
Elastic Compute Service:Best practices for global tags

Last Updated:Mar 29, 2024

If your Alibaba Cloud account has Elastic Compute Service (ECS) instances that are used for different purposes or by different departments, you can configure global tags to filter ECS resources based on your requirements. ECS resources include instances, images, snapshots, disks, elastic network interfaces (ENIs), security groups, and key pairs. This topic describes how to filter instances by using global tags. The following examples cover two cases: a single Resource Access Management (RAM) user that manages instances for both the production environment and the test environment, and separate RAM users that each manage the instances created for one department.

Limits

Global tags have the following limits:

  • Only RAM users can use global tags.

  • A RAM user can specify only one global tag.

  • Up to 1,000 cloud resources can be displayed in the filtering results when a global tag is used as the filter condition.

Scenario 1: Resource grouping

For example, your Alibaba Cloud account has instances for the production environment and the test environment. The production environment is rarely changed, whereas the test environment often requires upgrades or even instance reboots. To reduce the chance of accidental operations on production instances, you can set a global tag so that only the test instances appear in the RAM user's instance list. Note that a global tag is a console display filter, not a permission boundary: in this scenario the RAM user still holds AliyunECSFullAccess and can operate on production instances through API calls or by changing the global tag. If the boundary must be enforced, use tag-conditioned custom policies as described in Scenario 2.

  • The instances for the production environment are named Online1, Online2, Online3, and Online4.

  • The instances for the test environment are named TestInstance1 and TestInstance2.

  1. Create a RAM user by using your Alibaba Cloud account. For more information, see Create a RAM user.

  2. Grant permissions to the RAM user by using RAM or resource groups.

    • Method 1: Use RAM

      1. Log on to the RAM console to grant permissions to the RAM user.

For more information, see Grant permissions to a RAM user. In this example, the AliyunECSFullAccess permission is granted to the RAM user.

      2. Log on to the ECS console by using the RAM user.

      3. Create the Online1, Online2, Online3, and Online4 instances.

        When you create the instances, add the Environment:Online tag to each instance in the Management section. For more information, see Create an instance.

      4. Create the TestInstance1 and TestInstance2 instances.

        When you create the instances, add the Environment:Test tag to each instance in the Management section.

    • Method 2: Use resource groups

      1. Log on to the ECS console by using your Alibaba Cloud account.

      2. Create the Online1, Online2, Online3, and Online4 instances.

        When you create the instances, add the Environment:Online tag to each instance in the Management section. For more information, see Create an instance.

      3. Create the TestInstance1 and TestInstance2 instances.

        When you create the instances, add the Environment:Test tag to each instance in the Management section.

      4. Create resource groups named Test Group and Online Group.

      5. Add the Online1, Online2, Online3, and Online4 instances to the Online Group resource group. Add the TestInstance1 and TestInstance2 instances to the Test Group resource group.

6. Grant the RAM user the AliyunECSFullAccess permission on the Test Group and Online Group resource groups.

  3. Log on to the ECS console by using the RAM user.

  4. In the left-side navigation pane, choose Instances & Images > Instances. On the Instance page, click Configure Global Tag in the upper-right corner.

  5. In the Configure Global Tag dialog box, specify a global tag and click OK.

    After the Environment:Test global tag is specified, the TestInstance1 and TestInstance2 instances for the test environment are displayed in the instance list and the instances for the production environment are not displayed in the instance list.

Scenario 2: Permission grouping

In an enterprise, each department should be able to manage only the cloud resources within its own functional scope. Granting each department only the management permissions for its own resources reduces risk and simplifies administration. In this example, the finance department and the IT department are used to show how global tags support permission grouping.

  1. Use your Alibaba Cloud account to create instances for the finance department and IT department.

    1. Log on to the ECS console by using your Alibaba Cloud account.

    2. Create instances named Finance1 and Finance2.

      When you create the instances, add the Department:Finance tag to each instance in the Management section. For more information, see Create an instance.

    3. Create instances named IT1 and IT2.

      When you create the instances, add the Department:IT tag to each instance in the Management section. For more information, see Create an instance.

  2. Use your Alibaba Cloud account to create RAM users for the finance department and IT department and grant permissions to the RAM users.

    1. Log on to the RAM console by using your Alibaba Cloud account.

    2. Create RAM User A for the finance department and RAM User B for the IT department. For more information, see Create a RAM user.

3. Use the following policy document to create a custom policy in the RAM console and attach the custom policy to RAM User A. For more information, see Create custom policies and Grant permissions to a RAM user. The policy has three statements: the first allows the tag-listing operations on all resources, which are needed to list tag keys and values (for example, when a global tag is configured); the second allows every ECS operation, but only on resources that carry the Department:Finance tag; the third explicitly denies creation, deletion, release, and allocation operations, because a resource that does not exist yet has no tag for the condition to match, and an explicit Deny overrides any Allow.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ecs:DescribeTagKeys",
              "ecs:ListTagResources",
              "ecs:DescribeTags"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "ecs:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ecs:tag/Department":"Finance"
              }
            }
          },
          {
            "Action": [
              "ecs:Create*",
              "ecs:Run*",
              "ecs:Delete*",
              "ecs:Release*",
              "ecs:Allocate*"
            ],
            "Resource": "*",
            "Effect": "Deny"
          }
        ]
      }
4. Use the following policy document to create a custom policy in the RAM console and attach the policy to RAM User B. It is identical to the policy for RAM User A except that the tag condition requires Department:IT.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ecs:DescribeTagKeys",
              "ecs:ListTagResources",
              "ecs:DescribeTags"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "ecs:*"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ecs:tag/Department":"IT"
              }
            }
          },
          {
            "Action": [
              "ecs:Create*",
              "ecs:Run*",
              "ecs:Delete*",
              "ecs:Release*",
              "ecs:Allocate*"
            ],
            "Resource": "*",
            "Effect": "Deny"
          }
        ]
      }
  3. Log on to the ECS console by using RAM User B.

  4. In the left-side navigation pane, choose Instances & Images > Instances. On the Instance page, click Configure Global Tag in the upper-right corner.

  5. In the Configure Global Tag dialog box, specify a global tag and click OK.

After the Department:IT global tag is specified, the IT1 and IT2 instances of the IT department are displayed in the instance list of RAM User B. The instances of the finance department are not displayed in the instance list, and the attached custom policy prevents RAM User B from operating on them even through the API.
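The following Python script is an added example and is not part of the Alibaba Cloud documentation. It models how the two custom policies from Scenario 2 are evaluated against tagged instances, and contrasts that with the Scenario 1 global tag, which only filters what the console lists. The instance inventory, the `department_policy` helper that rebuilds the page's JSON, and the approximation of AliyunECSFullAccess as a plain `ecs:*` Allow are all constructed for this example; only wildcard Action matching, `StringEquals` conditions on `ecs:tag/<Key>`, and the rule that an explicit Deny beats any Allow are modeled.

```python
"""Simulate RAM policy evaluation for the tag-scoped policies in Scenario 2
and the console-only filtering of a Scenario 1 global tag.

Assumptions (not from the page): the instance inventory below is constructed,
AliyunECSFullAccess is approximated as 'Allow ecs:* on *', and the evaluator
implements only the subset of RAM semantics the page's policies rely on.
"""
import fnmatch
from typing import Dict, List

# Constructed inventory of the instances the page creates, keyed by name -> tags.
INSTANCES: Dict[str, Dict[str, str]] = {
    "Online1": {"Environment": "Online"},
    "Online2": {"Environment": "Online"},
    "TestInstance1": {"Environment": "Test"},
    "TestInstance2": {"Environment": "Test"},
    "Finance1": {"Department": "Finance"},
    "Finance2": {"Department": "Finance"},
    "IT1": {"Department": "IT"},
    "IT2": {"Department": "IT"},
}


def department_policy(department: str) -> dict:
    """Rebuild the Scenario 2 policy for one department (same shape as the page's JSON)."""
    return {
        "Version": "1",
        "Statement": [
            {"Action": ["ecs:DescribeTagKeys", "ecs:ListTagResources", "ecs:DescribeTags"],
             "Resource": "*", "Effect": "Allow"},
            {"Action": ["ecs:*"], "Resource": "*", "Effect": "Allow",
             "Condition": {"StringEquals": {"ecs:tag/Department": department}}},
            {"Action": ["ecs:Create*", "ecs:Run*", "ecs:Delete*", "ecs:Release*", "ecs:Allocate*"],
             "Resource": "*", "Effect": "Deny"},
        ],
    }


# Assumption: AliyunECSFullAccess (Scenario 1) is modeled as an unconditional ecs:* Allow.
ECS_FULL_ACCESS = {"Version": "1",
                   "Statement": [{"Action": ["ecs:*"], "Resource": "*", "Effect": "Allow"}]}


def _condition_matches(condition: dict, tags: Dict[str, str]) -> bool:
    """Only StringEquals on ecs:tag/<Key> is modeled; a missing tag never matches."""
    for key, value in condition.get("StringEquals", {}).items():
        if not key.startswith("ecs:tag/"):
            return False  # unsupported condition key: treat as not satisfied
        if tags.get(key[len("ecs:tag/"):]) != value:
            return False
    return True


def is_allowed(policy: dict, action: str, tags: Dict[str, str]) -> bool:
    """Evaluate one action against one resource's tags: Deny > Allow > implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in stmt["Action"]):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], tags):
            continue  # a conditional Allow or Deny that does not apply to this resource
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny wins regardless of any Allow
        allowed = True
    return allowed


def visible_instances(global_tag: str) -> List[str]:
    """Scenario 1 console view: a Key:Value global tag only filters what is listed."""
    key, value = global_tag.split(":", 1)
    return sorted(name for name, tags in INSTANCES.items() if tags.get(key) == value)


if __name__ == "__main__":
    it_policy = department_policy("IT")
    print("User B reboot IT1:      ", is_allowed(it_policy, "ecs:RebootInstance", INSTANCES["IT1"]))
    print("User B reboot Finance1: ", is_allowed(it_policy, "ecs:RebootInstance", INSTANCES["Finance1"]))
    print("User B DescribeTags any:", is_allowed(it_policy, "ecs:DescribeTags", INSTANCES["Finance1"]))
    print("User B RunInstances IT1:", is_allowed(it_policy, "ecs:RunInstances", INSTANCES["IT1"]))
    # Scenario 1: the global tag hides Online1 from the list, but FullAccess still allows acting on it.
    print("Visible with Environment:Test:", visible_instances("Environment:Test"))
    print("FullAccess stop Online1:", is_allowed(ECS_FULL_ACCESS, "ecs:StopInstance", INSTANCES["Online1"]))
```

The `ecs:RunInstances` case shows why the page's third statement exists: without the explicit Deny, the conditional `ecs:*` Allow would never cover creation anyway (there is no tag yet), but the Deny makes the intent explicit and also blocks any future Allow another attached policy might grant. The last two lines show the Scenario 1 limitation: `Online1` disappears from the filtered list, yet the policy still permits stopping it.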