
How to use tags to authorize ECS instances by group

Last Updated: Apr 16, 2018

Suppose you have 10 ECS instances. You want to authorize 5 of them to the dev team and another 5 to the ops team. You want each team to see only authorized instances.

Authorize ECS instances by group

To authorize ECS instances by group, perform these steps:

  1. Tag the ECS instances by group. For example, tag 5 of them with the key team and the value dev, and tag the other 5 with the key team and the value ops.

    Tag one instance as follows:

    1. In the ECS console, on the Instances sub-page, select an instance and click its More drop-down menu.

    2. Select Edit Tag from the drop-down menu.

    3. In the Edit Tag dialog box, click Create, and then set the key and value. Here, the key is team and the value is dev.

  2. Create two user groups, such as dev and ops. Then create a user account for each employee and add the accounts to the appropriate user group.

  3. Create two custom authorization policies and assign them to different user groups.

For example, name the custom authorization policy assigned to the dev group policyForDevTeam. Its content is as follows:

    {
      "Statement": [
        {
          "Action": "ecs:*",
          "Effect": "Allow",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "ecs:tag/team": "dev"
            }
          }
        },
        {
          "Action": "ecs:DescribeTag*",
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "1"
    }

Note: If your tag key or value differs from the one in the preceding example, change the tag condition in the policy accordingly.
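A small evaluator for the policy above, added here as an example; it is not part of the original page and is not Alibaba Cloud's RAM engine. It models only Allow statements, wildcard action matching and the StringEquals condition on ecs:tag/<key>, treating everything else as denied; the instance inventory and its IDs are constructed.

```python
import fnmatch
import json
# Parsed from the policyForDevTeam document shown on this page.
POLICY_FOR_DEV_TEAM = json.loads("""
{
  "Statement": [
    {"Action": "ecs:*", "Effect": "Allow", "Resource": "*",
     "Condition": {"StringEquals": {"ecs:tag/team": "dev"}}},
    {"Action": "ecs:DescribeTag*", "Effect": "Allow", "Resource": "*"}
  ],
  "Version": "1"
}
""")
# Constructed inventory: 10 placeholder instance IDs, 5 tagged team=dev and 5 team=ops.
INSTANCES = {f"i-dev{n}": {"team": "dev"} for n in range(5)}
INSTANCES.update({f"i-ops{n}": {"team": "ops"} for n in range(5)})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, tags):
    # Assumption: only StringEquals on ecs:tag/<key> is modelled. An instance that
    # lacks the tag never satisfies the condition, so untagged instances stay denied.
    for operator, checks in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for cond_key, expected in checks.items():
            if not cond_key.startswith("ecs:tag/"):
                raise NotImplementedError(cond_key)
            if tags.get(cond_key[len("ecs:tag/"):]) not in _as_list(expected):
                return False
    return True

def is_allowed(policy, action, tags):
    """True if an Allow statement matches `action` and its condition holds for `tags`."""
    # Simplified model: no Deny statements, Resource assumed "*"; default is deny.
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), tags):
            return True
    return False

def authorized_instances(policy, instances, action="ecs:StartInstance"):
    """IDs of the instances on which `policy` grants `action`: the dev team's 5."""
    return sorted(i for i, tags in instances.items() if is_allowed(policy, action, tags))
```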

Display authorized instances

  1. If no instances are displayed after you log on to the ECS console, click Tag on the Instances sub-page.

  2. Select the specified tag key to display the authorized instances.
