ARN"},"encryption": {"type": "array","title": "Encryption"},"lifecycleRules": {"type": "array","title": "Lifecycle Rules"},"link": {"type": "string","title": "Link","format": "url"},"publicAccess": {"type": "object","title": "Public Access"},"regionalDomainName": {"type": "string","title": "Regional Domain Name"},"tags": {"type": "array","title": "Tags"},"versioningStatus": {"type": "string","title": "Versioning Status","enum": ["Enabled","Suspended"]}},"required": []},"mirrorProperties": {},"calculationProperties": {},"aggregationProperties": {},"relations": {}} -
Click Save.
Create the ECR repository blueprint
-
Go to the Builder page.
-
Click + Blueprint.
-
Click Edit JSON.
-
Copy and paste the following JSON configuration into the editor.
ECR repository blueprint (Click to expand)
{"identifier": "ecrRepository","description": "This blueprint represents an ECR repository","title": "ECR Repository","icon": "AWS","schema": {"properties": {"registryId": {"type": "string","title": "Registry ID","description": "The ID of the registry"},"arn": {"type": "string","title": "Repository ARN","description": "The ARN of the repository"},"uri": {"type": "string","title": "Repository URI","description": "The URI of the repository"},"createdAt": {"type": "string","title": "Created At","description": "Date and time the repository was created","format": "date-time"},"imageTagMutability": {"type": "string","title": "Image Tag Mutability","description": "The image tag mutability setting for the repository","enum": ["MUTABLE","IMMUTABLE"],"enumColors": {"MUTABLE": "green","IMMUTABLE": "darkGray"}},"configurationScanOnPush": {"type": "boolean","title": "Configuration Scan on Push","description": "Image scanning configuration when pushing images to this repository"},"encryptionType": {"type": "string","title": "Encryption Type","description": "The encryption type of the repository","enum": ["AES256","KMS"],"enumColors": {"AES256": "green","KMS": "blue"}},"kmsKey": {"type": "string","title": "KMS Key","description": "The KMS key used for encryption"}},"required": []},"mirrorProperties": {},"calculationProperties": {},"aggregationProperties": {},"relations": {}} -
Click Save.
Add tags to an S3 bucket
Set up self-service action
Follow the steps below to create a self-service action that triggers the GitHub workflow.
-
Go to the Self-service page of your portal.
-
Click on the + New Action button.
-
Click on the
{...} Edit JSONbutton. -
Copy and paste the following JSON configuration into the editor:
- GitHub (Ocean)
- GitHub (Sunset)
Add tags to S3 bucket action (Click to expand)
Replace the variables<GITHUB_ORG>- your GitHub organization or user name.<GITHUB_REPO>- your GitHub repository name.<YOUR_GITHUB_OCEAN_INTEGRATION_ID>- your GitHub Ocean integration installation ID.
{"identifier": "add_tags_to_s3_bucket","title": "Add tags to S3 bucket","icon": "AWS","description": "Add tags to an S3 bucket","trigger": {"type": "self-service","operation": "DAY-2","userInputs": {"properties": {"tags": {"icon": "DefaultProperty","title": "Tags","type": "object","description": "Tags should be in key-value pairs like so: {\"key\": \"value\"}"}},"required": ["tags"],"order": ["tags"]},"blueprintIdentifier": "s3_bucket"},"invocationMethod": {"type": "INTEGRATION_ACTION","installationId": "<YOUR_GITHUB_OCEAN_INTEGRATION_ID>","integrationActionType": "dispatch_workflow","integrationActionExecutionProperties": {"org": "<GITHUB_ORG>","repo": "<GITHUB_REPO>","workflow": "add-tags-to-s3-bucket.yml","workflowInputs": {"tags": "{{ .inputs.\"tags\" }}","port_context": {"entity": "{{ .entity }}","blueprint": "{{ .action.blueprint }}","runId": "{{ .run.id }}","trigger": "{{ .trigger }}"}},"reportWorkflowStatus": true}},"requiredApproval": false}Add tags to S3 bucket action (Click to expand)
Replace the variables<GITHUB_ORG>- your GitHub organization or user name.<GITHUB_REPO>- your GitHub repository name.
