After you add tags to your Elastic Compute Service (ECS) resources, you can use the tags to group, categorize, and control access to the resources. This topic describes how to attach a policy to a RAM user so that the user can use tags to control access to ECS instances.

Prerequisites

A RAM user is created by using an Alibaba Cloud account. For more information, see Create a RAM user.

Background information

Tags are used to identify cloud resources. You can use tags to categorize, search for, and aggregate cloud resources that have the same characteristics from different dimensions. This simplifies resource management. You can add multiple tags to each cloud resource.

Alibaba Cloud implements policy-based access control. You can configure RAM policies based on the roles of RAM users. You can define multiple tags in each policy and attach one or more policies to RAM users or RAM user groups. If you want to control which resources are accessible to RAM users, you can create custom policies that contain tags to implement access control on resources.

You can add tags to ECS resources and to resources of other Alibaba Cloud services. By default, all resources within the current region are displayed in the resource list. A custom policy that contains tag conditions restricts a RAM user to the resources that carry those tags.

Step 1: Use an Alibaba Cloud account to create a policy and attach it to a RAM user

This section describes how to use an Alibaba Cloud account to create a custom policy that contains specific tags and attach this policy to a RAM user. In the example, the UserTagAccessRes custom policy, the userTest RAM user, and the owner: zhangsan and environment: production tags are used.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create the UserTagAccessRes custom policy. For more information, see Create a custom policy.
    The following code shows how to configure multiple tags for cloud resources in a policy:
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/owner": "zhangsan",
                        "ecs:tag/environment": "production"
                    }
                }
            },
            {
                "Action": [
                    "ecs:DescribeTagKeys",
                    "ecs:DescribeTags"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:DeleteTags",
                    "ecs:UntagResources",
                    "ecs:CreateTags",
                    "ecs:TagResources"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
    The policy consists of three statements:

    Policy: Grants the permissions to access resources to which specific tags are added
    Policy content:
      • "ecs:tag/owner": "zhangsan"
      • "ecs:tag/environment": "production"
    Description: This statement allows access only to resources to which both of the specified tags are added.

    Policy: Grants the permissions to query tags
    Policy content:
      • ecs:DescribeTagKeys
      • ecs:DescribeTags
    Description: This statement allows the RAM user to query tags in the ECS console.

    Policy: Does not grant the permissions to call the API operations that are used to manage tags
    Policy content:
      • ecs:DeleteTags
      • ecs:UntagResources
      • ecs:CreateTags
      • ecs:TagResources
    Description: This statement explicitly denies all API operations that modify tags, so the RAM user cannot change the tags on which the access control depends. This ensures that users will not be deprived of permissions due to tag modifications.
  3. Attach the custom policy to RAM users or user groups whose access you want to control. For more information, see Grant permissions to a RAM role. In this step, attach the UserTagAccessRes policy to the userTest RAM user.
    Note If you attach the UserTagAccessRes policy to an existing RAM user, check the policies that are already attached to that user. Permissions granted by other attached policies are combined with those of this policy, so the tag-based restriction may not take effect as expected.
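    The following Python script is an added example, not part of this topic or of any Alibaba Cloud SDK. It is a simplified evaluator for the UserTagAccessRes policy above, applying the RAM evaluation order (an explicit Deny overrides any Allow, and a request with no matching Allow is denied) and the StringEquals condition on ecs:tag/ keys. The instance IDs and tags are constructed sample data; the simulator checks the tag condition against each resource's own tags, which is enough to show why an instance missing one tag is inaccessible, why tag-management calls are denied even though ecs:* is allowed, and why the unfiltered instance list in Step 3 is empty.

```python
import fnmatch
import json

# Policy document copied from Step 1 of this topic.
POLICY = json.loads("""
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ecs:tag/owner": "zhangsan",
                    "ecs:tag/environment": "production"
                }
            }
        },
        {
            "Action": ["ecs:DescribeTagKeys", "ecs:DescribeTags"],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": ["ecs:DeleteTags", "ecs:UntagResources",
                       "ecs:CreateTags", "ecs:TagResources"],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
""")

# Constructed sample instances (hypothetical IDs) with the tags bound to them.
INSTANCES = {
    "i-constructed-0001": {"owner": "zhangsan", "environment": "production"},
    "i-constructed-0002": {"owner": "zhangsan"},                 # environment tag missing
    "i-constructed-0003": {"owner": "lisi", "environment": "production"},
}


def action_matches(pattern, action):
    """Match a policy action such as "ecs:*" against a request action, case-insensitively."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def condition_matches(condition, resource_tags):
    """Evaluate the condition subset used in this policy: StringEquals on ecs:tag/<key>.
    Every listed key must be present on the resource with exactly the expected value."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ecs:tag/"):
            raise ValueError(f"unsupported condition key: {key}")
        tag_key = key[len("ecs:tag/"):]
        expected_values = expected if isinstance(expected, list) else [expected]
        if resource_tags.get(tag_key) not in expected_values:
            return False
    return True


def evaluate(policy, action, resource_tags):
    """Return "Allow" or "Deny" for one action against a resource with the given tags.
    Order of precedence: explicit Deny > Allow > default Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(action_matches(p, action) for p in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny ends evaluation immediately
        allowed = True
    return "Allow" if allowed else "Deny"


def visible_instances(policy, instances):
    """Instance IDs the RAM user may access, i.e. the ones that appear in Step 3
    once the console request carries the required tags."""
    return sorted(
        iid for iid, tags in instances.items()
        if evaluate(policy, "ecs:DescribeInstances", tags) == "Allow"
    )


if __name__ == "__main__":
    for iid, tags in INSTANCES.items():
        print(iid, tags, "->", evaluate(POLICY, "ecs:StopInstance", tags))
    print("TagResources on a matching instance ->",
          evaluate(POLICY, "ecs:TagResources", INSTANCES["i-constructed-0001"]))
    print("DescribeTags (no resource tags)   ->", evaluate(POLICY, "ecs:DescribeTags", {}))
    print("visible instances:", visible_instances(POLICY, INSTANCES))
```

    Only i-constructed-0001 is accessible: the StringEquals block requires both tags, so a resource with a single matching tag fails the condition, and the third statement's Deny wins over the ecs:* Allow for every tag-management call. The two query actions in the second statement carry no tag condition, which is why the user can still browse tag keys in the console.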

Step 2: Use the Alibaba Cloud account to add tags to existing resources

You can add tags to existing resources to control access to the resources. This section describes how to use an Alibaba Cloud account to add tags to existing ECS instances.

Note If you have no existing ECS instances, create an instance first. For more information, see Creation method overview.
  1. Log on to the ECS console.
  2. In the left-side navigation pane, click Tags.
  3. On the Tags page, click Create/Bind Tags. In the Create/Bind Tags panel, create the owner: zhangsan and environment: production tags and bind them to existing ECS instances. For more information about how to add a tag to a resource, see Create or bind a tag.

Step 3: Use the RAM user to access instances to which tags are added

Use the userTest RAM user, to which the UserTagAccessRes policy is attached, to log on to the ECS console and access the instances to which the tags are added.

Note ECS resources to which tags can be added include instances, Elastic Block Storage (EBS) devices, snapshots, images, security groups, elastic network interfaces (ENIs), dedicated hosts, SSH key pairs, and launch templates. In the example, ECS instances are used.
  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region. No instances are displayed on the Instances page until you filter by the tags.
    (Figure: Instances page)
  4. Specify the owner: zhangsan and environment: production tags as filter conditions to view the instances that the RAM user is allowed to access.
    (Figure: Filter 1)