You can attach a custom policy to a RAM user that requires the user to bind specific tags to the ECS resources it creates; if the required tags are not bound, the resources cannot be created. Combining tags with RAM users in this way lets different RAM users have different access and operation permissions on cloud resources, scoped by tag.

Prerequisites

A RAM user is created under your Alibaba Cloud account. For more information, see Create a RAM user.

Step 1: Create a custom policy and attach the policy to the RAM user

In this step, the BindTagForRes custom policy is attached to the userTest RAM user. When the RAM user creates an ECS resource, the RAM user must bind a specific tag to the resource and select a VPC that is bound with a specific tag. In this example, the user:lisi tag is bound to the VPC, and the owner:zhangsan tag is bound to the ECS resource.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create the BindTagForRes custom policy. For more information, see Create a custom policy.

    Policy document:

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/owner": "zhangsan"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "vpc:tag/user": "lisi"
                    }
                }
            },
            {
                "Action": [
                    "ecs:DescribeTagKeys",
                    "ecs:ListTagResources",
                    "ecs:DescribeTags",
                    "ecs:DescribeKeyPairs",
                    "ecs:DescribeImages",
                    "ecs:DescribeSecurityGroups",
                    "ecs:DescribeLaunchTemplates",
                    "ecs:DescribeDedicatedHosts",
                    "ecs:DescribeDedicatedHostTypes",
                    "ecs:DescribeAutoSnapshotPolicyEx",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches",
                    "bss:PayOrder"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:DeleteTags",
                    "ecs:UntagResources",
                    "ecs:CreateTags",
                    "ecs:TagResources"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }

    The following table lists the permissions defined in the preceding policy.

    Permission | Parameter
    Create or access a resource that is bound with a specific tag | "ecs:tag/owner": "zhangsan"
    Call API operations that are used to query tags | ecs:DescribeTagKeys, ecs:ListTagResources, ecs:DescribeTags
    Call API operations that are used to query ECS resources | ecs:DescribeKeyPairs, ecs:DescribeImages, ecs:DescribeSecurityGroups, ecs:DescribeLaunchTemplates, ecs:DescribeDedicatedHosts, ecs:DescribeDedicatedHostTypes, ecs:DescribeAutoSnapshotPolicyEx
    Call API operations that are used to query VPC resources | vpc:DescribeVpcs, vpc:DescribeVSwitches
    Call the API operation that is used to pay for orders | bss:PayOrder
    Not allowed to call API operations that are used to manage tags (explicit Deny) | ecs:DeleteTags, ecs:UntagResources, ecs:CreateTags, ecs:TagResources
    Select a VPC that is bound with a specific tag | "vpc:tag/user": "lisi"

    The explicit Deny on the tag-management operations is what keeps the tag conditions meaningful. In RAM an explicit Deny takes precedence over any Allow, so the RAM user cannot use ecs:TagResources (which ecs:* would otherwise permit once the owner:zhangsan tag is in the request) to attach owner:zhangsan to other resources and bring them into the scope of the first statement.
  3. Attach the BindTagForRes custom policy to the userTest RAM user. For more information, see Grant permissions to a RAM user.

Step 2: Bind a tag to a VPC

The custom policy created in Step 1 requires that you select a VPC that is bound with the user:lisi tag when you create an ECS resource. Therefore, you must have VPCs that are bound with the tag. If you do not have such VPCs, you cannot create the ECS resource.

Note If you do not have a VPC, create one first. For more information, see Create a VPC.
  1. Log on to the Resource Management console. The Tags page appears.
  2. In the Region section, select the region where the tag resides.
  3. Set Tag Type to All Custom Tags.
  4. Click Create/Bind Tags. In the pane that appears, create the user:lisi tag and bind the tag to an existing VPC. For more information, see Create and bind a tag.

Step 3: Create an ECS resource that is bound with a specific tag

Log on to the ECS console as the userTest RAM user and create an ECS instance that is bound with a tag.

  1. Log on to the ECS console by using the RAM user.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. Click Create Instance.
    Note You must select the VPC that is bound with the user:lisi tag in Step 2 and bind the owner:zhangsan tag to the ECS instance. If you do not bind the owner:zhangsan tag, the ECS instance cannot be created, and the message "You are not authorized to create ECS instances" appears.
    Bind a specific tag
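The following added example is not part of the original page and is not Alibaba Cloud's policy engine. It is a small evaluator, written here for illustration, that applies the BindTagForRes policy from Step 1 to sample requests so you can see why a create request without the owner:zhangsan tag is rejected, why the query operations still work, and why the explicit Deny blocks tag changes even when the tag condition is satisfied. The functions `evaluate` and `request_context` are hypothetical names introduced here; the way `request_context` maps tags to the `ecs:tag/<key>` and `vpc:tag/<key>` condition keys is an assumption about how those keys are populated. Each statement is evaluated independently, as the JSON is written, so the example does not model how ECS populates per-resource condition keys inside a single RunInstances call.

```python
import fnmatch
import json

# The BindTagForRes policy from Step 1, embedded verbatim (RAM policy language, Version "1").
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
     "Condition": {"StringEquals": {"ecs:tag/owner": "zhangsan"}}},
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
     "Condition": {"StringEquals": {"vpc:tag/user": "lisi"}}},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecs:DescribeTagKeys", "ecs:ListTagResources", "ecs:DescribeTags",
                "ecs:DescribeKeyPairs", "ecs:DescribeImages", "ecs:DescribeSecurityGroups",
                "ecs:DescribeLaunchTemplates", "ecs:DescribeDedicatedHosts",
                "ecs:DescribeDedicatedHostTypes", "ecs:DescribeAutoSnapshotPolicyEx",
                "vpc:DescribeVpcs", "vpc:DescribeVSwitches", "bss:PayOrder"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["ecs:DeleteTags", "ecs:UntagResources", "ecs:CreateTags", "ecs:TagResources"]}
  ]
}
""")


def _as_list(value):
    """Action/Resource may be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Wildcard match (* and ?) for Action/Resource; compared case-insensitively (model assumption)."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Only StringEquals is needed for this policy. A condition key that is absent
    from the request context makes the condition false, so a request that carries
    no tag can never satisfy a tag condition."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, expected in pairs.items():
            if key not in ctx or ctx[key] not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, ctx, resource="*"):
    """Decide Allow/Deny for one request: an explicit Deny wins over any Allow,
    and a request that matches no Allow statement is denied by default."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def request_context(instance_tags, vpc_tags):
    """Build the condition-key context for a create request (assumption): tags bound to
    the new ECS resource appear as ecs:tag/<key>, tags on the selected VPC as vpc:tag/<key>."""
    ctx = {f"ecs:tag/{k}": v for k, v in instance_tags.items()}
    ctx.update({f"vpc:tag/{k}": v for k, v in vpc_tags.items()})
    return ctx


if __name__ == "__main__":
    tagged = request_context({"owner": "zhangsan"}, {"user": "lisi"})
    print("RunInstances, both tags:  ", evaluate(POLICY, "ecs:RunInstances", tagged))
    print("RunInstances, no tags:    ", evaluate(POLICY, "ecs:RunInstances", request_context({}, {})))
    print("TagResources, both tags:  ", evaluate(POLICY, "ecs:TagResources", tagged))
    print("DescribeImages, no tags:  ", evaluate(POLICY, "ecs:DescribeImages", {}))
```

Run it as a script to see the four decisions. The untagged RunInstances request is denied by default rather than by a Deny statement, which is the case behind the "not authorized" message in Step 3; TagResources is denied even with both tags present because the fourth statement's Deny is evaluated after the conditional Allows matched and overrides them.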

What to do next

You can bind specific tags to existing resources so that you can control access to these resources. You can also access resources bound with specific tags. For more information, see Control access to resources by using tags.