You can attach a custom policy to a RAM user that requires the RAM user to add specific
tags to the ECS resources that the RAM user creates. If the required tags are not added,
the ECS resources cannot be created. The combination of tags and RAM users allows different
RAM users to have different access and operation permissions on cloud resources based on tags.
Prerequisites
A RAM user is created under your Alibaba Cloud account. For more information, see
Create a RAM user.
Step 1: Create a custom policy and attach the policy to a RAM user
In this step, the BindTagForRes custom policy is attached to the userTest RAM user.
When the RAM user creates an ECS resource, the RAM user must add a specific tag to
the resource and select a VPC to which a specific tag is added. In this example, the
user:lisi tag is added to the VPC, and the owner:zhangsan tag is added to the ECS resource.
- Log on to the RAM console by using an Alibaba Cloud account.
- Create the BindTagForRes custom policy. For more information, see Create a custom policy.
Policy document:
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ecs:tag/owner": "zhangsan"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "vpc:tag/user": "lisi"
                }
            }
        },
        {
            "Action": [
                "ecs:DescribeTagKeys",
                "ecs:ListTagResources",
                "ecs:DescribeTags",
                "ecs:DescribeKeyPairs",
                "ecs:DescribeImages",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeLaunchTemplates",
                "ecs:DescribeDedicatedHosts",
                "ecs:DescribeDedicatedHostTypes",
                "ecs:DescribeAutoSnapshotPolicyEx",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "bss:PayOrder"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ecs:DeleteTags",
                "ecs:UntagResources",
                "ecs:CreateTags",
                "ecs:TagResources"
            ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
The following table lists the permissions defined in the preceding policy.
Permission | Parameter
Create or access a resource to which a specific tag is added | "ecs:tag/owner": "zhangsan"
Select a VPC to which a specific tag is added | "vpc:tag/user": "lisi"
Call the API operations that are used to query tags | ecs:DescribeTagKeys, ecs:ListTagResources, ecs:DescribeTags
Call the API operations that are used to query ECS resources | ecs:DescribeKeyPairs, ecs:DescribeImages, ecs:DescribeSecurityGroups, ecs:DescribeLaunchTemplates, ecs:DescribeDedicatedHosts, ecs:DescribeDedicatedHostTypes, ecs:DescribeAutoSnapshotPolicyEx
Call the API operations that are used to query VPC resources | vpc:DescribeVpcs, vpc:DescribeVSwitches
Call the API operation that is used to pay for orders | bss:PayOrder
Not allowed to call the API operations that are used to manage tags (explicit Deny) | ecs:DeleteTags, ecs:UntagResources, ecs:CreateTags, ecs:TagResources
- Attach the BindTagForRes custom policy to the userTest RAM user. For more information,
see Grant permissions to a RAM user.
Step 2: Add a tag to a VPC
The custom policy created in Step 1 requires that you select a VPC to which the user:lisi
tag is added when you create an ECS resource. Therefore, you must have VPCs to which
the tag is added. If you do not have such VPCs, you cannot create the ECS resource.
Note If you do not have a VPC, create one first. For more information, see
Create a VPC.
- Log on to the Resource Management console. The Tags page appears.
- In the Region section, select a region.
- Set Tag Type to All Custom Tags.
- Click Create/Bind Tags. In the panel that appears, create the user:lisi tag and bind
the tag to an existing VPC. For more information, see Create and bind a tag.
Step 3: Create an ECS resource to which a specific tag is added
Log on to the ECS console by using the userTest RAM user and create an ECS instance
to which a tag is added.
- Log on to the ECS console by using the RAM user.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- Click Create Instance in the upper-right corner.
Note You must select the VPC to which the user:lisi tag is added in Step 2 and add the
owner:zhangsan tag to the ECS instance. If you do not add the owner:zhangsan tag to the
instance, the instance cannot be created, and the "You are not authorized to create ECS
instances" message appears.
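The following script is an added example, not part of the original page or of Alibaba Cloud's tooling. It embeds the BindTagForRes policy document from Step 1 and simulates how its statements decide a request, so that the outcome described in Step 3 (the instance is created only when it carries owner:zhangsan and the selected VPC carries user:lisi, while tag-management calls are always refused) can be checked before anyone logs on to the console. Two assumptions are made and labelled in the code: evaluation is deny-overrides-allow with implicit deny as the default, and an instance-creation request is checked once against the instance's own tags and once against the selected VPC's tags, succeeding only when both checks allow it. The action name ecs:RunInstances is used for instance creation; the helper names are the example's own.

```python
import fnmatch
import json

# The BindTagForRes policy document from Step 1, embedded so the example runs offline.
POLICY_JSON = r'''
{
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
         "Condition": {"StringEquals": {"ecs:tag/owner": "zhangsan"}}},
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
         "Condition": {"StringEquals": {"vpc:tag/user": "lisi"}}},
        {"Action": ["ecs:DescribeTagKeys", "ecs:ListTagResources", "ecs:DescribeTags",
                    "ecs:DescribeKeyPairs", "ecs:DescribeImages", "ecs:DescribeSecurityGroups",
                    "ecs:DescribeLaunchTemplates", "ecs:DescribeDedicatedHosts",
                    "ecs:DescribeDedicatedHostTypes", "ecs:DescribeAutoSnapshotPolicyEx",
                    "vpc:DescribeVpcs", "vpc:DescribeVSwitches", "bss:PayOrder"],
         "Effect": "Allow", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["ecs:DeleteTags", "ecs:UntagResources", "ecs:CreateTags", "ecs:TagResources"],
         "Resource": "*"}
    ],
    "Version": "1"
}
'''
POLICY = json.loads(POLICY_JSON)


def _action_matches(pattern, action):
    """Match a statement's Action (a string such as "ecs:*" or a list) against one action name."""
    if isinstance(pattern, list):
        return any(_action_matches(p, action) for p in pattern)
    return fnmatch.fnmatchcase(action, pattern)


def _condition_satisfied(condition, context):
    """StringEquals is the only operator this policy uses; every listed key must equal the
    value in the request context, and a key missing from the context fails the condition."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def evaluate(policy, action, context):
    """Assumption: deny-overrides-allow evaluation with implicit deny as the default.
    Returns "Deny", "Allow" or "ImplicitDeny" for one action against one context."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_satisfied(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an applicable Deny wins regardless of any Allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def can_create_instance(policy, instance_tags, vpc_tags):
    """Assumption: creating an instance is authorized against the instance's tags
    (ecs:tag/* keys) and, separately, against the selected VPC's tags (vpc:tag/* keys);
    the request succeeds only when both checks are allowed, which is the behaviour
    the page describes in Step 3."""
    instance_ctx = {f"ecs:tag/{k}": v for k, v in instance_tags.items()}
    vpc_ctx = {f"vpc:tag/{k}": v for k, v in vpc_tags.items()}
    checks = (evaluate(policy, "ecs:RunInstances", instance_ctx),
              evaluate(policy, "ecs:RunInstances", vpc_ctx))
    return all(result == "Allow" for result in checks)


if __name__ == "__main__":
    # Constructed requests: the compliant one from the page, then the two common mistakes.
    print(can_create_instance(POLICY, {"owner": "zhangsan"}, {"user": "lisi"}))   # True
    print(can_create_instance(POLICY, {}, {"user": "lisi"}))                      # False
    print(can_create_instance(POLICY, {"owner": "zhangsan"}, {}))                 # False
    # Tag management is explicitly denied even for a correctly tagged instance.
    print(evaluate(POLICY, "ecs:CreateTags", {"ecs:tag/owner": "zhangsan"}))      # Deny
```

Running the script shows why the RAM user sees the "not authorized" message in Step 3 when either tag is missing, and why the user cannot later retag resources to satisfy the condition: the Deny statement on the tag APIs applies even when the owner:zhangsan condition is met. The same evaluate() call can be reused to review other actions (for example, ecs:DescribeImages is allowed unconditionally by the third statement, while an action outside the listed ones falls through to implicit deny).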

What to do next
Add specific tags to existing resources so that you can control access to these resources.
You can also access the resources to which specific tags are added. For more information,
see Control access to resources by using tags.