This topic describes how to assign a custom policy to a RAM user. This allows the RAM user to bind a specific tag when creating ECS resources. Otherwise, the ECS resources cannot be created. The combination of tags and RAM user allows different RAM users to own different access and operation permissions for cloud resources based on their tags.

Prerequisites

You have created a RAM user by using the Alibaba Cloud account. For more information, see Create a RAM user.

Background information

You can bind tags for the resources of ECS and other Alibaba Cloud services. For more information about the services that support tags, see Services that support tags. By default, you can select whether to bind tags when you create resources. If you want to bind a specific tag when a resource is created, you can create a custom policy. This allows you to control the operations of the RAM user on resources by binding a specific tag to new resources.

Step 1: Create and assign a policy to the RAM user by using the Alibaba Cloud account

To create a resource that is bound to a specific tag, you must create and assign a custom policy to the RAM user. In this step, assign the custom policy BindTagForRes to the RAM user userTest. When the RAM user creates an ECS resource, the user must bind a specific tag to the resource and select a VPC to which a tag is bound. In this example, the tag to which the VPC is bound is user:lisi. The specific tag to which the ECS resource must be bound is owner:zhangsan.

  1. Log on to the RAM console by using the Alibaba Cloud account.
  2. Create the custom policy BindTagForRes. For more information, see Create a custom policy.
    The policy that is used in this step is as follows. You can configure permissions based on your business needs.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/owner": "zhangsan"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "vpc:tag/user": "lisi"
                    }
                }
            },
            {
                "Action": [
                    "ecs:DescribeTagKeys",
                    "ecs:ListTagResources",
                    "ecs:DescribeTags",
                    "ecs:DescribeKeyPairs",
                    "ecs:DescribeImages",
                    "ecs:DescribeSecurityGroups",
                    "ecs:DescribeLaunchTemplates",
                    "ecs:DescribeDedicatedHosts",
                    "ecs:DescribeDedicatedHostTypes",
                    "ecs:DescribeAutoSnapshotPolicyEx",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches",
                    "bss:PayOrder"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:DeleteTags",
                    "ecs:UntagResources",
                    "ecs:CreateTags",
                    "ecs:TagResources"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
    The policy consists of the following parts:

    Permission to create or access a resource that can be bound to a tag
      Parameter: "ecs:tag/owner": "zhangsan"
      Description:
      • When a resource is created, the resource must be bound to this tag.
      • You can control access to resources that are bound to this tag.

    API permission to query tags
      Parameters:
      • ecs:DescribeTagKeys
      • ecs:ListTagResources
      • ecs:DescribeTags
      Description: You can query tags in the ECS console.

    API permission to query ECS resources
      Parameters:
      • ecs:DescribeKeyPairs
      • ecs:DescribeImages
      • ecs:DescribeSecurityGroups
      • ecs:DescribeLaunchTemplates
      • ecs:DescribeDedicatedHosts
      • ecs:DescribeDedicatedHostTypes
      • ecs:DescribeAutoSnapshotPolicyEx
      Description: You can filter resources by tag. This permission is required when you create resources in the ECS console. The resource permission that is set in this step includes key pairs, images, security groups, instances, dedicated hosts, and snapshots.

    API permission to query VPC resources
      Parameters:
      • vpc:DescribeVpcs
      • vpc:DescribeVSwitches
      Description: You can query existing VPCs and VSwitches.

    API permission to pay for orders
      Parameter: bss:PayOrder
      Description: This operation applies only to subscription resources.

    API permission to disable tag-related operations
      Parameters:
      • ecs:DeleteTags
      • ecs:UntagResources
      • ecs:CreateTags
      • ecs:TagResources
      Description: This Deny statement blocks the APIs that modify tags, so the RAM user cannot change or remove a tag and thereby lose the permission to create or access resources. Grant tag-modification permission only when necessary, and exercise caution when you do.

    Policy for VPCs to bind tags
      Parameter: "vpc:tag/user": "lisi"
      Description: The policy in this step requires that the selected VPC is bound to this tag. You can also choose not to require a VPC to be bound to a tag.
  3. Assign the custom policy to the RAM user or group to which you want to control access. For more information, see Grant permissions to a RAM role. In this step, the custom policy BindTagForRes is assigned to the RAM user userTest.
    Note Problems may occur when you assign the custom policy BindTagForRes to an existing RAM user that owns multiple permission policies.
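    To see how the four statements of BindTagForRes combine, here is an added Python simulator (example code written for this page, not Alibaba Cloud's RAM engine) that applies the policy to sample requests. It assumes the usual evaluation order (an explicit Deny wins over any Allow, and a request that matches no statement is implicitly denied), treats a StringEquals condition as failing when the request carries no value for the key, and models the instance creation of Step 3 as two authorization checks, one against the new instance's tags and one against the selected VPC's tags, that must both pass; the request contexts, the evaluation model and the use of the ecs:RunInstances action are assumptions of the example.

```python
import fnmatch

# Copy of the page's BindTagForRes policy as a Python dict (constructed for this example).
BIND_TAG_FOR_RES = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
         "Condition": {"StringEquals": {"ecs:tag/owner": "zhangsan"}}},
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
         "Condition": {"StringEquals": {"vpc:tag/user": "lisi"}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:DescribeTagKeys", "ecs:ListTagResources", "ecs:DescribeTags",
                    "ecs:DescribeKeyPairs", "ecs:DescribeImages", "ecs:DescribeSecurityGroups",
                    "ecs:DescribeLaunchTemplates", "ecs:DescribeDedicatedHosts",
                    "ecs:DescribeDedicatedHostTypes", "ecs:DescribeAutoSnapshotPolicyEx",
                    "vpc:DescribeVpcs", "vpc:DescribeVSwitches", "bss:PayOrder"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["ecs:DeleteTags", "ecs:UntagResources", "ecs:CreateTags", "ecs:TagResources"]},
    ],
}


def _action_matches(pattern, action):
    """Action fields are a string or a list; "ecs:*" style wildcards are glob-like."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(condition, context):
    """Only StringEquals appears in this policy. A key absent from the request
    context makes the condition fail (assumed model)."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator {operator} is not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def evaluate(policy, action, context):
    """One authorization check. Returns "Deny", "Allow" or "ImplicitDeny":
    an explicit Deny wins over every Allow; no matching statement is a deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def can_create_instance(policy, instance_tags, vpc_tags):
    """Model of Step 3 (assumption): creating an instance is authorized once against
    the tags of the new instance (ecs:tag/* keys) and once against the tags of the
    chosen VPC (vpc:tag/* keys); the request succeeds only if both checks allow."""
    checks = [
        {f"ecs:tag/{k}": v for k, v in instance_tags.items()},
        {f"vpc:tag/{k}": v for k, v in vpc_tags.items()},
    ]
    return all(evaluate(policy, "ecs:RunInstances", ctx) == "Allow" for ctx in checks)


if __name__ == "__main__":
    # Constructed sample requests by the RAM user userTest.
    print("owner:zhangsan + VPC user:lisi ->",
          can_create_instance(BIND_TAG_FOR_RES, {"owner": "zhangsan"}, {"user": "lisi"}))
    print("no owner tag + VPC user:lisi   ->",
          can_create_instance(BIND_TAG_FOR_RES, {}, {"user": "lisi"}))
    print("owner:zhangsan + untagged VPC  ->",
          can_create_instance(BIND_TAG_FOR_RES, {"owner": "zhangsan"}, {}))
    print("ecs:TagResources on own resource ->",
          evaluate(BIND_TAG_FOR_RES, "ecs:TagResources", {"ecs:tag/owner": "zhangsan"}))
    print("ecs:DescribeImages ->", evaluate(BIND_TAG_FOR_RES, "ecs:DescribeImages", {}))
```

    The last case is the point of the Deny statement: even though the first statement grants ecs:* on a resource tagged owner:zhangsan, ecs:TagResources still evaluates to Deny, so the user cannot retag the resource out of scope.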

Step 2: Create and configure a VPC by using the Alibaba Cloud account

The custom policy in step 1 requires that you select a VPC that is bound to the user:lisi tag when creating an ECS resource. Therefore, you must create a VPC and bind the VPC to a tag. If the VPC is not bound to a specific tag, you cannot create the ECS resource.

Note You cannot bind a tag to the VPC during creation. You must call the TagResources operation to bind a tag to the VPC after it is created.
  1. Create a VPC by using the Alibaba Cloud account. For more information, see Create a VPC.
  2. Call the TagResources operation to bind the tag user:lisi to the VPC after it is created.
    You can also bind other tags to the VPC.
  3. After you call the ListTagResources operation, if the returned values contain "TagKey": "user" and "TagValue": "lisi", it indicates that the tag user:lisi is bound to the VPC.
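    The check in the last step can be scripted. The following added Python example (not Alibaba Cloud's own code) takes the JSON body of one or more ListTagResources response pages and reports which VPCs carry the user:lisi tag. The sample response is constructed for the example, the VPC IDs are placeholders, and the TagResources.TagResource nesting of the body is an assumption about the VPC API's response shape; in practice the body comes from calling ListTagResources with ResourceType set to VPC through the SDK or CLI, repeating the call while NextToken is non-empty.

```python
import json

# Constructed sample page of a ListTagResources response (placeholder IDs, assumed shape).
SAMPLE_RESPONSE = json.dumps({
    "RequestId": "placeholder-request-id",
    "NextToken": "",
    "TagResources": {"TagResource": [
        {"ResourceId": "vpc-example0001", "ResourceType": "VPC", "TagKey": "user", "TagValue": "lisi"},
        {"ResourceId": "vpc-example0001", "ResourceType": "VPC", "TagKey": "env", "TagValue": "test"},
        {"ResourceId": "vpc-example0002", "ResourceType": "VPC", "TagKey": "user", "TagValue": "wangwu"},
    ]},
})


def tags_by_vpc(*pages):
    """Merge the TagResource entries of every response page into {vpc_id: {key: value}}."""
    result = {}
    for body in pages:
        data = json.loads(body)
        for item in data.get("TagResources", {}).get("TagResource", []):
            if item.get("ResourceType") != "VPC":
                continue  # ignore entries for other resource types
            result.setdefault(item["ResourceId"], {})[item["TagKey"]] = item["TagValue"]
    return result


def vpc_has_tag(vpc_id, key, value, *pages):
    """True if the given VPC carries exactly this key:value tag."""
    return tags_by_vpc(*pages).get(vpc_id, {}).get(key) == value


def vpcs_selectable_under_policy(*pages, key="user", value="lisi"):
    """VPCs that satisfy the vpc:tag/user condition of BindTagForRes, sorted by ID."""
    return sorted(vid for vid, tags in tags_by_vpc(*pages).items() if tags.get(key) == value)


if __name__ == "__main__":
    print("VPCs tagged user:lisi:", vpcs_selectable_under_policy(SAMPLE_RESPONSE))
    print("vpc-example0001 usable:", vpc_has_tag("vpc-example0001", "user", "lisi", SAMPLE_RESPONSE))
    print("vpc-example0002 usable:", vpc_has_tag("vpc-example0002", "user", "lisi", SAMPLE_RESPONSE))
```

    A VPC that does not appear in the selectable list will cause the instance creation in Step 3 to fail for userTest, so run this check before handing the VPC over to the RAM user.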

Step 3: Create an ECS resource by using the RAM user

This step takes the creation of an ECS instance as an example. Log on to the ECS console as the RAM user userTest and create an instance that is bound to a tag.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. Click Create Instance to create an instance.
    Note You must select the VPC that is bound to the tag user:lisi in step 2, and must bind the specific tag owner:zhangsan to the ECS instance. If you do not bind the specific tag, the creation fails and the message You are not authorized to create ECS instances appears.

What to do next

You can bind specific tags to existing resources. This allows you to control access to these resources. You can also access resources that are bound to specific tags. For more information, see Control access to resources by using tags.