Create a resource with a specific tag

Step 1: Create a RAM policy by using your Alibaba Cloud account and attach the RAM policy to the RAM user

To create a resource bound with a specific tag, you must create and attach a custom policy to the RAM user. In this step, the BindTagForRes custom policy is assigned to the userTest RAM user. When the RAM user creates an ECS resource, the RAM user must bind a specific tag to the resource and select a VPC bound with a tag. In this example, the user:lisi tag is bound to the VPC and the owner:zhangsan tag must be bound to the ECS resource.

1. Log on to the RAM console by using an Alibaba Cloud account.
2. Create the BindTagForRes custom policy. For more information, see Create a custom policy.
   The following policy is used in this step. You can configure permissions based on your business needs.

   {
       "Statement": [
           {
              "Effect": "Allow",
               "Action": "ecs:*",
               "Resource": "*",
               "Condition": {
                   "StringEquals": {
                       "ecs:tag/owner": "zhangsan"
                   }
               }
           },
           {
               "Effect": "Allow",
               "Action": "ecs:*",
               "Resource": "*",
               "Condition": {
                   "StringEquals": {
                       "vpc:tag/user": "lisi"
                   }
               }
           },
           {
               "Action": [
                   "ecs:DescribeTagKeys",
                   "ecs:ListTagResources",
                   "ecs:DescribeTags",
                   "ecs:DescribeKeyPairs",
                   "ecs:DescribeImages",
                   "ecs:DescribeSecurityGroups",
                   "ecs:DescribeLaunchTemplates",
                   "ecs:DescribeDedicatedHosts",
                   "ecs:DescribeDedicatedHostTypes",
                   "ecs:DescribeAutoSnapshotPolicyEx",
                   "vpc:DescribeVpcs",
                   "vpc:DescribeVSwitches",
                   "bss:PayOrder"
               ],
               "Effect": "Allow",
               "Resource": "*"
           },
           {
               "Effect": "Deny",
               "Action": [
                   "ecs:DeleteTags",
                   "ecs:UntagResources",
                   "ecs:CreateTags",
                   "ecs:TagResources"
               ],
               "Resource": "*"
           }
       ],
       "Version": "1"
   }

   Permission policy	Parameter	Description
   Permission to create or access a resource bound with a tag	"ecs:tag/owner": "zhangsan"	When a resource is created, the resource must be bound with this tag. You can control access to resources bound with this tag.
   API permission to query tags	ecs:DescribeTagKeys ecs:ListTagResources ecs:DescribeTags	You can query tags in the ECS console.
   API permission to query ECS resources	ecs:DescribeKeyPairs ecs:DescribeImages ecs:DescribeSecurityGroups ecs:DescribeLaunchTemplates ecs:DescribeDedicatedHosts ecs:DescribeDedicatedHostTypes ecs:DescribeAutoSnapshotPolicyEx	You can filter resources by tag. This permission is required when you create resources in the ECS console. The resources include key pairs, images, security groups, instances, dedicated hosts, and snapshots.
   API permission to query VPC resources	vpc:DescribeVpcs vpc:DescribeVSwitches	You can query existing VPCs and VSwitches.
   API permission to pay for orders	bss:PayOrder	This operation applies only to subscription resources.
   API permission to disable tag-related operations	ecs:DeleteTags ecs:UntagResources ecs:CreateTags ecs:TagResources	This permission disables tag-related API operations and avoids loss of control permissions on resources caused by modifications on tags. You can grant this permission when necessary. Exercise caution when you perform this operation.
   Policy for VPCs to bind tags	"vpc:tag/user": "lisi"	The policy requires that a VPC must be bound with a tag. You can also specify whether to require a VPC to be bound with a tag.

3. Attach the custom policy to the RAM user or group to which you want to control access. For more information, see Grant permissions to a RAM role. In this step, the BindTagForRes custom policy is attached to the userTest RAM user.
   Note Problems may occur if you attach the BindTagForRes custom policy to an existing RAM user that is attached with multiple permission policies.

Step 2: Create and configure a VPC by using the Alibaba Cloud account

The custom policy created in Step 1 requires that you select a VPC that is bound with the user:lisi tag when you create an ECS resource. Therefore, you must create a VPC and bind the VPC with a tag. If the VPC is not bound with a specific tag, you cannot create the ECS resource.

1. Create a VPC by using the Alibaba Cloud account. For more information, see Create a VPC network.
2. Call the TagResources operation to bind the user:lisi tag to the VPC.
   You can also bind other tags to the VPC.
3. Call the ListTagResources operation to query the VPC created in this step. If the response contains "TagKey": "user" and "TagValue": "lisi", the VPC is bound with the user:lisi tag.

Step 3: Create an ECS resource by using the RAM user

Log on to the ECS console as the userTest RAM user and create an ECS instance bound with a tag.

1. Log on to the ECS console.
2. In the left-side navigation pane, choose Instances & Images > Instances.
3. In the top navigation bar, select a region.
4. Click Create Instance to create an instance.
   Note You must select the VPC bound with the user:lisi tag in Step 2 and bind the owner:zhangsan tag to the ECS instance. If you do not bind the owner:zhangsan tag, the ECS instance cannot be created, and the You are not authorized to create ECS instances message is displayed.

   

What to do next

You can bind specific tags to existing resources. This allows you to control access to these resources. You can also access resources bound with specific tags. For more information, see Control access to resources by using tags.