This topic describes how to attach a custom policy to a RAM user so that the RAM user must bind specific tags when creating ECS resources. If the tags are not bound, the ECS resources cannot be created. Combining tags with RAM users allows different RAM users to have different access and operation permissions on cloud resources based on their tags.
Prerequisites
A RAM user is created under your Alibaba Cloud account. For more information, see Create a RAM user.
Background information
You can bind tags to the resources of ECS and other Alibaba Cloud services. For more information about the services that support tags, see Services that support tags. By default, binding tags is optional when you create resources. To require that a specific tag is bound when a resource is created, create a custom policy. This allows you to control the operations of your RAM users on resources by binding specific tags to the resources.
Step 1: Create a RAM policy by using your Alibaba Cloud account and attach the RAM policy to the RAM user
To create a resource bound with a specific tag, you must create and attach a custom policy to the RAM user. In this step, the BindTagForRes custom policy is assigned to the userTest RAM user. When the RAM user creates an ECS resource, the RAM user must bind a specific tag to the resource and select a VPC bound with a tag. In this example, the user:lisi tag is bound to the VPC and the owner:zhangsan tag must be bound to the ECS resource.
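A sketch of what a policy such as BindTagForRes could contain, added here as an illustration and not the policy text from the original topic. It assumes the RAM condition keys acs:RequestTag/<key> (tags passed in the create request) and acs:ResourceTag/<key> (tags already on a resource, here the VPC); the read-only third statement is also an assumption, included so that the console can list existing resources.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "acs:RequestTag/owner": "zhangsan" }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "acs:ResourceTag/user": "lisi" }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:Describe*",
        "ecs:ListTagResources",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*"
    }
  ]
}
```

To check the policy after attaching it, try creating an instance as userTest without the owner:zhangsan tag, or in a VPC that lacks the user:lisi tag; both attempts should be refused.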
Step 2: Create and configure a VPC by using the Alibaba Cloud account
The custom policy created in Step 1 requires that you select a VPC that is bound with the user:lisi tag when you create an ECS resource. Therefore, you must create a VPC and bind the VPC with a tag. If the VPC is not bound with a specific tag, you cannot create the ECS resource.
Step 3: Create an ECS resource by using the RAM user
Log on to the ECS console as the userTest RAM user and create an ECS instance bound with a tag.
What to do next
You can bind specific tags to existing resources. This allows you to control access to these resources. You can also access resources bound with specific tags. For more information, see Control access to resources by using tags.