After you add tags to your Elastic Compute Service (ECS) resources, you can use the tags to categorize and control access to the resources. This topic uses ECS instances to demonstrate how to attach a policy to a RAM user and how the user uses tags to control access to the ECS instances.
Prerequisites
A RAM user is created under your Alibaba Cloud account. For more information, see Create a RAM user.
Background information
Tags are used to identify cloud resources. The tags help you categorize, search for, and aggregate cloud resources with the same characteristics from different dimensions. This simplifies resource management. You can add multiple tags to each cloud resource. For more information about cloud resources that support tags and the types of these resources, see Alibaba Cloud services that support tags and Types of resources that support tag API operations.
Alibaba Cloud implements policy-based access control. You can configure RAM policies based on the roles of RAM users. You can define multiple tags in each policy and attach one or more policies to RAM users or RAM user groups.
By default, all resources within the current region appear in the resource list. To control the resources that are accessible to a RAM user, create a custom policy, attach the policy to the user, and add tags to the resources.
Step 1: Create a custom policy and attach the policy to the RAM user
In this step, create a custom policy named UserTagAccessRes by using an Alibaba Cloud account and attach the policy to the userTest RAM user. The UserTagAccessRes policy defines that the RAM user must specify the owner:zhangsan and environment:production tags before the user accesses ECS resources.
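The following Python sketch is an added illustration, not part of the original topic or Alibaba Cloud's own policy text. It writes out one possible form of the UserTagAccessRes policy and checks constructed requests against it. The `acs:RequestTag/` condition keys, the `ecs:*` action and the simplified local evaluator (which ignores Action and Resource matching) are assumptions; RAM performs the real evaluation.

```python
import json

# Assumed form of the UserTagAccessRes policy. The page names the policy and
# its two tags but does not show the policy document itself.
USER_TAG_ACCESS_RES = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ecs:*",
        "Resource": "*",
        "Condition": {"StringEquals": {
            "acs:RequestTag/owner": ["zhangsan"],
            "acs:RequestTag/environment": ["production"],
        }},
    }],
}

PREFIX = "acs:RequestTag/"

def condition_matches(condition, request_tags):
    """Simplified StringEquals: every key must match (AND), any listed value
    for a key is accepted (OR), and the comparison is case-sensitive."""
    for key, allowed in condition.get("StringEquals", {}).items():
        if not key.startswith(PREFIX):
            return False  # condition key that this sketch does not model
        if request_tags.get(key[len(PREFIX):]) not in allowed:
            return False
    return True

def is_allowed(policy, request_tags):
    """Allow only when an Allow statement's condition matches; anything else
    falls through to the implicit deny."""
    return any(
        s["Effect"] == "Allow"
        and condition_matches(s.get("Condition", {}), request_tags)
        for s in policy["Statement"]
    )

# Constructed requests: the tags that userTest specifies when calling ECS.
SAMPLE_REQUESTS = {
    "both tags": {"owner": "zhangsan", "environment": "production"},
    "owner only": {"owner": "zhangsan"},
    "wrong owner": {"owner": "lisi", "environment": "production"},
    "wrong case": {"owner": "zhangsan", "environment": "Production"},
    "no tags": {},
}

if __name__ == "__main__":
    print(json.dumps(USER_TAG_ACCESS_RES, indent=2))
    for name, tags in SAMPLE_REQUESTS.items():
        verdict = "allow" if is_allowed(USER_TAG_ACCESS_RES, tags) else "implicit deny"
        print(f"{name:12} -> {verdict}")
```

Only the request that carries both tags with exact values is allowed; a missing tag, a different value or a different letter case leaves the user with no matching Allow statement.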
Step 2: Add tags to ECS instances
In this step, use an Alibaba Cloud account to add tags to ECS instances.
- Log on to the Resource Management console. The Tags page appears.
- In the Region section, select a region.
- Set Tag Type to All Custom Tags.
- Click Create/Bind Tags. In the panel that appears, create the owner:zhangsan and environment:production tags and bind them to existing ECS instances. For more information, see Create and bind a tag.
Step 3: Access ECS instances to which specific tags are added
In this step, use the userTest RAM user, to which the UserTagAccessRes policy is attached, to log on to the ECS console and access the instances to which the specific tags are added.