
AWS IAM Tagging, not tagging as expected using Lambda and Python

I created this script to apply tags if certain conditions are met, but it will not apply the tags if I just reference them; it will apply the tags if I type them in manually. This portion of the code works if it's manually typed in:

tag_user(user['UserName'], 'key', 'value')

Yes, I understand why it works, but if that works, why wouldn't this work as well?

tag_user(user['UserName'], testtag['Key'], testtag['Value']) 

Is that not the same thing? I've tried numerous methods as you can see in the tag_user section but none of them work except the first one, which is not convenient. I want to be able to reference "testtag" which is a list of key and value. I don't even think I need the tag_user function at the start since the boto3.client('iam') includes it, I would just reference iam.tag_user(), but again I can't get that to work. I'm not sure what I'm doing wrong here, any help would be much appreciated. Thank you.

import boto3   

iam = boto3.resource('iam')
iam_client = boto3.client('iam')
response = iam_client.list_users()


def tag_user(user, key, value):
    client = boto3.client('iam')
    try:
        response = client.tag_user(
            UserName=user,
            Tags=[
                {
                    'Key': key,
                    'Value': value
                },
            ]
        )
    except:
        response = 'We got an error'

    return response

def lambda_handler(event, context):

    return_value = {} #creates empty dictionary#
    everything_dict = {} #dictionary of instances, which contains a dictionary of categories
                         #(missing tag key, missing tag values, incorrect tag keys, etc), which contains a list with the details
    return_value['missingtagkeys'] = [] #within return values dictionary, create a missing tag key list#
    return_value['missingtagvalues'] = [] #within return values dictionary, creates a missing tag values key list#
    return_value['incorrecttagkeys'] = [] #within return values dictionary, create a incorrect tag key list#
    return_value['incorrecttagvalues'] = [] #within return values dictionary, create a incorrect tag value list#
    return_value['unknowntagvalues'] = [] #within return values dictionary, create a unknown tag value list#


    testtag = [{
        "Key": 'test',
        "Value": 'testvalue'
    }]

    for user in response['Users']:
        tags = iam_client.list_user_tags(UserName = user['UserName'])
        tags = {x['Key']: x['Value'] for x in tags["Tags"]}
        print(tags)

        # iam user properties
        ids = user['UserName']
        username = user['UserName']
        iam_user_id = user['UserId']
        iam_user_arn = user['Arn']

        try:
            # if instance_ids not in everything_dict:
            if username not in everything_dict:
                # ids = user['UserName']
                everything_dict[username] = {
                    'tags' : [],
                    'missingtagkeys' : [],
                    'missingtagvalues' : [],
                    'incorrecttagkeys' : [],
                    'incorrecttagvalues' : [],
                    'unknowntagvalues' : [],
                }
            everything_dict[username]['tags'].append(tags)
        except:
            pass

        try:

            if tags['contact'] in ['me', 'you']:
                print(username + " (" + user['UserId'] + ")" + " has an approved contact tag value of " + tags['contact'] + ".")
                tagissue = (username + " (" + user['UserId'] + ")" + " (" + user['Arn'] + ")" + " has an approved contact tag value of " + tags['contact'] + ".")

                tag_user(user['UserName'], 'key', 'value') # hard coded tag key and values, works
                tag_user(user['UserName'], str(testtag['Key']), str(testtag['Value'])) # does not work, why not?
                tag_user(user['UserName'], testtag.get('Key'), testtag.get('Value')) # does not work, why not?
                tag_user([user['UserName']], testtag) # does not work, why not?

                iam.tag_user(username, Tags=testtag) # does not work, why not?

                # Store values
                return_value['incorrecttagvalues'].append(tagissue)
                everything_dict[username]['incorrecttagvalues'].append(tagissue)


        except:
            pass

    return everything_dict

Your "testtag" is actually a list of tag key-value pairs, so you need to iterate through this list.

1. Renaming testtag to test_tags, with example of second kv pair:
test_tags = [
    {
        "Key": 'test',
        "Value": 'testvalue'
    },
    {
        "Key": 'test2',
        "Value": 'testvalue2'
    },
]

2a. Utilizing the custom function in the Lambda Function body:

for test_tag in test_tags:
    tag_user(user['UserName'], test_tag['Key'], test_tag['Value'])

2b. Alternatively, as you guessed at, you could just call IAM.Client.tag_user directly and remove the extra custom function.

This works because you already have a Sequence of TagTypeDef to pass into the Tags= keyword argument.

iam_client.tag_user(UserName=user['UserName'], Tags=test_tags)
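
An added example (not code from the question or the answer) that reproduces why the list-based calls raised and shows a helper that passes the validated tag list to tag_user in one call, surfacing errors instead of swallowing them. FakeIamClient, diagnose and apply_tags are hypothetical names; the fake client is a constructed stand-in for boto3.client('iam') so the block runs offline.

```python
class FakeIamClient:
    """Constructed stand-in for boto3.client('iam'); records tag_user calls."""
    def __init__(self):
        self.calls = []

    def tag_user(self, UserName, Tags):
        self.calls.append((UserName, Tags))
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def diagnose(testtag):
    """Evaluate the question's two lookups and report which exception each raises.

    In the question these exceptions were hidden by the bare `except: pass`
    around the tagging calls, so the Lambda finished without tagging anything.
    """
    attempts = {
        "testtag['Key']": lambda: testtag['Key'],
        "testtag.get('Key')": lambda: testtag.get('Key'),
    }
    results = {}
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = None
        except (TypeError, AttributeError) as exc:
            results[label] = type(exc).__name__
    return results


def apply_tags(client, username, tags):
    """Validate a list of {'Key', 'Value'} dicts, then tag the user once."""
    if not isinstance(tags, list) or not tags:
        raise ValueError("tags must be a non-empty list of {'Key', 'Value'} dicts")
    for tag in tags:
        if not isinstance(tag, dict) or set(tag) != {"Key", "Value"}:
            raise ValueError(f"malformed tag: {tag!r}")
        if not all(isinstance(v, str) for v in tag.values()):
            raise ValueError(f"tag key and value must be strings: {tag!r}")
    # No try/except here: a failed call should fail the invocation loudly.
    return client.tag_user(UserName=username, Tags=tags)


if __name__ == "__main__":
    testtag = [{"Key": "test", "Value": "testvalue"}]  # constructed sample
    print(diagnose(testtag))
    client = FakeIamClient()
    print(apply_tags(client, "example-user", testtag), client.calls)
```
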
