aws ec2 create-tags: Tag EC2 Resources in CI
aws ec2 create-tags attaches one or more key/value tags to existing EC2 resources such as instances, volumes, and snapshots, overwriting a tag if the key already exists.
Tags drive cost allocation and cleanup. When you cannot tag at create time, create-tags backfills them, but tag-on-create is safer because there is no untagged window.
What it does
aws ec2 create-tags applies the --tags list to every resource ID in --resources. It is idempotent in effect: setting an existing key overwrites its value. It returns no output on success (exit code 0).
Common usage
aws ec2 create-tags \
--resources i-0123456789abcdef0 vol-0123456789abcdef0 \
--tags Key=Name,Value=ci-runner Key=pipeline,Value="$GITHUB_RUN_ID"Options
| Flag | What it does |
|---|---|
| --resources <id...> | One or more resource IDs to tag (required) |
| --tags Key=..,Value=.. | Tag list to apply (required) |
| --dry-run | Check permissions without tagging |
In CI
Tag instances with the run ID ($GITHUB_RUN_ID, $CI_PIPELINE_ID) so a sweeper job can find and terminate orphans from failed runs with describe-instances --filters Name=tag:pipeline,Values=.... Empty values are allowed; a missing comma is not (Key=x,Value=y, not Key=x Value=y).
Common errors in CI
"An error occurred (InvalidID) when calling the CreateTags operation: The ID 'i-...' is not valid" means a malformed or wrong-region instance ID. "InvalidInstanceID.NotFound" means the instance does not exist in this region. "UnauthorizedOperation" means the role lacks ec2:CreateTags (note IAM can scope CreateTags by the aws:RequestTag condition, so a partly-correct policy can still reject specific keys).