Control access to resources by using tags - Tag & Resource| Alibaba Cloud Documentation Center

After you attach tags to your resources, you can use tags to group, categorize, and control access to resources. This topic uses an ECS instance as an example to describe how to attach a policy to a RAM user. This policy allows the user to control access to ECS instances by using tags.

Prerequisites

You have created a RAM user by using an Alibaba Cloud account. For more information, see Create a RAM user.

Background information

You can attach tags to ECS resources and resources of other Alibaba Cloud services. For more information about Alibaba Cloud services that support tags, see Services that support tags. If you want to control which resources are accessible to RAM users, you can create a custom policy and use tags to implement access control.

Step 1: Use an Alibaba Cloud account to create a policy and attach it to a RAM user

In this step, create a custom policy named UseTagAccessRes and attach the policy to the RAM user userTest. The UseTagAccessRes policy states that RAM users must specify the owner: zhangsan tag before they can access ECS resources.

Log on to the RAM console by using an Alibaba Cloud account.

For more information about how to create the custom policy UseTagAccessRes, see Create a custom policy.

The policy used in this step is as follows. You can configure policies based on your business needs.

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ecs:tag/owner": "zhangsan"
                }
            }
        },
        {
            "Action": [
                "ecs:DescribeTagKeys",
                "ecs:DescribeTags"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ecs:DeleteTags",
                "ecs:UntagResources",
                "ecs:CreateTags",
                "ecs:TagResources"
            ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}


Policy	Policy content	Description
Grants the permission to access resources that are attached with tags	`"ecs:tag/owner": "zhangsan"`	This policy controls access to resources that are attached with the specified tag.
Grants the permission to query tags	`ecs:DescribeTagKeys` `ecs:DescribeTags`	This policy grants the permission to query tags.
Does not grant permissions to call tag-related API operations	`ecs:DeleteTags` `ecs:UntagResources` `ecs:CreateTags` `ecs:TagResources`	This policy must exclude all tag-related API operations from its permissions. This ensures that users will not be deprived of permissions due to tag modifications.

Attach the custom policy to RAM users or user groups whose access you want to control. For more information, see Grant permissions to a RAM role. In this step, attach the UseTagAccessRes policy to the RAM user userTest.

Note To attach the UseTagAccessRes policy to an existing RAM user, note that multiple policies attached to a single RAM user may cause problems.

Step 2: Use an Alibaba Cloud account to attach tags to existing resources

You can attach tags to existing resources to control access to the resources. In this step, use an Alibaba Cloud account to create an ECS instance and attach a tag to the instance.

Note If you have no existing ECS instance, create an instance first. For more information, see ECS instance creation overview.

Log on to the ECS console.
In the left-side navigation pane, click Tags.
Click Create/Bind Tags to create the owner: zhangsan tag and attach the tag to an existing instance. For more information about how to attach a tag to a resource, see Create or bind a tag.

Step 3: Use a RAM user's credentials to access instances that are attached with tags

Log on to the ECS console and access instances with tags by using credentials of the RAM user userTest who is attached with the UseTagAccessRes policy.

Note The ECS resources that can be attached with tags include instances, Block Storage devices, snapshots, images, security groups, ENIs, DDHs, SSH key pairs, and instance launch templates. This step uses an ECS instance as an example.

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
Select the specified region. No instance is displayed on the Instances page.
You can specify a tag by using one of the following methods to view resources.
- Filter instances based on the specified tag.
- Set a global tag.