{"identifier": "add_tags_to_s3_bucket","title": "Add tags to S3 bucket","icon": "AWS","description": "Add tags to an S3 bucket","trigger": {"type": "self-service","operation": "DAY-2","userInputs": {"properties": {"tags": {"icon": "DefaultProperty","title": "Tags","type": "object","description": "Tags should be in key-value pairs like so: {\"key\": \"value\"}"}},"required": ["tags"],"order": ["tags"]},"blueprintIdentifier": "s3_bucket"},"invocationMethod": {"type": "GITHUB","org": "<GITHUB_ORG>","repo": "<GITHUB_REPO>","workflow": "add-tags-to-s3-bucket.yml","workflowInputs": {"tags": "{{ .inputs.\"tags\" }}","port_context": {"entity": "{{ .entity }}","blueprint": "{{ .action.blueprint }}","runId": "{{ .run.id }}","trigger": "{{ .trigger }}"}},"reportWorkflowStatus": true},"requiredApproval": false} -
Click Save to create the action.
Create the GitHub workflow
Create a workflow file under .github/workflows/add-tags-to-s3-bucket.yml with the content below:
Add tags to S3 bucket workflow (Click to expand)
name: Add tags to S3 bucket
on:
workflow_dispatch:
inputs:
tags:
required: true
type: string
port_context:
required: true
type: string
jobs:
tag-s3-bucket:
runs-on: ubuntu-latest
steps:
- name: Inform starting of action
uses: port-labs/port-github-action@v1
with:
clientId: ${{ secrets.PORT_CLIENT_ID }}
clientSecret: ${{ secrets.PORT_CLIENT_SECRET }}
baseUrl: https://api.port.io
operation: PATCH_RUN
runId: ${{ fromJson(inputs.port_context).runId }}
logMessage: |
Starting a GitHub workflow to tag the S3 bucket: ${{ fromJson(inputs.port_context).entity.identifier }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Install jq
run: sudo apt-get install jq
- name: Add tags to S3 bucket
env:
BUCKET_NAME: ${{ fromJson(inputs.port_context).entity.identifier }}
TAGS_JSON: ${{ inputs.tags }}
run: |
TAGGING=$(echo "${TAGS_JSON}" | jq -c '{TagSet: [to_entries[] | {Key: .key, Value: .value}]}')
aws s3api put-bucket-tagging \
--bucket "${BUCKET_NAME}" \
--tagging "${TAGGING}"
- name: Create a log message
uses: port-labs/port-github-action@v1
with:
clientId: ${{ secrets.PORT_CLIENT_ID }}
clientSecret: ${{ secrets.PORT_CLIENT_SECRET }}
baseUrl: https://api.port.io
operation: PATCH_RUN
runId: ${{ fromJson(inputs.port_context).runId }}
logMessage: Added tags to ${{ fromJson(inputs.port_context).entity.identifier }}
Test the flow
-
Go to the Self-service page of your portal.
-
Select the Add tags to S3 bucket action on an S3 bucket entity.
-
Enter the tags as key-value pairs.
-
Click Execute to trigger the GitHub workflow.
Add tags to an ECR repository
Set up self-service action
Follow the steps below to create a self-service action that triggers the GitHub workflow.
-
Go to the Self-service page of your portal.
-
Click on the + New Action button.
-
Click on the
{...} Edit JSONbutton. -
Copy and paste the following JSON configuration into the editor:
- GitHub (Ocean)
- GitHub (Sunset)
Add tags to ECR repository action (Click to expand)
Replace the variables<GITHUB_ORG>- your GitHub organization or user name.<GITHUB_REPO>- your GitHub repository name.<YOUR_GITHUB_OCEAN_INTEGRATION_ID>- your GitHub Ocean integration installation ID.
