You can add tags, such as environment-specific tags, application tags, or resource type tags, to Elastic Compute Service (ECS) resources for fine-grained management. If you want to filter ECS instances to which specific tags are added to run Cloud Assistant commands or upload files by using Cloud Assistant, attach the policies in which the tags are specified to Resource Access Management (RAM) users. This way, the RAM users can use Cloud Assistant to run commands on or upload files to the ECS instances to which the tags are added and manage access to the instances. This topic describes how to use tags to manage the usage of Cloud Assistant commands.
Prerequisites
A RAM user is created. For information about how to create a RAM user, see Create a RAM user.
A Cloud Assistant command is created. For information about how to create a Cloud Assistant command, see Create a command.
Working mechanism
You can specify tags as match conditions in policies to use tags in combination with RAM users to manage ECS resources in a fine-grained manner.
Each tag consists of a key and a value. You can use tags to label ECS instances and categorize and manage resources. For information about tags, see Overview.
RAM allows you to manage user identities, resource access, and operation permissions on resources based on policies. You can define custom policies based on regions, ECS instances, operations that you want to perform, and Cloud Assistant commands. You can attach custom policies to RAM users to manage the permissions of the RAM users to use Cloud Assistant commands. For more information, see Overview of RAM users and Policy overview.
The following figure shows how to use tags to manage resource access and operation permissions of RAM users, which is called tag-based authentication.
Sample scenarios
This section describes how to implement tag-based authentication to manage Cloud Assistant commands in the following scenarios:
RAM users can run commands only on ECS instances to which specific tags are added. Example tag: test:tony.
RAM users can send files only to ECS instances to which specific tags are added. Example tag: test:tony.
RAM users can query tags, ECS instances, and Cloud Assistant commands and the execution results of the commands.
Procedure
In this example, an Alibaba Cloud account is used to create a custom policy named UseTagAccessResources and attach the custom policy to a RAM user. The UseTagAccessResources custom policy allows the RAM user to use Cloud Assistant to run commands on or send files to the ECS instances to which the test:tony tag is added.
Create an ECS instance to which a specific tag is added.
In this example, an ECS instance to which the test:tony tag is added is created. For more information, see Create a resource with a specific tag.
Log on to the RAM console with an Alibaba Cloud account.
Create the UseTagAccessResources custom policy.
For more information, see Create custom policies.
You can configure multiple tag-based authentication conditions in the Condition element of the custom policy to limit permissions on ECS resources. The following table describes the supported tag-based authentication conditions.
Tag-based authentication condition and description:
acs:RequestTag: Specifies that specific tag-related parameters must be included in each API request. If an API request does not include tag-related parameters, the acs:RequestTag condition cannot be used and authentication fails.
acs:ResourceTag: Specifies that a specific tag must be added to a resource. If an API request does not include a resource ID, the acs:ResourceTag condition cannot be used and authentication fails.
Policy content of UseTagAccessResources:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:StopInvocation",
        "ecs:SendFile"
      ],
      "Resource": "acs:ecs:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/test": "tony"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:InvokeCommand",
        "ecs:RunCommand",
        "ecs:StopInvocation",
        "ecs:SendFile"
      ],
      "Resource": "acs:ecs:*:*:command/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeTag*",
        "ecs:DescribeInstance*",
        "ecs:DescribeCommands",
        "ecs:CreateCommand",
        "ecs:DeleteCommand",
        "ecs:ModifyCommand",
        "ecs:DescribeInvocationResults",
        "ecs:DescribeSendFileResults",
        "ecs:DescribeInstances",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:DescribeInvocations",
        "ecs:DescribeResourceByTags",
        "ecs:DescribeTagKeys",
        "ecs:DescribeTags",
        "ecs:ListTagResources",
        "ecs:DescribeManagedInstances"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "oos:ListSecretParameters",
      "Resource": "*"
    }
  ]
}
The preceding policy grants the following permissions to RAM users:
Run Cloud Assistant commands on or send files to ECS instances to which the test:tony tag is added. Sample policies:
{
  "Effect": "Allow",
  "Action": [
    "ecs:InvokeCommand",
    "ecs:RunCommand",
    "ecs:StopInvocation",
    "ecs:SendFile"
  ],
  "Resource": "acs:ecs:*:*:instance/*",
  "Condition": {
    "StringEquals": {
      "acs:ResourceTag/test": "tony"
    }
  }
},
{
  "Effect": "Allow",
  "Action": [
    "ecs:InvokeCommand",
    "ecs:RunCommand",
    "ecs:StopInvocation",
    "ecs:SendFile"
  ],
  "Resource": "acs:ecs:*:*:command/*"
}
Query resources such as tags, ECS instances, and Cloud Assistant commands. Sample policies:
{
  "Effect": "Allow",
  "Action": [
    "ecs:DescribeTag*",
    "ecs:DescribeInstance*",
    "ecs:DescribeCommands",
    "ecs:CreateCommand",
    "ecs:DeleteCommand",
    "ecs:ModifyCommand",
    "ecs:DescribeInvocationResults",
    "ecs:DescribeSendFileResults",
    "ecs:DescribeInstances",
    "ecs:DescribeCloudAssistantStatus",
    "ecs:DescribeInvocations",
    "ecs:DescribeResourceByTags",
    "ecs:DescribeTagKeys",
    "ecs:DescribeTags",
    "ecs:ListTagResources",
    "ecs:DescribeManagedInstances"
  ],
  "Resource": "*"
},
{
  "Effect": "Allow",
  "Action": "oos:ListSecretParameters",
  "Resource": "*"
}
Attach the UseTagAccessResources custom policy to a RAM user for which you want to manage access.
For more information, see Grant permissions to a RAM role.
Check whether the custom policy takes effect.
Log on to the ECS console and perform the following operations on ECS instances.
Note: When the system runs Cloud Assistant commands on or sends files to ECS instances, the system can query the specific tag, the ECS instances to which the tag is added, and the Cloud Assistant commands with which the specific tag is associated at the same time.
Run a Cloud Assistant command on ECS instances to which the test:tony tag is added and ECS instances to which other tags are added.
On the My Commands tab of the ECS Cloud Assistant page, find a Cloud Assistant command and click Run in the Actions column to run the command on ECS instances to which the test:tony tag is added and ECS instances to which other tags are added. In this example, the command whose ID is c-hz02jt1ncrf**** is used. For more information, see Run a command.
Note: If no Cloud Assistant commands exist on the My Commands tab, create a Cloud Assistant command and perform the preceding step. For more information, see Create a command.
Send files to ECS instances to which the test:tony tag is added and ECS instances to which other tags are added.
In the upper-right corner of the ECS Cloud Assistant page, click Send File to send a file to ECS instances to which the test:tony tag is added and ECS instances to which other tags are added. For more information, see Upload on-premises files to ECS instances.
If the execution results of the command task or file sending task match the execution results described in the Execution results section of this topic, the custom policy takes effect. If the execution results of the command task or file sending task do not match the execution results described in the Execution results section, the custom policy does not take effect. To troubleshoot the issue, see the FAQ section of this topic.
Execution results
The following section describes the execution results of the task that runs the Cloud Assistant command on ECS instances when the custom policy is in effect:
After the command is run on ECS instances to which the test:tony tag is added, Successful is displayed in the Status column corresponding to the command task.
After the command is run on ECS instances to which the test:tony tag is not added, an error message appears indicating that the command failed to run.
The following section describes the execution results of the task that sends a file to ECS instances when the custom policy is in effect:
After the file is sent to ECS instances to which the test:tony tag is added, Successful is displayed in the Status column corresponding to the file sending task.
After the file is sent to ECS instances to which the test:tony tag is not added, a message appears indicating that the file failed to be sent.
FAQ
What do I do when a custom policy does not take effect?
If a custom policy that you attached to a RAM user does not take effect, check whether other policies attached to the same RAM user contain a statement whose Effect element is set to Allow for the following actions. Such a statement that carries no tag condition grants the actions on all ECS instances, regardless of their tags, and therefore overrides the tag restriction. If you find such a policy, detach it from the RAM user.
ecs:InvokeCommand
ecs:RunCommand
ecs:StopInvocation
ecs:SendFile
For example, if the following custom policy is attached to the RAM user, detach the policy from the RAM user:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:InvokeCommand",
"ecs:RunCommand",
"ecs:StopInvocation",
"ecs:SendFile"
],
"Resource": "*"
}
]
}
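To make the evaluation behind both the UseTagAccessResources policy and the FAQ concrete, the following added example (written for this page; it is not Alibaba Cloud code and does not call the RAM API) models a simplified RAM policy evaluation: wildcard matching on Action and Resource, the StringEquals condition on acs:ResourceTag/<key>, and Deny-over-Allow. It then shows that the tag policy alone allows ecs:RunCommand only on an instance tagged test:tony, and that attaching the over-broad policy from the FAQ makes an untagged instance allowed as well. The function find_unconditional_command_grants is the check the FAQ describes. The resource names, account ID and policy names are constructed placeholders, and the wildcard semantics are an approximation of RAM's.

```python
import fnmatch
import json

# Constructed copies of the two policies discussed in this topic. The
# UseTagAccessResources policy is reduced to the statements that matter for
# command execution (the Describe*/query statement is omitted for brevity).
COMMAND_ACTIONS = ["ecs:InvokeCommand", "ecs:RunCommand", "ecs:StopInvocation", "ecs:SendFile"]

USE_TAG_ACCESS_RESOURCES = {
    "Version": "1",
    "Statement": [
        {   # instances: only when the instance carries the tag test:tony
            "Effect": "Allow",
            "Action": COMMAND_ACTIONS,
            "Resource": "acs:ecs:*:*:instance/*",
            "Condition": {"StringEquals": {"acs:ResourceTag/test": "tony"}},
        },
        {   # commands: no tag condition, as in the topic
            "Effect": "Allow",
            "Action": COMMAND_ACTIONS,
            "Resource": "acs:ecs:*:*:command/*",
        },
    ],
}

# The policy from the FAQ: the same actions on every resource, with no Condition.
OVERBROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": COMMAND_ACTIONS, "Resource": "*"}],
}

# Constructed resource names (region, account ID and resource IDs are placeholders).
INSTANCE_ARN = "acs:ecs:cn-hangzhou:1234567890:instance/i-constructed"
COMMAND_ARN = "acs:ecs:cn-hangzhou:1234567890:command/c-constructed"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # RAM wildcards are approximated with shell-style globbing; '*' also spans ':' and '/'.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, resource_tags):
    """Evaluate the only condition form used in this topic: StringEquals on
    acs:ResourceTag/<key>. A resource that lacks the tag key does not satisfy
    the condition, so the statement does not apply to it."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for cond_key, expected in pairs.items():
            if not cond_key.startswith("acs:ResourceTag/"):
                raise NotImplementedError(f"condition key {cond_key} not modelled")
            tag_key = cond_key[len("acs:ResourceTag/"):]
            if resource_tags.get(tag_key) != expected:
                return False
    return True


def is_allowed(policies, action, resource, resource_tags=None):
    """Simplified evaluation over all attached policies: a matching Deny wins,
    otherwise any matching Allow grants, otherwise the request is denied."""
    resource_tags = resource_tags or {}
    allowed = False
    for policy in policies.values():
        for stmt in policy["Statement"]:
            if not any(_match(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(_match(p, resource) for p in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), resource_tags):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def find_unconditional_command_grants(policies):
    """The FAQ check: list policies that Allow the Cloud Assistant command/file
    actions on instances without a tag Condition. Such a statement overrides
    the tag restriction, so the policy must be detached from the RAM user."""
    findings = []
    for name, policy in policies.items():
        for stmt in policy["Statement"]:
            if stmt["Effect"] != "Allow" or stmt.get("Condition"):
                continue
            patterns = _as_list(stmt["Action"])
            hit_actions = [a for a in COMMAND_ACTIONS if any(_match(p, a) for p in patterns)]
            covers_instances = any(_match(p, INSTANCE_ARN) for p in _as_list(stmt["Resource"]))
            if hit_actions and covers_instances:
                findings.append({"policy": name, "actions": hit_actions})
    return findings


def demo():
    tag_only = {"UseTagAccessResources": USE_TAG_ACCESS_RESOURCES}
    both = {"UseTagAccessResources": USE_TAG_ACCESS_RESOURCES, "OverBroad": OVERBROAD_POLICY}
    return {
        "tagged instance, tag policy only": is_allowed(tag_only, "ecs:RunCommand", INSTANCE_ARN, {"test": "tony"}),
        "other tag value, tag policy only": is_allowed(tag_only, "ecs:RunCommand", INSTANCE_ARN, {"test": "other"}),
        "untagged instance, tag policy only": is_allowed(tag_only, "ecs:SendFile", INSTANCE_ARN),
        "command resource, tag policy only": is_allowed(tag_only, "ecs:RunCommand", COMMAND_ARN),
        "untagged instance, over-broad policy also attached": is_allowed(both, "ecs:RunCommand", INSTANCE_ARN),
        "FAQ findings": find_unconditional_command_grants(both),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the six results; the last entry names OverBroad as the policy to detach. The command-resource case is allowed without any tag because the second statement of UseTagAccessResources carries no Condition, which matches the topic's note that commands themselves are not tag-restricted, only the instances they run on.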
References
You can attach specific policies to a RAM user to allow the RAM user to manage access to ECS instances by using tags. For more information, see Control access to resources by using tags.
You can add the same tag to multiple ECS instances and use the smart tag synchronization feature of CloudMonitor to assign the instances to the same application group for group-based automatic monitoring. The monitoring metrics include the health status, CPU utilization, and memory usage of ECS instances. For more information, see Implement automatic resource monitoring by group based on tags.
If you no longer use a tag for managing and retrieving resources, you can remove the tag from the resources. For more information, see Remove or delete a tag.