You can attach a custom policy to a RAM user. This allows the RAM user to add specific tags to the ECS resources that the RAM user wants to create. Otherwise, the ECS resources cannot be created. The combination of tags and RAM users allows different RAM users to have different access and operation permissions on cloud resources based on tags.

Prerequisites

A RAM user is created under your Alibaba Cloud account. For more information, see Create a RAM user.

Step 1: Create a custom policy and attach the policy to a RAM user

In this step, the BindTagForRes custom policy is attached to the userTest RAM user. When the RAM user creates an ECS resource, the RAM user must add a specific tag to the resource and select a VPC to which a specific tag is added. In this example, the user:lisi tag is added to the VPC, and the owner:zhangsan tag is added to the ECS resource.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create the BindTagForRes custom policy. For more information, see Create a custom policy.

    Policy document:

    {
    "Statement": [
        {
           "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ecs:tag/owner": "zhangsan"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "vpc:tag/user": "lisi"
                }
            }
        },
        {
            "Action": [
                "ecs:DescribeTagKeys",
                "ecs:ListTagResources",
                "ecs:DescribeTags",
                "ecs:DescribeKeyPairs",
                "ecs:DescribeImages",
                "ecs:DescribeSecurityGroups",
                "ecs:DescribeLaunchTemplates",
                "ecs:DescribeDedicatedHosts",
                "ecs:DescribeDedicatedHostTypes",
                "ecs:DescribeAutoSnapshotPolicyEx",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "bss:PayOrder"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ecs:DeleteTags",
                "ecs:UntagResources",
                "ecs:CreateTags",
                "ecs:TagResources"
            ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}

    The following table lists the permissions defined in the preceding policy.

    Permission Parameter
    Create or access a resource to which a specific tag is added "ecs:tag/owner": "zhangsan"
    Call the API operations that are used to query tags
    • ecs:DescribeTagKeys
    • ecs:ListTagResources
    • ecs:DescribeTags
    Call the API operations that are used to query ECS resources
    • ecs:DescribeKeyPairs
    • ecs:DescribeImages
    • ecs:DescribeSecurityGroups
    • ecs:DescribeLaunchTemplates
    • ecs:DescribeDedicatedHosts
    • ecs:DescribeDedicatedHostTypes
    • ecs:DescribeAutoSnapshotPolicyEx
    Call the API operations that are used to query VPC resources
    • vpc:DescribeVpcs
    • vpc:DescribeVSwitches
    Call the API operation that is used to pay for orders bss:PayOrder
    Not allowed to call the API operations that are used to manage tags
    • ecs:DeleteTags
    • ecs:UntagResources
    • ecs:CreateTags
    • ecs:TagResources
    Add a tag to a VPC "vpc:tag/user": "lisi"
  3. Attach the BindTagForRes custom policy to the userTest RAM user. For more information, see Grant permissions to a RAM user.

Step 2: Add a tag to a VPC

The custom policy created in Step 1 requires that you select a VPC to which the user:lisi tag is added when you create an ECS resource. Therefore, you must have VPCs to which the tag is added. If you do not have such VPCs, you cannot create the ECS resource.

Note If you do not have a VPC, create one first. For more information, see Create a VPC.
  1. Log on to the Resource Management console. The Tags page appears.
  2. In the Region section, select a region.
  3. Set Tag Type to All Custom Tags.
  4. Click Create/Bind Tags. In the panel that appears, create the user:lisi tag and bind the tag to an existing VPC. For more information, see Create and bind a tag.

Step 3: Create an ECS resource to which a specific tag is added

Log on to the ECS console by using the userTest RAM user and create an ECS instance to which a tag is added.

  1. Log on to the ECS console by using the RAM user.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. Click Create Instance in the upper-right corner.
    Note You must select the VPC to which the user:lisi tag is added in Step 2 and add the owner:zhangsan tag to the ECS instance. If you do not add the owner:zhangsan tag to the instance, the instance cannot be created, and the You are not authorized to create ECS instances message appears.
    Add a specific tag

What to do next

Add specific tags to existing resources so that you can control access to these resources. You can also access the resources to which specific tags are added. For more information, see Control access to resources by using tags.