{"identifier": "ecrRepository_add_tags_to_ecr_repository","title": "Add tags to ECR repository","icon": "AWS","description": "Add tags to an AWS ECR repository","trigger": {"type": "self-service","operation": "DAY-2","userInputs": {"properties": {"repository": {"icon": "DefaultProperty","title": "Repository","type": "string","blueprint": "ecrRepository","description": "Select the ECR repository entity to tag.","format": "entity"},"tags": {"icon": "DefaultProperty","title": "Tags","type": "object","description": "Tags should be in key-value pairs like so: {\"key\": \"value\"}"}},"required": ["repository","tags"],"order": ["repository","tags"]},"blueprintIdentifier": "ecrRepository"},"invocationMethod": {"type": "INTEGRATION_ACTION","installationId": "<YOUR_GITHUB_OCEAN_INTEGRATION_ID>","integrationActionType": "dispatch_workflow","integrationActionExecutionProperties": {"org": "<GITHUB_ORG>","repo": "<GITHUB_REPO>","workflow": "add-tags-to-ecr-repository.yml","workflowInputs": {"repository": "{{ .inputs.\"repository\" | if type == \"array\" then map(.identifier) else .identifier end }}","tags": "{{ .inputs.\"tags\" }}","port_context": {"entity": "{{ .entity }}","blueprint": "{{ .action.blueprint }}","runId": "{{ .run.id }}","trigger": "{{ .trigger }}"}},"reportWorkflowStatus": true}},"requiredApproval": false}Add tags to ECR repository action (Click to expand)
Replace the variables<GITHUB_ORG>- your GitHub organization or user name.<GITHUB_REPO>- your GitHub repository name.
{"identifier": "ecrRepository_add_tags_to_ecr_repository","title": "Add tags to ECR repository","icon": "AWS","description": "Add tags to an AWS ECR repository","trigger": {"type": "self-service","operation": "DAY-2","userInputs": {"properties": {"repository": {"icon": "DefaultProperty","title": "Repository","type": "string","blueprint": "ecrRepository","description": "Select the ECR repository entity to tag.","format": "entity"},"tags": {"icon": "DefaultProperty","title": "Tags","type": "object","description": "Tags should be in key-value pairs like so: {\"key\": \"value\"}"}},"required": ["repository","tags"],"order": ["repository","tags"]},"blueprintIdentifier": "ecrRepository"},"invocationMethod": {"type": "GITHUB","org": "<GITHUB_ORG>","repo": "<GITHUB_REPO>","workflow": "add-tags-to-ecr-repository.yml","workflowInputs": {"repository": "{{ .inputs.\"repository\" | if type == \"array\" then map(.identifier) else .identifier end }}","tags": "{{ .inputs.\"tags\" }}","port_context": {"entity": "{{ .entity }}","blueprint": "{{ .action.blueprint }}","runId": "{{ .run.id }}","trigger": "{{ .trigger }}"}},"reportWorkflowStatus": true},"requiredApproval": false} -
Click Save to create the action.
Create the GitHub workflow
Create a workflow file under .github/workflows/add-tags-to-ecr-repository.yml with the content below:
Add tags to ECR repository workflow (Click to expand)
name: Add tags to ECR repository
on:
workflow_dispatch:
inputs:
repository:
type: string
required: true
tags:
type: string
required: true
description: 'Tags should be in key-value pairs like so: {"key": "value"}'
port_context:
required: true
description: Action and general Port context.
type: string
jobs:
tag-ecr-repository:
runs-on: ubuntu-latest
steps:
- name: Create a log message
uses: port-labs/port-github-action@v1
with:
clientId: ${{ secrets.PORT_CLIENT_ID }}
clientSecret: ${{ secrets.PORT_CLIENT_SECRET }}
baseUrl: https://api.port.io
operation: PATCH_RUN
runId: ${{ fromJson(inputs.port_context).runId }}
logMessage: Starting request to add tags to ECR repository
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ secrets.AWS_REGION }}
- name: Install jq
run: sudo apt-get install jq
- name: Add tags to ECR repository
env:
TAGS_JSON: ${{ inputs.tags }}
run: |
TAGS=$(echo "${TAGS_JSON}" | jq -r '. | to_entries[] | "Key=\(.key),Value=\(.value)"' | tr '\n' ' ')
aws ecr tag-resource \
--resource-arn arn:aws:ecr:${{ secrets.AWS_REGION }}:${{ secrets.AWS_ACCOUNT_ID }}:repository/${{ inputs.repository }} \
--tags ${TAGS}
- name: Create a log message
uses: port-labs/port-github-action@v1
with:
clientId: ${{ secrets.PORT_CLIENT_ID }}
clientSecret: ${{ secrets.PORT_CLIENT_SECRET }}
baseUrl: https://api.port.io
operation: PATCH_RUN
runId: ${{ fromJson(inputs.port_context).runId }}
logMessage: Finished adding tags to ECR repository
Test the flow
-
Go to the Self-service page of your portal.
-
Select the Add tags to ECR repository action.
-
Select the ECR repository entity and enter the tags as key-value pairs.
-
Click Execute to trigger the GitHub workflow.