Dynamically Add Tags to Machines

Use Case

  • Dynamically add a tag when a machine is provisioned.


  • Tags are a vital tool for enabling cost allocation, chargeback, and in-depth understanding of how infrastructure (public and/or private) is being leveraged across your company. The challenge is ensuring tags are always consistently applied. This can become an issue because the person provisioning the machine is responsible not only for applying the tag but also for knowing the tagging nomenclature and applying it properly.
  • ClearGLASS solves this problem by allowing an admin to predefine tags, associate them with individuals and/or teams, and automate the tagging process, ensuring consistency and accuracy.

Configuration Instructions

Use Role-Based Access Control to set the tags for individuals or teams. In this example, I will use only one cloud, AWS, but note that you can use this feature across heterogeneous infrastructure.

  • Rule 1: You must enable the “Read” action for a particular cloud, which ensures you can add and enforce rules for an individual and/or team.
  • Rule 2: Enable “Create Resources.” This will allow any member of a team to provision a machine but no other actions.
  • Rule 3: Next, enable the “machine” resource and the “all” action, plus “where tags”. Now add the tag; you can use a name or a key-value pair.
  • Rule 4: Enable an SSH key.
  • Deny everything else.
  • In this example, any member of the team with this team policy can provision machines on EC2 N. Virginia, and the dev=team1 tag will dynamically be added to the machine. The user will not be able to edit the tag unless the admin gives the user permissions to edit tags.
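
The rules above, sketched as a small first-match policy model with a default deny. This is an added illustration, not ClearGLASS code or its policy format. The `Rule` type, the action names (`create`, `reboot`, `edit_tags`), first-match ordering, and the treatment of tag editing as a separate privilege are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str        # "ALLOW" or "DENY"
    resource: str      # "cloud", "machine", "key", or "*" for any
    action: str        # an action name, or "*" for all actions
    tags: tuple = ()   # "where tags" constraint as (key, value) pairs

# Constructed policy mirroring Rules 1-4 and the final deny (names are hypothetical).
TEAM1_POLICY = [
    Rule("ALLOW", "cloud", "read"),                      # Rule 1
    Rule("ALLOW", "cloud", "create_resources"),          # Rule 2
    Rule("ALLOW", "machine", "*", (("dev", "team1"),)),  # Rule 3
    Rule("ALLOW", "key", "read"),                        # Rule 4
    Rule("DENY", "*", "*"),                              # deny everything else
]

# Assumption: tag editing is a separate privilege that an "all" allow rule does not grant.
TAG_ACTIONS = {"edit_tags"}

def evaluate(policy, resource, action, tags=None):
    """Return (allowed, tags_to_apply); first matching rule wins, no match denies."""
    tags = tags or {}
    for rule in policy:
        if rule.resource not in ("*", resource):
            continue
        if rule.action != "*" and rule.action != action:
            continue
        allow = rule.effect == "ALLOW"
        if allow and rule.action == "*" and action in TAG_ACTIONS:
            continue
        if action == "create":
            # Provisioning: the rule's constraint tags are stamped on the new machine.
            return allow, (dict(rule.tags) if allow else {})
        if all(tags.get(k) == v for k, v in rule.tags):
            return allow, {}
    return False, {}
```

In this model a team member can create a machine and receives the dev=team1 tag on it, can act on machines that already carry that tag, and is denied on machines tagged for another team or when attempting `edit_tags`.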


content/en_us/cg_dynamically-adding-tags-to-machines.txt · Last modified: 2018/03/14 12:14 by cjones