---
isPrivate: true
title: How do I pull my EC2 tags without using the AWS integration?
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Integrations > FAQ Integrations > How do I pull my EC2 tags without
  using the AWS integration?
---

# How do I pull my EC2 tags without using the AWS integration?

To pull custom AWS tags for an EC2 instance through the Datadog Agent without using the AWS integration, follow these steps:

{% tab title="Agent v6 & v7 with IMDS" %}
Datadog recommends gathering instance tags through the EC2 Instance Metadata Service.

This mechanism is available in the Datadog Agent v7.35.0.

1. Ensure that the EC2 instance is configured to allow access to tags in the instance metadata. See the [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#allow-access-to-tags-in-IMDS).
1. In the `datadog.yaml` file, set `collect_ec2_tags: true` and `collect_ec2_tags_use_imds: true`.
1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#restart-the-agent).

{% /tab %}

{% tab title="Agent v6 & v7 with EC2 API" %}
If tags are not available through the EC2 Instance Metadata Service, the Datadog Agent uses the EC2 API to gather tags.

1. Make sure an IAM role is assigned to the EC2 **instance**, using the [AWS documentation](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html). Create one if necessary.
1. Attach a policy to the IAM role that includes the permission `ec2:DescribeTags`.
1. In `datadog.yaml`, set `collect_ec2_tags: true`.
1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/#restart-the-agent).

{% /tab %}

{% tab title="Agent v5" %}

1. Create a IAM role for the **instance** using the [AWS documentation](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html).
1. For the policy section, specify the permissions: `"ec2:Describe*"`, `"ec2:Get*"`.
1. In `datadog.conf`, set **collect\_ec2\_tags: true**.
1. Optional: Add the security-groups tag by enabling `collect_security_groups`.
1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands/?tab=agentv5#restart-the-agent).

{% /tab %}

{% tab title="Docker" %}

1. Make sure an IAM role is assigned to the agent task, using the [AWS documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html). Create one if necessary.
1. Attach a policy to the IAM role that includes the permission `ec2:DescribeTags`.
1. Start the Datadog Agent container with the environment variable `DD_COLLECT_EC2_TAGS=true`.

**Note**: For backwards compatibility, the Agent will also try using the EC2 instance role if the ECS task role is unavailable or has insufficient permissions.
{% /tab %}

This option only pulls in custom tags set on the EC2 host under the **Tags** tab in your AWS console:

{% image
   source="https://datadog-docs.imgix.net/images/integrations/faq/ec2_tags.e69e33da68d71a9ab35609d07cf176cb.png?auto=format"
   alt="ec2_tags" /%}

Tags like `availability_zone`, `region`, or `instance_type` are only available by pulling in the EC2 host through the [AWS integration](https://docs.datadoghq.com/integrations/amazon_web_services/?tab=allpermissions).