
Elastic Compute Service:Use tags to control the permissions of a RAM user

Last Updated: Mar 29, 2024

After you add tags to your cloud resources, you can use the tags to categorize the resources and control access to them. This topic describes how to use tags to control the permissions of Resource Access Management (RAM) users, so that different users are granted different access and operation permissions on cloud resources based on the tags those resources carry. This allows you to implement fine-grained access control and makes resource management more efficient.

The following figure shows how to use tags to manage resource access and operation permissions of RAM users, which is called tag-based authentication.

[Figure: tag-based authentication of RAM users]

Configuration example

  1. Log on to the RAM console by using your Alibaba Cloud account.

  2. Create a custom policy. For more information, see Create custom policies.

    You can configure multiple tag-based conditions for cloud resources in the Condition element of the custom policy to control permissions. The following table describes supported tag-based authentication conditions.

    Tag-based authentication condition    Description
    ------------------------------------  -------------------------------------------------------------------------
    acs:RequestTag                        Indicates that a specific tag must be included in each API request.
                                          Important: If an API request does not include tag-related parameters,
                                          the acs:RequestTag condition cannot be used, and authentication fails.
    acs:ResourceTag                       Indicates that a specific tag must be added to the specified resource.
                                          Important: If an API request does not include a resource ID, the
                                          acs:ResourceTag condition cannot be used, and authentication fails.

    Policy example

    The policy example in this section provides the following access control:

    • ECS resources can be created only when the costcenter:tony tag is added to the resources during creation.

    • All operations are allowed only on resources to which the costcenter:tony tag is added.

    • Certain information about an instance can be queried only when the costcenter:tony tag is added to the instance.

    • Tags cannot be modified, added, or deleted.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:Run*",
                    "ecs:Create*",
                    "ecs:Purchase*",
                    "ecs:DescribeInstances",
                    "ecs:List*"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "acs:RequestTag/costcenter": "tony"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "acs:ResourceTag/costcenter": "tony"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:List*",
                    "ecs:DescribeInstanceStatus",
                    "ecs:DescribeInstanceVncUrl",
                    "ecs:DescribeInstanceAutoRenewAttribute",
                    "ecs:DescribeInstanceRamRole",
                    "ecs:DescribeInstanceTypeFamilies",
                    "ecs:DescribeInstanceTypes",
                    "ecs:DescribeInstanceAttachmentAttributes",
                    "ecs:DescribeInstancesFullStatus",
                    "ecs:DescribeInstanceHistoryEvents",
                    "ecs:DescribeInstanceMonitorData",
                    "ecs:DescribeInstanceMaintenanceAttributes",
                    "ecs:DescribeInstanceModificationPrice",
                    "ecs:DescribeA*",
                    "ecs:DescribeC*",
                    "ecs:DescribeD*",
                    "ecs:DescribeE*",
                    "ecs:DescribeH*",
                    "ecs:DescribeIm*",
                    "ecs:DescribeInv*",
                    "ecs:DescribeK*",
                    "ecs:DescribeL*",
                    "ecs:DescribeM*",
                    "ecs:DescribeN*",
                    "ecs:DescribeP*",
                    "ecs:DescribeR*",
                    "ecs:DescribeS*",
                    "ecs:DescribeT*",
                    "ecs:DescribeZ*",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches",
                    "bss:PayOrder"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:RemoveTags",
                    "ecs:UntagResources",
                    "ecs:AddTags",
                    "ecs:TagResources"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Attach the custom policy to the RAM user or RAM user group for which you want to control access. For more information, see Grant permissions to a RAM user or Grant permissions to a RAM user group.

    Note

    If you attach the custom policy to an existing RAM user, be aware that the user may already have other policies attached, and the combined effect of multiple policies attached to a single RAM user may produce unexpected permission results.
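To make the behaviour of the two condition keys and the explicit Deny concrete, the following is an added example that is not part of this documentation and is not the RAM authorization engine. It is a deliberately simplified evaluator that applies a condensed copy of the policy from step 2 (same four statements and conditions, shorter action lists) to individual API calls. It models only what this topic covers: wildcard Action matching, StringEquals on acs:RequestTag/<key> and acs:ResourceTag/<key>, the rule that a condition key whose context is absent from the request cannot be satisfied, and Deny taking precedence over Allow. Resource ARN matching, other condition operators and the interaction of several attached policies are assumptions left out of the model.

```python
"""Simplified evaluator for the tag-based RAM policy example above.

Added example, not part of the Alibaba Cloud documentation and not the
RAM authorization engine. Models only: Allow/Deny effects, wildcard
Action matching, StringEquals on acs:RequestTag/<key> and
acs:ResourceTag/<key>, explicit Deny beating Allow, default Deny.
"""
import fnmatch
import json

# Condensed copy of the page's policy: the same four statements and
# conditions, with shorter action lists (constructed for this example).
POLICY = json.loads(r'''
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ecs:Run*", "ecs:Create*", "ecs:Purchase*",
                "ecs:DescribeInstances", "ecs:List*"],
     "Resource": "*",
     "Condition": {"StringEquals": {"acs:RequestTag/costcenter": "tony"}}},
    {"Effect": "Allow", "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"acs:ResourceTag/costcenter": "tony"}}},
    {"Effect": "Allow",
     "Action": ["ecs:List*", "ecs:DescribeInstanceStatus",
                "ecs:DescribeInstanceTypes", "vpc:DescribeVpcs"],
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["ecs:RemoveTags", "ecs:UntagResources",
                "ecs:AddTags", "ecs:TagResources"],
     "Resource": "*"}
  ]
}
''')


def _action_matches(statement, action):
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # fnmatchcase: '*' wildcard, case-sensitive on every platform
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_holds(statement, request_tags, resource_tags):
    """Evaluate the StringEquals block of one statement.

    request_tags:  tags carried by the request's tag parameters, or None
                   when the request has no tag-related parameters.
    resource_tags: tags on the resource the request names, or None when
                   the request carries no resource ID.
    A condition key whose context is None cannot be evaluated, so the
    condition fails and the statement does not apply (the page's
    "authentication fails" case).
    """
    equals = statement.get("Condition", {}).get("StringEquals", {})
    for key, expected in equals.items():
        if key.startswith("acs:RequestTag/"):
            tags = request_tags
        elif key.startswith("acs:ResourceTag/"):
            tags = resource_tags
        else:
            return False  # other condition keys are not modelled here
        if tags is None:
            return False
        tag_key = key.split("/", 1)[1]
        if tags.get(tag_key) != expected:
            return False
    return True


def evaluate(action, request_tags=None, resource_tags=None, policy=POLICY):
    """Return 'Allow' or 'Deny' for a single API call under the policy."""
    allowed = False
    for statement in policy["Statement"]:
        if not _action_matches(statement, action):
            continue
        if not _condition_holds(statement, request_tags, resource_tags):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny is never overridden by an Allow
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    # Constructed sample calls: (action, request tags, resource tags)
    cases = [
        ("ecs:RunInstances", {"costcenter": "tony"}, None),   # tag supplied at creation
        ("ecs:RunInstances", {"costcenter": "bob"}, None),    # wrong cost center
        ("ecs:RunInstances", None, None),                     # no tag parameters at all
        ("ecs:StopInstance", None, {"costcenter": "tony"}),   # existing tagged instance
        ("ecs:StopInstance", None, {"costcenter": "alice"}),  # instance of another cost center
        ("ecs:DescribeInstanceTypes", None, None),            # unconditional Allow
        ("ecs:AddTags", None, {"costcenter": "tony"}),        # Deny beats the Allow
    ]
    for action, req, res in cases:
        print(f"{action:28s} request={req} resource={res} -> "
              f"{evaluate(action, req, res)}")
```

Running the block prints one decision per sample call. The cases worth noticing are the third and the last: a creation call with no tag parameters is denied even though its action matches the first statement, because acs:RequestTag has nothing to evaluate, and an AddTags call on a correctly tagged instance is denied even though the second statement's Action "*" would allow it, because the explicit Deny is applied first.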