ECS dynamically manages resource permissions based on labels

Scenario

A company wants to manage resources according to different roles.

Datacenter members: authorized to access all ECS resources tagged project: datacenter.

Bizcenter members: authorized to access all ECS resources tagged project: bizcenter.

Resource producer: creates resources.

Resource authorization manager: authorizes resources by tagging them. To grant access to a resource, add the tag; to revoke access, delete the tag. The permission policies themselves do not need to be modified.

The permission design is as follows.

Datacenter member

Access control is applied directly to the sub-accounts.

Sub-accounts used by members of the project can access datacenter resources once the following permissions are granted to them.

Note: In the ECS console, you must filter by the tag project: datacenter to see the resources. By default, without a tag filter, no resources are visible.
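
A RAM policy of the kind this section describes for datacenter members, as an added example and not the policy from the original page. It assumes the `acs:ResourceTag/project` condition key; the explicit Deny on the tagging actions is an added assumption so that only the resource authorization manager can change tags.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/project": ["datacenter"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ecs:DescribeTags", "ecs:ListTagResources"],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:TagResources",
        "ecs:UntagResources",
        "ecs:AddTags",
        "ecs:RemoveTags"
      ],
      "Resource": "*"
    }
  ]
}
```

An explicit Deny takes precedence over any Allow in RAM, so a member holding this policy cannot re-tag resources to widen or drop their own access.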

Bizcenter member

Sub-accounts use this permission through a fixed role.

In the Access Control console, go to Identity Management > Role > Create Role and create a role named bizcenter-member.

Note: In the ECS console, you must filter by the tag project: bizcenter to see the resources. By default, without a tag filter, no resources are visible.

Sub-accounts used by bizcenter members must assume the role bizcenter-member to use bizcenter resources.

Resource producer

If the resource producer is the resource manager, use the AliyunECSFullAccess permission.

If resources created by the resource producer must carry the tag project: anyValue, the permissions are as follows.

Resource authorization manager

If the resource authorization manager must tag resources with project: anyValue, the permissions are as follows:

To enforce tagging conventions, you can use tag policies to ensure that resources are tagged correctly.
