After you add tags to your Elastic Compute Service (ECS) resources, you can use the
tags to categorize the resources and control access to them. This topic describes
how to use tags to control the permissions of Resource Access Management (RAM) users
so that different users can be granted different access and operation permissions
on cloud resources based on tags.
Background information
Tags can be used to identify, categorize, or classify resources for easy management.
RAM allows you to manage user identities and resource access and operation permissions
based on policies. You can use tags as conditions in RAM policies to implement fine-grained
access control on resources.
The following figure shows how to use tags to manage resource access and operation
permissions of RAM users, which is called tag-based authentication.

Scenarios
The procedure in this topic describes how to use tag-based authentication. The example uses a scenario that meets the following requirements:
- Resources to which the costcenter:tony tag is not added cannot be created.
- Operations can be performed only when requests contain the costcenter:tony tag.
- Resources created by other users that do not have the costcenter:tony tag added cannot be managed.
- Tag-based authentication supports some API operations that are used to query resources. You can query the instances that have the costcenter:tony tag added.
- Tags cannot be modified.
Procedure
In this procedure, a custom policy named UserTagAccessRes is created by using an Alibaba Cloud account and is attached to the RAM user userTest. The UserTagAccessRes policy specifies that RAM users must specify the costcenter:tony tag before they can access and manage ECS resources.
- Log on to the RAM console by using an Alibaba Cloud account.
- Create the UserTagAccessRes custom policy. For more information, see Create a custom policy.
In this example, you can configure multiple tag-based conditions for cloud resources in the Condition element of the custom policy to restrict operation permissions. The following table describes the supported tag-based authentication conditions.
Tag-based authentication condition | Description
acs:RequestTag | Indicates that a specific tag must be included in each API request. If an API request does not include tag-related parameters, the acs:RequestTag condition cannot be used; if it is used anyway, authentication fails.
acs:ResourceTag | Indicates that a specific tag must be added to the specified resource. If an API request does not include a resource ID, the acs:ResourceTag condition cannot be used; if it is used anyway, authentication fails.
The following sample policy, UserTagAccessRes, uses both conditions:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:Run*",
        "ecs:Create*",
        "ecs:Purchase*",
        "ecs:DescribeInstances",
        "ecs:List*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/costcenter": "tony"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/costcenter": "tony"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:List*",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceVncUrl",
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstanceAttachmentAttributes",
        "ecs:DescribeInstancesFullStatus",
        "ecs:DescribeInstanceHistoryEvents",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeInstanceMaintenanceAttributes",
        "ecs:DescribeInstanceModificationPrice",
        "ecs:DescribeA*",
        "ecs:DescribeC*",
        "ecs:DescribeD*",
        "ecs:DescribeE*",
        "ecs:DescribeH*",
        "ecs:DescribeIm*",
        "ecs:DescribeInv*",
        "ecs:DescribeK*",
        "ecs:DescribeL*",
        "ecs:DescribeM*",
        "ecs:DescribeN*",
        "ecs:DescribeP*",
        "ecs:DescribeR*",
        "ecs:DescribeS*",
        "ecs:DescribeT*",
        "ecs:DescribeZ*",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "bss:PayOrder"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:RemoveTags",
        "ecs:UntagResources",
        "ecs:AddTags",
        "ecs:TagResources"
      ],
      "Resource": "*"
    }
  ]
}
The preceding policy provides the following access control:
- Resources to which the costcenter:tony tag is not added cannot be created. Operations can be performed only when requests contain the costcenter:tony tag.
  {
    "Effect": "Allow",
    "Action": [
      "ecs:Run*",
      "ecs:Create*",
      "ecs:Purchase*"
    ],
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "acs:RequestTag/costcenter": "tony"
      }
    }
  }
- Resources created by other users that do not have the costcenter:tony tag added cannot be managed.
  {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "acs:ResourceTag/costcenter": "tony"
      }
    }
  }
- Tag-based authentication supports some API operations that are used to query resources. You can query the instances that have the costcenter:tony tag added.
  {
    "Effect": "Allow",
    "Action": [
      "ecs:DescribeInstances",
      "ecs:List*"
    ],
    "Resource": "*",
    "Condition": {
      "StringEquals": {
        "acs:RequestTag/costcenter": "tony"
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "ecs:List*",
      "ecs:DescribeInstanceStatus",
      "ecs:DescribeInstanceVncUrl",
      "ecs:DescribeInstanceAutoRenewAttribute",
      "ecs:DescribeInstanceRamRole",
      "ecs:DescribeInstanceTypeFamilies",
      "ecs:DescribeInstanceTypes",
      "ecs:DescribeInstanceAttachmentAttributes",
      "ecs:DescribeInstancesFullStatus",
      "ecs:DescribeInstanceHistoryEvents",
      "ecs:DescribeInstanceMonitorData",
      "ecs:DescribeInstanceMaintenanceAttributes",
      "ecs:DescribeInstanceModificationPrice",
      "ecs:DescribeA*",
      "ecs:DescribeC*",
      "ecs:DescribeD*",
      "ecs:DescribeE*",
      "ecs:DescribeH*",
      "ecs:DescribeIm*",
      "ecs:DescribeInv*",
      "ecs:DescribeK*",
      "ecs:DescribeL*",
      "ecs:DescribeM*",
      "ecs:DescribeN*",
      "ecs:DescribeP*",
      "ecs:DescribeR*",
      "ecs:DescribeS*",
      "ecs:DescribeT*",
      "ecs:DescribeZ*",
      "vpc:DescribeVpcs",
      "vpc:DescribeVSwitches",
      "bss:PayOrder"
    ],
    "Resource": "*"
  }
- Tags cannot be modified.
  {
    "Effect": "Deny",
    "Action": [
      "ecs:RemoveTags",
      "ecs:UntagResources",
      "ecs:AddTags",
      "ecs:TagResources"
    ],
    "Resource": "*"
  }
- Attach the custom policy to the RAM user or group for which you want to control access. For more information, see Grant permissions to a RAM role. In this step, attach the UserTagAccessRes policy to the RAM user userTest.
Note: To attach the UserTagAccessRes policy to an existing RAM user, be aware that multiple policies attached to a single RAM user may cause permission issues.
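To make the evaluation rules behind the UserTagAccessRes policy concrete, the following added example (not code from the Alibaba Cloud documentation) implements a minimal evaluator for the policy features the topic uses: wildcard Action matching, StringEquals conditions on acs:RequestTag and acs:ResourceTag, and Deny statements that override Allow. The embedded policy is a constructed, abbreviated copy of the statements above, and the sample requests are constructed to exercise each of the five requirements from the Scenarios section.

```python
"""Minimal RAM-style policy evaluator (added example, not Alibaba Cloud code).
Models only what the topic relies on: Allow/Deny statements, wildcard Action
patterns, StringEquals conditions on acs:RequestTag/<key> and
acs:ResourceTag/<key>. An explicit Deny overrides any Allow; no match is Deny."""
from fnmatch import fnmatchcase

# Constructed, abbreviated copy of the UserTagAccessRes statements from the page.
USER_TAG_ACCESS_RES = [
    {"Effect": "Allow", "Action": ["ecs:Run*", "ecs:Create*", "ecs:DescribeInstances"],
     "Condition": {"StringEquals": {"acs:RequestTag/costcenter": "tony"}}},
    {"Effect": "Allow", "Action": "*",
     "Condition": {"StringEquals": {"acs:ResourceTag/costcenter": "tony"}}},
    {"Effect": "Allow", "Action": ["ecs:DescribeInstanceStatus", "ecs:DescribeZ*"]},
    {"Effect": "Deny", "Action": ["ecs:AddTags", "ecs:TagResources", "ecs:RemoveTags"]},
]


def _condition_holds(cond, request_tags, resource_tags):
    """StringEquals only. A condition key whose tag is absent from the request
    (acs:RequestTag) or from the target resource (acs:ResourceTag) does not match,
    which is why untagged requests and untagged resources fall through to Deny."""
    for key, expected in cond.get("StringEquals", {}).items():
        prefix, _, tag_key = key.partition("/")
        source = {"acs:RequestTag": request_tags, "acs:ResourceTag": resource_tags}.get(prefix)
        if source is None or source.get(tag_key) != expected:
            return False
    return True


def evaluate(policy, action, request_tags=None, resource_tags=None):
    """Return 'Allow' or 'Deny' for one API call. request_tags are the Tag.N
    parameters carried by the request; resource_tags are the tags on the resource
    the request targets (empty for create-type calls that have no resource yet)."""
    request_tags = request_tags or {}
    resource_tags = resource_tags or {}
    allowed = False
    for stmt in policy:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request_tags, resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny wins regardless of other matching statements
        allowed = True
    return "Allow" if allowed else "Deny"
```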