Use tags to control access to ECS resources - Tag| Alibaba Cloud Documentation Center

After you add tags to your Elastic Compute Service (ECS) resources, you can use the tags to categorize and control access to the resources. This topic uses ECS instances to demonstrate how to attach a policy to a RAM user and how the user uses tags to control access to the ECS instances.

Prerequisites

A RAM user is created under your Alibaba Cloud account. For more information, see Create a RAM user.

Background information

Tags are used to identify cloud resources. The tags help you categorize, search for, and aggregate cloud resources with the same characteristics from different dimensions. This simplifies resource management. You can add multiple tags to each cloud resource. For more information about cloud resources that support tags and the types of these resources, see Alibaba Cloud services that support tags and Types of resources that support tag API operations.

Alibaba Cloud implements policy-based access control. You can configure RAM policies based on the roles of RAM users. You can define multiple tags in each policy and attach one or more policies to RAM users or RAM user groups.

By default, all resources within the current region appear in the resource list. To control the resources that are accessible to a RAM user, create a custom policy, attach the policy to the user, and add tags to the resources.

Step 1: Create a custom policy and attach the policy to the RAM user

In this step, create a custom policy named UserTagAccessRes by using an Alibaba Cloud account and attach the policy to the userTest RAM user. The UserTagAccessRes policy defines that the RAM user must specify the owner: zhangsan and environment: production tags before the user accesses ECS resources.

Log on to the RAM console by using an Alibaba Cloud account.

For more information about how to create the UserTagAccessRes custom policy, see Create a custom policy.

The following code shows how to configure multiple tags for cloud resources in a policy:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ecs:tag/owner": "zhangsan",
                    "ecs:tag/environment": "production"
                }
            }
        },
        {
            "Action": [
                "ecs:DescribeTagKeys",
                "ecs:DescribeTags"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ecs:DeleteTags",
                "ecs:UntagResources",
                "ecs:CreateTags",
                "ecs:TagResources"
            ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}


Permission	Parameter	Description
Access resources to which specific tags are added	`"ecs:tag/owner": "zhangsan"` `"ecs:tag/environment": "production"`	You can control access to resources to which the specific tags are added.
Call the API operations that are used to query tags	`ecs:DescribeTagKeys` `ecs:DescribeTags`	You can query tags in the ECS console.
Not allowed to call the API operations that are used to manage tags	`ecs:DeleteTags` `ecs:UntagResources` `ecs:CreateTags` `ecs:TagResources`	The policy excludes all tag-related API operations from its permissions. This ensures that users still have permissions regardless of tag modifications.

Attach the custom policy to the userTest RAM user. For more information, see Grant permissions to a RAM user.

Step 2: Add tags to ECS instances

In this step, use an Alibaba Cloud account to add tags to ECS instances.

Note If you do not have ECS instances, create an instance first. For more information, see Creation method overview.

Log on to the Resource Management console. The Tags page appears.
In the Region section, select a region.
Set Tag Type to All Custom Tags.
Click Create/Bind Tags. In the panel that appears, create the owner:zhangsan and environment: production tags and bind them to existing ECS instances. For more information, see Create and bind a tag.

Step 3: Access ECS instances to which specific tags are added

In this step, use the userTest RAM user who is attached with the UseTagAccessRes policy to log on to the ECS console and access instances to which specific tags are added.

Log on to the ECS console by using the RAM user.
In the left-side navigation pane, choose Instances & Images > Instances.
In the top navigation bar, select a region. No instances appear on the Instances page.
Specify tags to view resources.