update docs for additional tags feature (#830)

SinghVikram97 · vbedi · web-flow · commit 1e54b69688b0 · 2025-10-07T22:59:50.000Z
Co-authored-by: vbedi &lt;vbedi@amazon.com&gt;
diff --git a/config/iam/recommended-inline-policy.json b/config/iam/recommended-inline-policy.json
@@ -20,7 +20,9 @@
                 "tag:GetResources",
                 "firehose:TagDeliveryStream",
                 "s3:GetBucketPolicy",
-                "s3:PutBucketPolicy"
+                "s3:PutBucketPolicy",
+                "tag:TagResources",
+                "tag:UntagResources"
             ],
             "Resource": "*"
         },
diff --git a/docs/guides/additional-tags.md b/docs/guides/additional-tags.md
@@ -4,13 +4,6 @@ The AWS Gateway API Controller automatically applies some tags to resources it c
 
 The `application-networking.k8s.aws/tags` annotation specifies additional tags that will be applied to AWS resources created.
 
-## Supported Resources
-
-- **HTTPRoute** - Tags applied to VPC Lattice Services, Listeners, Rules, Target Groups, and Service Network Service Associations
-- **ServiceExport** - Tags applied to VPC Lattice Target Groups
-- **AccessLogPolicy** - Tags applied to VPC Lattice Access Log Subscriptions
-- **VpcAssociationPolicy** - Tags applied to VPC Lattice Service Network VPC Associations
-
 ## Usage
 
 Add comma separated key=value pairs to the annotation:
@@ -36,3 +29,33 @@ metadata:
 spec:
   # ... rest of spec
 ```
+
+## Required IAM Permissions
+
+For the additional tags functionality to work properly, the IAM role linked to the controller's service account must also include these permissions:
+
+```json
+{
+    "Effect": "Allow",
+    "Action": [
+        "tag:TagResources",
+        "tag:UntagResources"
+    ],
+    "Resource": "*"
+}
+```
+
+### How to Ensure You Have These Permissions
+
+The `config/iam/recommended-inline-policy.json` file contains all the required permissions including these tagging permissions.
+
+- **If you are setting up for the first time**: The recommended inline policy already includes all the required permissions.
+- **If you used the setup steps in the [deploy guide](https://www.gateway-api-controller.eks.aws.dev/latest/guides/deploy/#setup)**: You need to update the existing `VPCLatticeControllerIAMPolicy` to include the updated permissions.
+
+
+## Supported Resources
+
+- **HTTPRoute** - Tags applied to VPC Lattice Services, Listeners, Rules, Target Groups, and Service Network Service Associations
+- **ServiceExport** - Tags applied to VPC Lattice Target Groups
+- **AccessLogPolicy** - Tags applied to VPC Lattice Access Log Subscriptions
+- **VpcAssociationPolicy** - Tags applied to VPC Lattice Service Network VPC Associations
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -24,6 +24,7 @@ nav:
     - TLS Passthrough: guides/tls-passthrough.md
     - Pod Readiness Gates: guides/pod-readiness-gates.md
     - Configuration: guides/environment.md
+    - Additional Tags: guides/additional-tags.md
   - API Specification: api-reference.md
   - API Reference:
     - AccessLogPolicy: api-types/access-log-policy.md
