After you attach tags to your resources, you can use tags to group, categorize, and control access to resources. This topic uses an ECS instance as an example to describe how to attach a policy to a RAM user and allow the user to control access to ECS instances by using tags.
Prerequisites
You have created a RAM user by using an Alibaba Cloud account. For more information, see Create a RAM user.
Background information
Tags are used to identify cloud resources. They help you classify, search for, and aggregate cloud resources with the same characteristics from different dimensions. This simplifies resource management. You can attach multiple tags to each cloud resource.
Alibaba Cloud implements policy-based access control. You can configure RAM policies based on roles of RAM users. You can define multiple tags in each policy and attach one or more policies to RAM users or RAM user groups.
You can attach tags to ECS resources and resources of other Alibaba Cloud services. By default, all resources within the current region are displayed in the resource list. If you want to control which resources are accessible to RAM users, you can create a custom policy and use tags to implement access control.
Step 1: Use an Alibaba Cloud account to create a policy and attach it to a RAM user
In this step, create a custom policy named UseTagAccessRes and attach the policy to the RAM user userTest. The UseTagAccessRes policy states that RAM users must specify the owner: zhangsan and environment: production tags before they can access ECS resources.
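The following is an added example, not part of the original topic or Alibaba Cloud's own code: a simplified model of how a policy like UseTagAccessRes matches instance tags, run over a constructed inventory to check which instances userTest could reach before the policy is attached. The policy body (the ecs:* action and the acs:ResourceTag/ condition key prefix) is an assumption, because this topic does not show the policy document, and the helper names are hypothetical.

```python
# Added illustration: a simplified model of tag-conditioned policy evaluation.
# Assumption: the action and the condition key prefix below; check the RAM
# documentation for the exact keys before reusing this as a real policy.
TAG_PREFIX = "acs:ResourceTag/"

USE_TAG_ACCESS_RES = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ecs:*",
        "Resource": "*",
        "Condition": {"StringEquals": {
            TAG_PREFIX + "owner": "zhangsan",
            TAG_PREFIX + "environment": "production",
        }},
    }],
}

# Constructed sample inventory; instance IDs are placeholders.
INSTANCES = [
    {"id": "i-example-01", "tags": {"owner": "zhangsan", "environment": "production"}},
    {"id": "i-example-02", "tags": {"owner": "zhangsan"}},  # one tag missing
    {"id": "i-example-03", "tags": {"owner": "zhangsan", "environment": "test"}},
    {"id": "i-example-04", "tags": {"Owner": "zhangsan", "environment": "production"}},
    {"id": "i-example-05", "tags": {}},  # untagged
]

def statement_allows(statement, tags):
    """True if an Allow statement's StringEquals tag conditions all match."""
    if statement.get("Effect") != "Allow":
        return False
    wanted = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in wanted.items():
        if not key.startswith(TAG_PREFIX):
            return False  # condition this model does not cover: fail closed
        # Every listed tag must match; this model compares keys and values exactly.
        if tags.get(key[len(TAG_PREFIX):]) != value:
            return False
    return True

def accessible_instances(policy, instances):
    """IDs of instances whose tags satisfy at least one Allow statement."""
    return [inst["id"] for inst in instances
            if any(statement_allows(s, inst["tags"]) for s in policy["Statement"])]

if __name__ == "__main__":
    print(accessible_instances(USE_TAG_ACCESS_RES, INSTANCES))
```

Only the instance that carries both tags with the exact keys and values is returned; instances with a missing, differently valued, or differently cased tag are excluded in this model.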
Step 2: Use an Alibaba Cloud account to attach tags to existing resources
You can attach tags to existing resources to control access to the resources. In this step, use an Alibaba Cloud account to create an ECS instance and attach tags to the instance.
- Log on to the ECS console.
- In the left-side navigation pane, click Tags.
- Click Create/Bind Tags to create the owner: zhangsan and environment: production tags and attach the tags to an existing instance. For more information about how to attach a tag to a resource, see Create or bind a tag.
Step 3: Use the credentials of a RAM user to access tagged instances
Log on to the ECS console by using the credentials of the RAM user userTest, to whom the UseTagAccessRes policy is attached, and access the tagged instances.