After you attach tags to your Elastic Compute Service (ECS) resources, you can use the tags to categorize and control access to the resources. This topic uses ECS instances to demonstrate how to attach a policy to a RAM user and allow the user to control access to the ECS instances by using tags.

Prerequisites

A RAM user is created under your Alibaba Cloud account. For more information, see Create a RAM user.

Background information

Tags are used to identify cloud resources. The tags help you categorize, search for, and aggregate cloud resources with the same characteristics from different dimensions. This simplifies resource management. You can bind multiple tags to each cloud resource. For more information about cloud resources that support tags and the types of these resources, see Alibaba Cloud services that support tags and Types of resources that support tag API operations.

Alibaba Cloud implements policy-based access control. You can configure RAM policies based on the roles of RAM users. You can define multiple tags in each policy and attach one or more policies to RAM users or RAM user groups.

By default, all resources within the current region appear in the resource list. If you want to control the resources that are accessible to RAM users, you can create a custom policy and use tags for this purpose.

Step 1: Create a custom policy and attach the policy to the RAM user

In this step, use an Alibaba Cloud account to create a custom policy named UserTagAccessRes and attach it to the RAM user userTest. The UserTagAccessRes policy allows the RAM user to access only ECS resources that are bound with both the owner:zhangsan and environment:production tags, and explicitly denies all tag management operations so that the user cannot change which resources fall within that scope.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create a custom policy named UserTagAccessRes. For more information, see Create a custom policy.
    The following policy shows how to require multiple tags on cloud resources in a single statement:
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/owner": "zhangsan",
                        "ecs:tag/environment": "production"
                    }
                }
            },
            {
                "Action": [
                    "ecs:DescribeTagKeys",
                    "ecs:DescribeTags"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:DeleteTags",
                    "ecs:UntagResources",
                    "ecs:CreateTags",
                    "ecs:TagResources"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
    The following table describes the three statements of the policy.

    Permission: Access resources that are bound with specific tags
    Parameters:
    • "ecs:tag/owner": "zhangsan"
    • "ecs:tag/environment": "production"
    Description: The Allow statement for ecs:* applies only to resources that carry both tags with exactly these values. A resource that carries only one of the tags, or a different value for either tag, does not match the condition and remains inaccessible.

    Permission: Call API operations that are used to query tags
    Parameters:
    • ecs:DescribeTagKeys
    • ecs:DescribeTags
    Description: The RAM user can query tag keys and tag values without a tag condition. The ECS console needs these operations to populate the tag filter.

    Permission: Not allowed to call API operations that are used to manage tags
    Parameters:
    • ecs:DeleteTags
    • ecs:UntagResources
    • ecs:CreateTags
    • ecs:TagResources
    Description: An explicit Deny takes precedence over the Allow statement, so the RAM user cannot create, modify, or delete tags on any ECS resource, including resources the user is otherwise allowed to manage. Without this statement, the user could bind the owner:zhangsan and environment:production tags to other resources, or remove them, and change the set of resources the first statement grants access to.
  3. Attach the custom policy to the userTest RAM user. For more information, see Grant permissions to a RAM user.
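To check how the three statements interact before attaching the policy to a real RAM user, the following added example (written for this page, not code from the Alibaba Cloud documentation or SDK) is a simplified evaluator for the UserTagAccessRes policy. It models only what this policy uses: action wildcards, StringEquals conditions on ecs:tag/ keys evaluated against the tags bound to the resource, and the rule that an explicit Deny overrides any Allow. It does not reproduce the full RAM evaluation logic (Resource matching, request tags, or service-specific condition support), and the instance IDs and tags are constructed sample data.

```python
import json

# The UserTagAccessRes policy exactly as shown on the page.
POLICY_JSON = """
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ecs:tag/owner": "zhangsan",
                    "ecs:tag/environment": "production"
                }
            }
        },
        {
            "Action": ["ecs:DescribeTagKeys", "ecs:DescribeTags"],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": ["ecs:DeleteTags", "ecs:UntagResources",
                       "ecs:CreateTags", "ecs:TagResources"],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
"""
POLICY = json.loads(POLICY_JSON)

# Constructed sample instances (hypothetical IDs) and the tags bound to them.
INSTANCES = {
    "i-prod-zhangsan": {"owner": "zhangsan", "environment": "production"},
    "i-prod-lisi": {"owner": "lisi", "environment": "production"},
    "i-staging-zhangsan": {"owner": "zhangsan", "environment": "staging"},
    "i-untagged": {},
}


def action_matches(pattern, action):
    """Match a policy action such as 'ecs:*' or 'ecs:DescribeTags' against a request."""
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def condition_holds(condition, resource_tags):
    """Every ecs:tag/<key> in the StringEquals block must equal the tag on the resource.

    A missing tag never matches, so an untagged resource fails the condition.
    Only ecs:tag/ conditions are modelled; any other key makes the statement not apply.
    """
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ecs:tag/"):
            return False
        if resource_tags.get(key[len("ecs:tag/"):]) != expected:
            return False
    return True


def evaluate(policy, action, resource_tags):
    """Return 'Allow' or 'Deny' for one request against one resource.

    An explicit Deny wins over any Allow; with no matching Allow the default is Deny.
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(action_matches(a, action) for a in actions):
            continue
        if not condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def visible_instances(policy, instances):
    """Instance IDs the RAM user may describe, i.e. what the tag filter in Step 3 can show."""
    return sorted(i for i, tags in instances.items()
                  if evaluate(policy, "ecs:DescribeInstances", tags) == "Allow")


if __name__ == "__main__":
    for action in ("ecs:StopInstance", "ecs:DescribeTags", "ecs:TagResources"):
        for inst, tags in INSTANCES.items():
            print(f"{action:22} {inst:20} {evaluate(POLICY, action, tags)}")
    print("visible:", visible_instances(POLICY, INSTANCES))
```

The results illustrate the point of the third statement: ecs:TagResources is denied even on i-prod-zhangsan, which the first statement would otherwise allow, so the RAM user cannot retag resources into or out of scope.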

Step 2: Bind tags to ECS instances

In this step, use an Alibaba Cloud account to bind tags to ECS instances.

Note If you do not have ECS instances, create an instance first. For more information, see Creation method overview.
  1. Log on to the Resource Management console. The Tags page appears.
  2. In the Region section, select a region.
  3. Set Tag Type to All Custom Tags.
  4. Click Create/Bind Tags. In the pane that appears, create the owner:zhangsan and environment:production tags and bind both of them to the existing ECS instances that the RAM user should be able to access. For more information, see Create and bind a tag.

Step 3: Access ECS instances that are bound with specific tags

In this step, log on to the ECS console as the RAM user userTest, to which the UserTagAccessRes policy is attached, and access the instances that are bound with the specified tags.

  1. Log on to the ECS console by using the RAM user.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select the region in which you bound the tags. No instances appear on the Instances page until you filter by tag.
  4. In the tag filter, specify the owner:zhangsan and environment:production tags. Only instances that are bound with both tags are listed; instances that carry neither tag, or only one of them, do not appear because they do not match the condition in the UserTagAccessRes policy.