This topic describes how to use tags to authorize ECS instances, security groups, disks, snapshots, and images by group.


I have multiple ECS instances. If I want different users to see and manage only some of the instances, what should I do?


Suppose you have 10 ECS instances, and you want the dev team to manage 5 of them and the ops team to manage the other 5. You want each team to see only the authorized instances.

Authorize the ECS instances by group

You can implement this with Resource Access Management (RAM). Perform the following operations:

  1. Tag the ECS instances by group.

    For example, tag five of them with the key team and the value dev. Tag the other five with the key team and the value ops.

    To tag an instance, perform the following operations:
    1. In the ECS console, select an instance and choose More > Instance Settings > Edit Tag from the drop-down menu.
    2. Enter the key and value. For example, set the key to team and the value to dev.
  2. Create two user groups, for example, named dev and ops. Create users for your employees and add the users to different user groups.
  3. Create two custom policies and attach them to different user groups.
    In this example, for the dev user group, the policy content is as follows:
        {
            "Statement": [
                {
                    "Action": "ecs:*",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {
                            "ecs:tag/team": "dev"
                        }
                    }
                },
                {
                    "Action": "ecs:DescribeTag*",
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ],
            "Version": "1"
        }
    Note: If your custom tags are different from the ones in the preceding example, replace the tag condition in the policy accordingly.

    In the preceding policy, the "Action": "ecs:*" part with "Condition" is used to filter the instances tagged as "team": "dev", and "Action": "ecs:DescribeTag*" is used to display all tags. When a user performs operations in the ECS console, the system displays all the tags for the user to select, and then filters the instances according to the tag key and value selected by the user.
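The following Python sketch is an added example, not part of the original documentation or of RAM itself. It builds the same policy for any team value and checks it against a constructed inventory, which shows how the tag condition scopes access and that an untagged instance is visible to neither team. The function names, the instance IDs, and the simplified evaluation logic are assumptions made for illustration.

```python
import fnmatch

def team_policy(team):
    """Tag-scoped policy in the shape shown above, for one team tag value."""
    return {
        "Statement": [
            {"Action": "ecs:*", "Effect": "Allow", "Resource": "*",
             "Condition": {"StringEquals": {"ecs:tag/team": team}}},
            {"Action": "ecs:DescribeTag*", "Effect": "Allow", "Resource": "*"},
        ],
        "Version": "1",
    }

def is_allowed(policy, action, resource_tags):
    """Simplified model of evaluation (an assumption, not RAM's engine):
    allow if any Allow statement matches the action and every StringEquals
    tag condition; no matching statement means implicit deny."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action, pat) for pat in actions):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {})
        # "ecs:tag/team" -> tag key "team"; a missing tag never matches.
        if all(resource_tags.get(k.split("/", 1)[1]) == v
               for k, v in wanted.items()):
            if stmt["Effect"] == "Allow":
                return True
    return False

def visible_instances(policy, inventory):
    """Instance IDs the policy holder may describe."""
    return [iid for iid, tags in inventory.items()
            if is_allowed(policy, "ecs:DescribeInstances", tags)]

# Constructed inventory: the IDs and tags are sample values.
INVENTORY = {
    "i-dev-01": {"team": "dev"},
    "i-dev-02": {"team": "dev", "env": "test"},
    "i-ops-01": {"team": "ops"},
    "i-untagged": {},
}

if __name__ == "__main__":
    for team in ("dev", "ops"):
        print(team, visible_instances(team_policy(team), INVENTORY))
```

Running the same check over your own tag export before you attach the policies shows which instances would end up visible to no group because they carry no team tag.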

Display authorized instances

  1. Log on to the ECS console as a user of the dev user group.
    • The users in the dev user group inherit the permissions of this group.
    • After a user logs on to the ECS console, the system navigates to the ECS overview page by default. In this case, the number of the ECS instances displayed on the page is 0.
  2. Go to the instances page and check whether the region displayed in the console is the region where the instances are actually located. If not, select the expected region from the list of regions at the upper part of the console.
  3. On the instances page, click Tags. The Tag Key drop-down list is displayed. Move the pointer over Tag Key. The Tag Value list is displayed. Select a value, and the system then filters the corresponding instances.
    Note: The system can filter the corresponding instances only after you select a value.

Use tags to authorize the security groups, disks, snapshots, and images by group

Follow the preceding method to tag and authorize the security groups, disks, snapshots, and images by group.

Note: Only custom images can be tagged.