After you add tags to your Elastic Compute Service (ECS) resources, you can use the tags to categorize the resources and control access to them. This topic describes how to attach a policy to a RAM user so that the user can use tags to control access to ECS instances.

Prerequisites

A RAM user is created by using your Alibaba Cloud account. For more information, see Create a RAM user.

Background information

Tags are used to identify cloud resources. You can use tags to categorize, search for, and aggregate cloud resources that have the same characteristics. This simplifies resource management. You can add multiple tags to each cloud resource.

Alibaba Cloud implements policy-based access control. You can configure RAM policies based on roles of RAM users. You can define multiple tags in each policy and attach one or more policies to RAM users or RAM user groups. If you want to control which resources are accessible to RAM users, you can create custom policies that contain tags to implement access control on resources.

You can add tags to ECS resources and to resources of other Alibaba Cloud services. By default, all resources within the current region are displayed in the resource list, regardless of their tags. A custom policy that contains tag conditions restricts the RAM user to only the resources that carry the specified tags.

Step 1: Create a RAM policy by using your Alibaba Cloud account and attach the policy to a RAM user

This section describes how to use an Alibaba Cloud account to create a custom policy that contains specific tags and attach the policy to a RAM user. In the example, the UserTagAccessRes custom policy, the userTest RAM user, and the owner: zhangsan and environment: production tags are used.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create the UserTagAccessRes custom policy. For more information, see Create a custom policy.
    The following code shows how to configure multiple tags for cloud resources in a policy:
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/owner": "zhangsan",
                        "ecs:tag/environment": "production"
                    }
                }
            },
            {
                "Action": [
                    "ecs:DescribeTagKeys",
                    "ecs:DescribeTags"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:DeleteTags",
                    "ecs:UntagResources",
                    "ecs:CreateTags",
                    "ecs:TagResources"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
    The policy consists of three statements:

    Policy: Grants the permissions to access resources to which specific tags are added
    Policy content:
      • "ecs:tag/owner": "zhangsan"
      • "ecs:tag/environment": "production"
    Description: This statement allows access only to resources to which both of the specified tags are added.

    Policy: Grants the permissions to query tags
    Policy content:
      • ecs:DescribeTagKeys
      • ecs:DescribeTags
    Description: This statement allows the user to query tags in the ECS console.

    Policy: Does not grant permissions to call the API operations that are used to manage tags
    Policy content:
      • ecs:DeleteTags
      • ecs:UntagResources
      • ecs:CreateTags
      • ecs:TagResources
    Description: This statement explicitly denies all tag-management API operations, so that the user cannot modify tags and thereby change which resources the policy grants or revokes access to.
  3. Attach the custom policy to the RAM user or group for which you want to control access. For more information, see Grant permissions to a RAM role. In this step, attach the UserTagAccessRes policy to the RAM user userTest.
    Note If you attach the UserTagAccessRes policy to an existing RAM user, note that the user's other policies remain in effect, and multiple policies attached to a single RAM user may cause permission conflicts.
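To make the effect of the three statements concrete, the following added example (not from the original topic or from Alibaba Cloud's own tooling) evaluates the UserTagAccessRes policy the way RAM evaluates statements: an explicit Deny overrides any Allow, no matching statement is an implicit deny, and every key in a StringEquals condition must match the resource's tags. The policy dictionary is a constructed copy of the JSON above; the instance tag sets are constructed sample data.

```python
# Constructed copy of the UserTagAccessRes policy shown in this topic.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
         "Condition": {"StringEquals": {"ecs:tag/owner": "zhangsan",
                                        "ecs:tag/environment": "production"}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:DescribeTagKeys", "ecs:DescribeTags"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["ecs:DeleteTags", "ecs:UntagResources",
                    "ecs:CreateTags", "ecs:TagResources"]},
    ],
}

def _matches(pattern, action):
    # Action patterns are exact names or a trailing "*" wildcard (e.g. "ecs:*").
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_met(condition, resource_tags):
    # Every "ecs:tag/<key>" in StringEquals must equal the resource's tag value;
    # a statement without a Condition block applies unconditionally.
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ecs:tag/"):
            return False  # only tag conditions are modelled here
        if resource_tags.get(key[len("ecs:tag/"):]) != expected:
            return False
    return True

def is_allowed(policy, action, resource_tags):
    """Return True if the policy allows `action` on a resource carrying
    `resource_tags`. All statements in this policy use Resource "*",
    so only Action and Condition decide the outcome."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny wins over any Allow
        allowed = True
    return allowed
```

Running it shows why a RAM user sees an empty instance list until the matching tags are added, and why the user cannot add the tags themselves.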

Step 2: Add tags to existing resources by using your Alibaba Cloud account

You can attach tags to existing resources to control access to the resources. This section describes how to use an Alibaba Cloud account to create an ECS instance and add a tag to the instance.

Note If you have no existing instances, create an instance first. For more information, see Creation method overview.
  1. Log on to the ECS console.
  2. In the left-side navigation pane, click Tags.
  3. On the Tags page, click Create Custom Tags. In the Create Custom Tags dialog box, create the owner: zhangsan and environment: production tags and add them to existing ECS instances. For more information about how to add a tag to a resource, see Create or bind a tag.

Step 3: Access instances to which tags are added by using the RAM user

Use the userTest RAM user, to which the UserTagAccessRes policy is attached, to log on to the ECS console and access the instances to which the tags are added.

Note The following ECS resources can have tags added: instances, Elastic Block Storage (EBS) devices, snapshots, images, security groups, elastic network interfaces (ENIs), dedicated hosts, SSH key pairs, and launch templates. In this example, ECS instances are used.
  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region. No instances are displayed on the Instances page, because the RAM user can access only instances that carry both required tags and the list is not yet filtered by them.
  4. Filter the list by the owner: zhangsan and environment: production tags to view the instances to which the tags are added.