This topic describes how to use tags to grant RAM users access to ECS instances by group. After authorization, RAM users can view and manage only the tagged resources.


  • An Alibaba Cloud account is created. If not, create one before proceeding. To create an Alibaba Cloud account, click account registration page.
  • The RAM service is activated, and you can log on to the RAM console. For more information, see Activate RAM.

Background information

You have 10 ECS instances. You want to authorize the dev team to manage five instances and the ops team to manage the other five. However, you want each team to view only the instances that you authorize the team to manage.


Create two RAM user groups, tag the ECS instances into two groups, and then authorize the two RAM user groups to manage the two ECS instance groups.

  • Tag five ECS instances with a tag key pair. The tag key is team and the tag value is dev.
  • Tag the other five ECS instances with a tag key pair. The tag key is team and the tag value is ops.


  1. Log on to the ECS console. In the left-side navigation pane, Click Instances. On the page that appears, select an instance, and then choose More > Instance Settings > Edit Tag in the Actions column.
  2. Click Create, enter the tag key and tag value, and then click Confirm.
    Note All ECS instances must be tagged.
  3. Log on to the RAM console to create two user groups: dev and ops.

    For more information, see Create a RAM user group.

  4. Create RAM users and add them to the user groups.

    For more information, see Create a RAM user.

  5. Create two custom policies and attach them to the user groups.

    For more information, see Grant permissions to a RAM user group.

    Note After you attach a policy to a user group, the RAM users in this group inherit the relevant permissions.

    In this example, the policy name of the dev user group is policyForDevTeam. The policy content is as follows:

        "Statement": [
            "Action": "ecs:*",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ecs:tag/team": "dev"
            "Action": "ecs:DescribeTag*",
            "Effect": "Allow",
            "Resource": "*"
        "Version": "1"

    The preceding policy consists of two parts:

    • The "Action": "ecs:*" part with Condition is used to filter the instances tagged as "team": "dev".
    • The "Action": "ecs:DescribeTag*" part is used to display all tags. When a RAM user performs operations in the ECS console, the system displays all optional tags. After the RAM user selects the tag key and tag value, the system filters the instances.
    Note You can create a policy named policyForOpsTeam based on the example and attach the policy to the ops user group.

Display the instances that a RAM user is authorize to access

  1. Log on to the ECS console as a RAM user.
    Note After logon, the ECS overview page is displayed by default. No ECS instance is displayed on the page. To view the relevant instances, click Instances.
  2. In the left-side navigation pane, click Instances.
    Note The region displayed in the console must be the region to which the instances belong.
  3. Click Tags next to the search box.
  4. Move the pointer over Tag Key. On the right of the Tag Key drop-down list, the corresponding Tag Value is displayed. Select a Tag Value. The system filters the relevant instances.
    Note The system can filter the relevant resources only after you select a tag value.

What to do next

You can use the procedures described in this topic to grant access to security groups, disks, snapshots, or images by group.

Note Only custom images can be tagged.