After you add tags to your cloud resources, you can use the tags to categorize the resources and control access to them. This topic describes how to use tags to control the permissions of Resource Access Management (RAM) users, so that different users are granted different access and operation permissions on cloud resources based on the tags those resources carry. This allows you to implement fine-grained access control and makes resource management more efficient.
The following figure shows how to use tags to manage resource access and operation permissions of RAM users, which is called tag-based authentication.
Configuration example
Log on to the RAM console by using your Alibaba Cloud account.
Create a custom policy. For more information, see Create custom policies.
You can configure multiple tag-based conditions for cloud resources in the Condition element of the custom policy to control permissions. The following table describes the supported tag-based authentication conditions.

Tag-based authentication condition: acs:RequestTag
Description: Indicates that a specific tag must be included in each API request.
Important: If an API request does not include tag-related parameters, the acs:RequestTag condition cannot be used, and authentication fails.

Tag-based authentication condition: acs:ResourceTag
Description: Indicates that a specific tag must be added to the specified resource.
Important: If an API request does not include a resource ID, the acs:ResourceTag condition cannot be used, and authentication fails.

Attach the custom policy to the RAM user or RAM user group for which you want to control access. For more information, see Grant permissions to a RAM user or Grant permissions to a RAM user group.
Note: If you attach the custom policy to an existing RAM user, note that multiple policies attached to a single RAM user may cause permission issues.
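The following is an added example, not part of the original topic and not Alibaba Cloud's own policy evaluator. It embeds a custom policy that uses both acs:ResourceTag and acs:RequestTag in its Condition element, and then runs a small, simplified local simulation of how such a policy is evaluated. The tag key "team", the tag value "payments", and the ECS actions used are assumptions chosen for illustration. The simulation reproduces the two cautions from the table above: a condition whose key cannot be derived from the request (no resource ID, or no tag parameters) does not hold, so the request falls through to the default deny.

```python
import json

# Constructed example policy (assumptions: tag key "team", value "payments", ECS actions).
# Statement 1: operate only on instances that already carry the tag team=payments.
# Statement 2: create instances only when the request itself tags them team=payments.
POLICY_JSON = r'''
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ecs:StartInstance", "ecs:StopInstance"],
      "Resource": "*",
      "Condition": {"StringEquals": {"acs:ResourceTag/team": "payments"}}
    },
    {
      "Effect": "Allow",
      "Action": ["ecs:CreateInstance"],
      "Resource": "*",
      "Condition": {"StringEquals": {"acs:RequestTag/team": "payments"}}
    }
  ]
}
'''

POLICY = json.loads(POLICY_JSON)


def _condition_holds(condition, request):
    """Simplified local evaluation of a Condition block (StringEquals only).

    A tag condition key that cannot be resolved from the request evaluates to
    False, which mirrors the caution in the table: no resource ID means
    acs:ResourceTag cannot be used, no tag parameters means acs:RequestTag
    cannot be used, and authentication fails either way.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError("simulation supports StringEquals only: %s" % operator)
        for key, expected in pairs.items():
            if key.startswith("acs:ResourceTag/"):
                if request.get("resource_id") is None:
                    return False  # no resource ID: resource tags cannot be looked up
                actual = request.get("resource_tags", {}).get(key.split("/", 1)[1])
            elif key.startswith("acs:RequestTag/"):
                # None when the API request carries no tag-related parameters
                actual = request.get("request_tags", {}).get(key.split("/", 1)[1])
            else:
                raise ValueError("unsupported condition key: %s" % key)
            if actual != expected:
                return False
    return True


def is_allowed(policy, request):
    """Return True if the request is permitted by the policy.

    Default deny; an explicit Deny statement wins over any Allow. Actions are
    matched exactly (no wildcard expansion in this simulation).
    """
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if request["action"] not in actions:
            continue
        if not _condition_holds(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed sample requests (resource IDs are placeholders, not real instances).
REQ_OWN_TEAM = {"action": "ecs:StartInstance", "resource_id": "i-placeholder-1",
                "resource_tags": {"team": "payments"}}
REQ_OTHER_TEAM = {"action": "ecs:StartInstance", "resource_id": "i-placeholder-2",
                  "resource_tags": {"team": "billing"}}
REQ_NO_RESOURCE_ID = {"action": "ecs:StartInstance", "request_tags": {"team": "payments"}}
REQ_CREATE_TAGGED = {"action": "ecs:CreateInstance", "request_tags": {"team": "payments"}}
REQ_CREATE_UNTAGGED = {"action": "ecs:CreateInstance"}


if __name__ == "__main__":
    for name, req in [("own team", REQ_OWN_TEAM), ("other team", REQ_OTHER_TEAM),
                      ("no resource ID", REQ_NO_RESOURCE_ID),
                      ("create tagged", REQ_CREATE_TAGGED),
                      ("create untagged", REQ_CREATE_UNTAGGED)]:
        print("%-16s -> %s" % (name, "allow" if is_allowed(POLICY, req) else "deny"))
```

The useful property to notice is that the untagged and ID-less requests are denied rather than allowed: when a tag condition cannot be evaluated, the statement simply does not grant anything, so a RAM user whose only permissions come from tag-conditioned statements cannot reach resources outside their tag scope.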