> For the complete documentation index, see [llms.txt](https://hawkins.gitbook.io/consoleme/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://hawkins.gitbook.io/consoleme/configuration/role-credential-authorization/role-tagging-recommended.md).

# Role Tags

We highly recommend establishing a set of role tags that will help ConsoleMe determine which users are authorized to get credentials and/or console access. These would be defined in your configuration YAML files ([examples](https://github.com/Netflix/consoleme/tree/master/example_config)) under the `cloud_credential_authorization_mapping` key.

Here's an example configuration:

```
cloud_credential_authorization_mapping:
  role_tags:
    enabled: true
    authorized_groups_tags:
      - consoleme-authorized
    authorized_groups_cli_only_tags:
      - consoleme-owner-dl
      - consoleme-authorized-cli-only
```

Once this is set up, you'd define the list of users / groups that are authorized to access the role in your role tags. If multiple users or groups need access to a role, you must delimit them by a colon (:). Commas, unfortunately, are not valid characters in tag values.

Here's a role's tag set using the above configuration. This tag set would allow a group or user named `consoleme_admins` and one named `consoleme_users` to get access to this role by both the **CLI** and via ConsoleMe's **web interface.** The users `usera@example.com` and `userb@example.com` would have access to this role's credentials via the CLI only.

![](/files/5iUfILDCpryioaNl8TTA)

Make sure that ConsoleMe and your administrative users are the only ones able to manipulate these tags. We recommend using an [SCP](/consoleme/configuration/role-credential-authorization/role-tagging-recommended/role-tagging-service-control-policy-recommended.md) to restrict it.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://hawkins.gitbook.io/consoleme/configuration/role-credential-authorization/role-tagging-recommended.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
