You can use an Operation Orchestration Service (OOS) custom template to bind tags to multiple resources in the same region at a time. Then, you can control permissions on these resources based on the tags.

Background information

You can bind tags to the resources of Elastic Compute Service (ECS) and other Alibaba Cloud services. For more information about the services that support tags, see Alibaba Cloud services that support tags.

In this topic, a custom template is created in OOS to bind the owner:zhangsan tag to ECS instances in the same region.

Note The resources to which a tag will be bound must reside in the same region.

Step 1: Create a RAM role and attach permission policies to it

Create a RAM role named OOSServiceRole for OOS and attach permission policies to the role.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create a custom policy named OOSAutoBindTag. For more information, see Create a custom policy.
    Note This policy is used for ECS instances, and the permission in the policy is set to ecs:DescribeInstances. You can set the permission based on your business needs. For example, if you want to bind tags to multiple security groups, you can replace ecs:DescribeInstances with ecs:DescribeSecurityGroups.

    The following policy is created:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:TagResources"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
  3. Create the OOSServiceRole RAM role.
    For more information, see Create a normal service role.
  4. Attach the custom policy to the RAM role.
    For more information, see Grant permissions to a RAM role.
  5. Attach the AliyunOSSFullAccess system policy to the OOSServiceRole RAM role.
    For more information, see Grant permissions to a RAM role.

Step 2: Bind tags to multiple resources at a time

  1. Log on to the OOS console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, click My Templates.
  4. Create a custom template.
    1. On the My Templates page, click Create Template.
    2. In the Create Template dialog box, click the Empty Templates tab, select Empty Templates, and then click OK.
    3. On the Create Template page, click the YAML tab and edit the template. In the Basic Information section, enter OOSAutoBindTag in the Template Name field. After you edit the template, click Create Template.

      Sample code:

      FormatVersion: OOS-2019-06-01
      Description: Tag Resources Without The Specified Tags
      Parameters:
        tags:
          Type: Json
          Description:
            en: The tags to select ECS instances.
          AssociationProperty: Tags
        regionId:
          Type: String
          Description:
            en: The region to select ECS instances.
        OOSAssumeRole:
          Description:
            en: The RAM role to be assumed by OOS.
          Type: String
          Default: OOSServiceRole
      # The role OOS assumes while running the tasks below. It references the
      # OOSAssumeRole parameter so the role chosen at execution time is used.
      RamRole: '{{ OOSAssumeRole }}'
      Tasks:
        # Instances that already carry the specified tags.
        - Name: getInstancesByTags
          Action: 'ACS::ExecuteAPI'
          Description: ''
          Properties:
            Service: ECS
            API: DescribeInstances
            Parameters:
              Tags: '{{ tags }}'
              RegionId: '{{ regionId }}'
          Outputs:
            InstanceIds:
              Type: List
              ValueSelector: 'Instances.Instance[].InstanceId'
        # Every instance in the region.
        - Name: getAllInstances
          Action: 'ACS::ExecuteAPI'
          Description: ''
          Properties:
            Service: ECS
            API: DescribeInstances
            Parameters:
              RegionId: '{{ regionId }}'
          Outputs:
            InstanceIds:
              Type: List
              ValueSelector: 'Instances.Instance[].InstanceId'
        # Tag each instance that is in getAllInstances but not in
        # getInstancesByTags, 20 at a time. MaxErrors: 100% lets the loop
        # continue past items that fail instead of stopping the execution.
        - Name: TagResources_ECS_Instances
          Action: 'ACS::ExecuteAPI'
          Description:
            en: 'tag ecs instances, which are without the specified tags.'
          Properties:
            Service: ECS
            API: TagResources
            Parameters:
              Tags: '{{ tags }}'
              RegionId: '{{ regionId }}'
              ResourceType: Instance
              ResourceIds:
                - '{{ ACS::TaskLoopItem }}'
          Loop:
            MaxErrors: 100%
            Concurrency: 20
            Items:
              'Fn::Difference':
                - '{{ getAllInstances.InstanceIds }}'
                - '{{ getInstancesByTags.InstanceIds }}'
      # The execution output: the instance IDs that were tagged.
      Outputs:
        InstanceIds:
          Type: List
          Value:
            'Fn::Difference':
              - '{{ getAllInstances.InstanceIds }}'
              - '{{ getInstancesByTags.InstanceIds }}'

      Parameters:

      • tags: the tags that are bound to ECS instances.
      • regionId: the region ID of the ECS instances to which the selected tags are bound.
      • OOSAssumeRole: the RAM role used by OOS.

      Permissions:

      • DescribeInstances: filters resources based on tags.
      • TagResources: creates tags and binds them to specified resources.
  5. Execute the custom template.
    1. In the left-side navigation pane, click My Templates. On the My Templates page, find the OOSAutoBindTag custom template that you created, and click Create Execution in the Actions column.
    2. Use the default settings or select another execution mode, and click Next: Parameter Settings.
    3. In the Parameter Settings step, configure parameters and click Next: OK.

      The following parameters are configured in this example:

      • tags: Select the tag owner:zhangsan.
      • regionId: Select the region of the instances, such as cn-shanghai.
      • OOSAssumeRole: Use the OOSServiceRole RAM role.
    4. Click Create.
    5. On the execution details page, click the Advanced View tab.
    6. Click the Execution Result tab on the right side of the page.
    7. View the execution result.
      • If the execution succeeds, the information shown in the following figure appears.
      • If the execution fails, you can check logs for the failure cause and make adjustments accordingly.
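The following is an added example, not code from Alibaba Cloud or from the OOS template above: it derives the RAM actions the OOSAutoBindTag template calls from its ACS::ExecuteAPI tasks, compares them with the Step 1 policy to report actions that are missing or granted but unused (the check the note in Step 1 implies when you swap DescribeInstances for DescribeSecurityGroups), and reproduces the Fn::Difference selection the template's loop runs. The helper names and the sample DescribeInstances responses are constructed for the example.

```python
import fnmatch

# The Step 1 custom policy, as shown on the page.
POLICY = {"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*",
          "Action": ["ecs:DescribeInstances", "ecs:TagResources"]}]}

# The ACS::ExecuteAPI tasks of the OOSAutoBindTag template, reduced to the Service and
# API each one calls (getInstancesByTags, getAllInstances, TagResources_ECS_Instances).
TEMPLATE_TASKS = [
    {"Action": "ACS::ExecuteAPI", "Properties": {"Service": "ECS", "API": "DescribeInstances"}},
    {"Action": "ACS::ExecuteAPI", "Properties": {"Service": "ECS", "API": "DescribeInstances"}},
    {"Action": "ACS::ExecuteAPI", "Properties": {"Service": "ECS", "API": "TagResources"}},
]

# Constructed DescribeInstances responses (sample IDs): unfiltered, and filtered by Tags.
ALL_RESP = {"Instances": {"Instance": [{"InstanceId": i} for i in ("i-aaa", "i-bbb", "i-ccc")]}}
TAGGED_RESP = {"Instances": {"Instance": [{"InstanceId": "i-bbb"}]}}

def required_actions(tasks):
    """RAM actions a template needs: '<service>:<API>' for each ExecuteAPI task."""
    return {f"{t['Properties']['Service'].lower()}:{t['Properties']['API']}"
            for t in tasks if t.get("Action") == "ACS::ExecuteAPI"}

def allowed_actions(policy):
    """Action strings from every Allow statement (Action may be a string or a list)."""
    acts = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow":
            a = st["Action"]
            acts.update([a] if isinstance(a, str) else a)
    return acts

def _matches(pattern, action):
    # RAM action names are case-insensitive and may contain '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def check_policy(policy, tasks):
    """Return (missing, unused): actions the template calls that the policy does not
    grant, and granted actions no task calls. A wildcard such as ecs:* satisfies every
    ECS action, so wildcard grants still need a manual review."""
    needed, granted = required_actions(tasks), allowed_actions(policy)
    missing = [n for n in sorted(needed) if not any(_matches(g, n) for g in granted)]
    unused = [g for g in sorted(granted) if not any(_matches(g, n) for n in needed)]
    return missing, unused

def untagged_instances(all_resp, tagged_resp):
    """Fn::Difference as the template's loop applies it: unfiltered IDs minus tagged IDs."""
    ids = lambda r: [i["InstanceId"] for i in r["Instances"]["Instance"]]
    tagged = set(ids(tagged_resp))
    return [i for i in ids(all_resp) if i not in tagged]
```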