To control access to ECS resources within the same Alibaba Cloud region by tag, you can use Operation Orchestration Service (OOS) to bind tags to all the resources in that region at a time.

Background information

You can bind tags to ECS resources and to the resources of other Alibaba Cloud services by creating a custom OOS template. For more information, see Services that support tags. This topic uses ECS instances as an example to describe how to create a custom OOS template and use it to bind the owner:zhangsan tag to all ECS instances within a single region.

Note The resources to which a tag will be bound at a time must be located within the same region.

Step 1: Create a custom policy and a RAM role

Create a RAM role named OOSServiceRole for OOS and grant permissions to the role.

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. Create a custom policy named OOSAutoBindTag. For more information, see Create a custom policy.
    The policy is configured as follows:
    Note This policy targets ECS instances, so its query permission is ecs:DescribeInstances. Adapt the actions to your business needs and keep them to what the template calls. For example, to bind tags to security groups instead, replace ecs:DescribeInstances with ecs:DescribeSecurityGroups.
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:TagResources"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  3. Create the RAM role OOSServiceRole.
  4. Assign the custom policy to the RAM role.
    For more information, see Grant permissions to a RAM role. In this step, the custom policy OOSAutoBindTag is assigned to the RAM role OOSServiceRole.
  5. Assign the system policy AliyunOSSFullAccess to the RAM role OOSServiceRole.
    Add the permissions in the RAM console.
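The custom policy in this step is deliberately narrow: the template only ever calls DescribeInstances and TagResources. The following added example (not part of the Alibaba Cloud documentation or of OOS) audits a RAM policy document against that action list before it is attached to OOSServiceRole. The policy strings are an embedded copy of the page's policy plus two constructed variants, an over-broad grant and a policy missing the tag action; nothing is fetched from RAM.

```python
"""Audit a RAM policy document against the actions the OOSAutoBindTag
template actually calls. Added example for this page; it is not part of
Alibaba Cloud's documentation or tooling. The policy strings are an embedded
copy of the page's policy and constructed variants, not fetched from RAM."""
import fnmatch
import json
from typing import Iterable, List, Set

# The two ECS actions the template's ACS::ExecuteAPI tasks invoke.
REQUIRED_ACTIONS = {"ecs:DescribeInstances", "ecs:TagResources"}

# The custom policy from Step 1, as shown on the page.
PAGE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Action": ["ecs:DescribeInstances", "ecs:TagResources"],
        "Resource": "*",
        "Effect": "Allow",
    }],
})

# Constructed variants: an over-broad grant and a policy missing the tag action.
BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Action": "ecs:*", "Resource": "*", "Effect": "Allow"}],
})
INCOMPLETE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Action": ["ecs:DescribeInstances"], "Resource": "*", "Effect": "Allow"}],
})


def _as_list(value) -> list:
    """RAM allows Statement and Action to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy_json: str) -> Set[str]:
    """Collect every action pattern granted by an Allow statement."""
    doc = json.loads(policy_json)
    granted: Set[str] = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    return granted


def audit_policy(policy_json: str, required: Iterable[str] = REQUIRED_ACTIONS) -> List[str]:
    """Return findings, or an empty list if the policy grants exactly what the
    template needs. RAM action patterns may contain '*', so a required action
    counts as granted if any pattern matches it; wildcard grants and actions
    the template never calls are reported so the role stays least-privilege."""
    required = set(required)
    granted = allowed_actions(policy_json)
    findings: List[str] = []
    for action in sorted(required):
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in granted):
            findings.append(f"missing: {action}")
    for pattern in sorted(granted):
        if "*" in pattern:
            findings.append(f"wildcard grant: {pattern}")
        elif pattern not in required:
            findings.append(f"not needed by template: {pattern}")
    return findings


if __name__ == "__main__":
    for name, policy in [("page", PAGE_POLICY), ("broad", BROAD_POLICY),
                         ("incomplete", INCOMPLETE_POLICY)]:
        print(name, audit_policy(policy) or "ok")
```

Passing a different `required` set covers the variant the note describes: auditing the page's policy against {"ecs:DescribeSecurityGroups", "ecs:TagResources"} reports DescribeSecurityGroups as missing and DescribeInstances as no longer needed.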

Step 2: Bind tags to all resources at a time

  1. Log on to the OOS console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click My Templates.
  4. Create a custom template.
    1. On the My Templates page, click Create Template.
    2. In the Create Template dialog box, click Empty Templates and then click OK.
    3. On the Create Template page, click YAML to edit the template. Enter OOSAutoBindTag in the Template Name field on the right of the page. After you edit the template, click Create Template.

      The sample template is as follows:

      FormatVersion: OOS-2019-06-01
      Description: Tag Resources Without The Specified Tags
      Parameters:
        tags:
          Type: Json
          Description:
            en: The tags to select ECS instances.
          AssociationProperty: Tags
        regionId:
          Type: String
          Description:
            en: The region to select ECS instances.
        OOSAssumeRole:
          Description:
            en: The RAM role to be assumed by OOS.
          Type: String
          Default: OOSServiceRole
      RamRole: '{{ OOSAssumeRole }}'   # use the OOSAssumeRole parameter (default OOSServiceRole) rather than a hardcoded role name
      Tasks:
        - Name: getInstancesByTags
          Action: 'ACS::ExecuteAPI'
          Description: ''
          Properties:
            Service: ECS
            API: DescribeInstances
            Parameters:
              Tags: '{{ tags }}'
              RegionId: '{{ regionId }}'
          Outputs:
            InstanceIds:
              Type: List
              ValueSelector: 'Instances.Instance[].InstanceId'
        - Name: getAllInstances
          Action: 'ACS::ExecuteAPI'
          Description: ''
          Properties:
            Service: ECS
            API: DescribeInstances
            Parameters:
              RegionId: '{{regionId}}'
          Outputs:
            InstanceIds:
              Type: List
              ValueSelector: 'Instances.Instance[].InstanceId'
        - Name: TagResources_ECS_Instances
          Action: 'ACS::ExecuteAPI'
          Description:
            en: 'tag ecs instances, which are without the specified tags.'
          Properties:
            Service: ECS
            API: TagResources
            Parameters:
              Tags: '{{ tags }}'
              RegionId: '{{regionId}}'
              ResourceType: Instance
              ResourceIds:
                - '{{ACS::TaskLoopItem}}'
          Loop:
            MaxErrors: 100%
            Concurrency: 20
            Items:
              'Fn::Difference':
                - '{{ getAllInstances.InstanceIds }}'
                - '{{ getInstancesByTags.InstanceIds }}'
      Outputs:
        InstanceIds:
          Type: List
          Value:
            'Fn::Difference':
              - '{{ getAllInstances.InstanceIds }}'
              - '{{ getInstancesByTags.InstanceIds }}'

      Parameter descriptions:

      • tags: Select the tags that are bound to ECS instances.
      • regionId: Enter the region ID of the ECS instances to which the selected tags will be bound.
      • OOSAssumeRole: The RAM role that OOS assumes to call the ECS API.

      Permissions description:

      • DescribeInstances: queries instances, optionally filtered by the specified tags.
      • TagResources: creates tags for, or binds tags to, the specified resources.
  5. Execute the custom template.
    1. In the left-side navigation pane, click My Templates. On the My Templates page, find the custom template OOSAutoBindTag that you created. In the Actions column, click Create Execution.
    2. Keep the default settings or re-select the execution mode, and click Next: Parameters Settings.
    3. Configure the parameters and click Next: OK.

      The following parameters are configured in this example:

      • tags: Select the tag owner:zhangsan.
      • regionId: Select the region of the instances, for example, cn-shanghai. For more information, see Regions and zones.
      • OOSAssumeRole: Use the RAM role OOSServiceRole.
    4. On the OK page, click Create Execution.
    5. On the execution details page, click the Advanced View tab. On the right of the page, click Execution Result.
    The execution result shows that the owner:zhangsan tag is bound to all the ECS instances within the selected region.

    If Execution Status shows Failed, check the execution status details and the execution logs, and then correct the template or the parameters accordingly.
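The template's logic is small enough to trace by hand: list every instance in the region, list the instances that already carry the tag, take Fn::Difference of the two ID lists, and call TagResources for what is left. The following added example (not Alibaba Cloud's code) performs that reconciliation offline on constructed DescribeInstances pages and returns the TagResources request bodies it would send. It goes beyond the template in two ways, both labelled in the comments: it walks all pages of the listing and checks the count against TotalCount, since DescribeInstances is paginated and a truncated listing would leave instances untagged, and it batches several ResourceId values per TagResources call (50 per call is assumed here) instead of tagging one instance per loop item. The `tags` value is assumed to be the JSON object {"owner": "zhangsan"} that the Tags parameter produces.

```python
"""Offline walk-through of the reconciliation the OOSAutoBindTag template
performs. Added example for this page, not Alibaba Cloud's code. The
DescribeInstances pages are constructed, no API is called, and request
bodies are returned as dicts so they can be inspected."""
from typing import Dict, List

# Constructed DescribeInstances responses for the getAllInstances task.
# The listing spans two pages; the template's single call sees one page,
# so walking every page is this example's addition.
ALL_INSTANCE_PAGES = [
    {"PageNumber": 1, "PageSize": 2, "TotalCount": 3,
     "Instances": {"Instance": [{"InstanceId": "i-constructed-001"},
                                {"InstanceId": "i-constructed-002"}]}},
    {"PageNumber": 2, "PageSize": 2, "TotalCount": 3,
     "Instances": {"Instance": [{"InstanceId": "i-constructed-003"}]}},
]
# Constructed response for the getInstancesByTags task (filtered by owner=zhangsan).
TAGGED_INSTANCE_PAGES = [
    {"PageNumber": 1, "PageSize": 2, "TotalCount": 1,
     "Instances": {"Instance": [{"InstanceId": "i-constructed-002"}]}},
]


def select_instance_ids(page: Dict) -> List[str]:
    """The template's ValueSelector 'Instances.Instance[].InstanceId'."""
    return [inst["InstanceId"] for inst in page.get("Instances", {}).get("Instance", [])]


def collect_instance_ids(pages: List[Dict]) -> List[str]:
    """Gather instance IDs across every page of a listing."""
    ids: List[str] = []
    for page in pages:
        ids.extend(select_instance_ids(page))
    return ids


def listing_complete(pages: List[Dict]) -> bool:
    """True when the pages together hold TotalCount instances; a partial
    listing (for example only page 1) would silently leave instances untagged."""
    total = pages[-1]["TotalCount"] if pages else 0
    return len(collect_instance_ids(pages)) == total


def fn_difference(first: List[str], second: List[str]) -> List[str]:
    """Fn::Difference: items of the first list absent from the second, in the
    original order. Duplicates are dropped here so no instance is tagged twice."""
    exclude = set(second)
    seen = set()
    out: List[str] = []
    for item in first:
        if item not in exclude and item not in seen:
            seen.add(item)
            out.append(item)
    return out


def tag_resources_requests(region_id: str, tags: Dict[str, str], resource_ids: List[str],
                           batch_size: int = 50) -> List[Dict]:
    """Build TagResources request bodies. The template tags one instance per
    loop item with Concurrency 20; batching IDs per call is this example's
    choice, with 50 per call assumed as the API limit."""
    tag_list = [{"Key": key, "Value": value} for key, value in tags.items()]
    requests: List[Dict] = []
    for start in range(0, len(resource_ids), batch_size):
        requests.append({
            "Action": "TagResources",
            "RegionId": region_id,
            "ResourceType": "Instance",
            "ResourceId": resource_ids[start:start + batch_size],
            "Tag": tag_list,
        })
    return requests


def reconcile(all_pages: List[Dict], tagged_pages: List[Dict],
              region_id: str, tags: Dict[str, str]) -> List[Dict]:
    """The whole template, end to end, returning the planned TagResources calls."""
    if not listing_complete(all_pages) or not listing_complete(tagged_pages):
        raise ValueError("DescribeInstances listing is truncated; refusing to tag a partial set")
    missing = fn_difference(collect_instance_ids(all_pages), collect_instance_ids(tagged_pages))
    return tag_resources_requests(region_id, tags, missing)


if __name__ == "__main__":
    for req in reconcile(ALL_INSTANCE_PAGES, TAGGED_INSTANCE_PAGES, "cn-shanghai", {"owner": "zhangsan"}):
        print(req)
```

Running the reconciliation a second time with the "all instances" listing on both sides plans no calls, which is the idempotence the Fn::Difference step gives the template: re-executing it only touches instances that still lack the tag.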