
Resource Access Management:Use tags to grant access to ECS instances by group

Last Updated: Aug 30, 2023

This topic describes how to use tags to grant Resource Access Management (RAM) users access to Elastic Compute Service (ECS) instances by group. After authorization, RAM users can view and manage only the tagged resources.

Background Information

In this example, you have 10 ECS instances. You want to authorize the developer team to manage 5 instances and the operator team to manage the other 5 instances. However, you want each team to view only the instances that you authorize each team to manage.

In this case, you can create two RAM user groups that are named developer and operator.

You can create a custom policy named policyForDevTeam and another custom policy named policyForOpsTeam.

You must create the following tags:

  • A tag that is added to five ECS instances. The tag key is team and the tag value is dev.

  • A tag that is added to the other five ECS instances. The tag key is team and the tag value is ops.

Procedure

  1. Log on to the ECS console with your Alibaba Cloud account. In the ECS console, create tags and add the tags to your ECS instances.

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Instances & Images > Instances.

    3. In the top navigation bar, select a region.

    4. On the Instances page, find the instance that you want to manage, move the pointer over the tag icon in the Tag column, and then click Edit Tags.

    5. In the Edit Tags dialog box, specify a tag key and tag value.

    6. Click Confirm.

    Repeat the preceding steps to add the team:dev tag to five ECS instances and add the team:ops tag to the other five ECS instances.

  2. Log on to the RAM console with your Alibaba Cloud account and create two RAM user groups that are named developer and operator.

    For more information, see Create a user group.

  3. Create RAM users and add each RAM user to a RAM user group.

  4. Create two custom policies that are named policyForDevTeam and policyForOpsTeam. Attach the policyForDevTeam policy to the developer RAM user group. Attach the policyForOpsTeam policy to the operator RAM user group.

    For more information, see Create a custom policy and Grant permissions to a RAM user group.

    Note

    After you attach a policy to a RAM user group, the RAM users in the RAM user group have the permissions that are included in the policy.

    The policyForDevTeam policy is defined by using the following script:

    {
        "Statement": [
            {
                "Action": "ecs:*",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/team": "dev"
                    }
                }
            },
            {
                "Action": "ecs:DescribeTag*",
                "Effect": "Allow",
                "Resource": "*"
            }
        ],
        "Version": "1"
    }

    The policyForOpsTeam policy is defined by using the following script:

    {
        "Statement": [
            {
                "Action": "ecs:*",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/team": "ops"
                    }
                }
            },
            {
                "Action": "ecs:DescribeTag*",
                "Effect": "Allow",
                "Resource": "*"
            }
        ],
        "Version": "1"
    }

    Each policy consists of two statements:

    • The statement with "Action": "ecs:*" and a Condition grants all ECS actions, but only on the ECS instances to which the team:dev or team:ops tag is added. An instance that carries no team tag does not satisfy the StringEquals condition and is therefore not covered.

    • The statement with "Action": "ecs:DescribeTag*" authorizes the RAM users to view all ECS tags. After a RAM user logs on to the ECS console, all existing tags are displayed. The RAM user must select the value of an authorized tag key to view the ECS instances to which that tag is added.
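    The following added example, which is not part of this topic or of any Alibaba Cloud library, models how the two policies above are evaluated: the team tag on the target instance decides whether an "ecs:*" request is allowed, while "ecs:DescribeTag*" is allowed regardless of tags. The evaluation logic (default deny, explicit Deny wins, case-insensitive wildcard action matching) is a simplified assumption for illustration, not the RAM service itself.

```python
import fnmatch

# Both policies from this topic, generated from one template
# (constructed copies; this is not an Alibaba Cloud library).
def make_team_policy(team_value):
    return {
        "Statement": [
            {
                "Action": "ecs:*",
                "Effect": "Allow",
                "Resource": "*",
                "Condition": {"StringEquals": {"ecs:tag/team": team_value}},
            },
            {"Action": "ecs:DescribeTag*", "Effect": "Allow", "Resource": "*"},
        ],
        "Version": "1",
    }

POLICY_FOR_DEV_TEAM = make_team_policy("dev")
POLICY_FOR_OPS_TEAM = make_team_policy("ops")

def action_matches(pattern, action):
    # Assumption: action names are matched case-insensitively and a
    # trailing "*" is a wildcard, e.g. "ecs:DescribeTag*" covers "ecs:DescribeTags".
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def condition_matches(condition, resource_tags):
    # Only the StringEquals / ecs:tag/<key> form used in this topic is modelled.
    # An instance without the tag key has no value to compare, so it fails.
    for cond_key, expected in condition.get("StringEquals", {}).items():
        if not cond_key.startswith("ecs:tag/"):
            return False
        if resource_tags.get(cond_key[len("ecs:tag/"):]) != expected:
            return False
    return True

def is_allowed(policy, action, resource_tags):
    """Simplified evaluation: nothing is allowed unless a statement allows it,
    and an explicit Deny on a matching statement overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(action_matches(a, action) for a in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

    Running it shows that a developer-group user can stop a team:dev instance but not a team:ops one or an untagged one, while DescribeTags succeeds on any instance.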

Verify the configuration results

  1. Log on to the ECS console as a RAM user.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select a region.

  4. On the Instances page, click Tags next to the search box.

  5. Move the pointer over a tag key. The list of tag values is displayed. Select a tag value. Then, only the ECS instances to which the tag is added are displayed in the instance list.

    For example, a RAM user in the developer RAM user group can view the list of ECS instances to which the team:dev tag is added.

    Important

    A RAM user can view the ECS instances to which a tag is added only after the RAM user selects the tag. Otherwise, the RAM user cannot view the ECS instances to which the tag is added.

References

You can use the procedure that is described in this topic to grant access to other ECS resources by group. These ECS resources include block storage devices, snapshots, images, security groups, elastic network interfaces (ENIs), dedicated hosts, and SSH key pairs.