You can create custom policies that provide tag information and attach the policies to Resource Access Management (RAM) users to grant different access and operation permissions on cloud resources based on tags. This topic describes how to attach a custom policy that contains a specific tag to a RAM user to restrict Elastic Compute Service (ECS) resources from being created by the RAM user if they do not have the tag added.

Prerequisites

A RAM user is created by using your Alibaba Cloud account. For more information, see Create a RAM user.

Background information

Tags can be added to resources of ECS and other Alibaba Cloud services. For more information about the services that support tagging, see Services that support tags. By default, you can optionally add tags to resources when you create the resources. If you want to ensure that new resources have a specific tag added, you can create a custom policy that contains the tag. Then, you can attach this policy to a RAM user to control what operations the RAM user can perform on resources that have this tag added.

Step 1: Create a RAM policy by using your Alibaba Cloud account and attach the policy to a RAM user

To ensure that resources created by a RAM user have a specific tag added, create a custom policy that contains the tag and attach the policy to the RAM user. In this step, the BindTagForRes custom policy is created and attached to the userTest RAM user. Based on the policy, when the RAM user creates an ECS resource, the RAM user must add a specific tag to the resource and select a virtual private cloud (VPC) that has a specific tag added. In this example, the VPC must have the user:lisi tag added, and the owner:zhangsan tag must be added to the ECS resource.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create the BindTagForRes custom policy. For more information, see Create a custom policy.
    The following policy is used in this step. You can configure permissions in the policy based on your business needs.
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/owner": "zhangsan"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "vpc:tag/user": "lisi"
                    }
                }
            },
            {
                "Action": [
                    "ecs:DescribeTagKeys",
                    "ecs:ListTagResources",
                    "ecs:DescribeTags",
                    "ecs:DescribeKeyPairs",
                    "ecs:DescribeImages",
                    "ecs:DescribeSecurityGroups",
                    "ecs:DescribeLaunchTemplates",
                    "ecs:DescribeDedicatedHosts",
                    "ecs:DescribeDedicatedHostTypes",
                    "ecs:DescribeAutoSnapshotPolicyEx",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches",
                    "bss:PayOrder"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:RemoveTags",
                    "ecs:UntagResources",
                    "ecs:AddTags",
                    "ecs:TagResources"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }
    The following table describes the permissions that the policy grants or denies.

    Permissions granted to create or access resources that have a specific tag added
      Parameter: "ecs:tag/owner": "zhangsan"
      Description:
      • The policy statement requires that the specific tag be added when resources are created.
      • The policy statement controls access to resources that have the specific tag added.

    Permissions granted to call the API operations that are used to query tags
      Parameters:
      • ecs:DescribeTagKeys
      • ecs:ListTagResources
      • ecs:DescribeTags
      Description: The policy statement allows the RAM user to query tags in the ECS console.

    Permissions granted to call the API operations that are used to query ECS resources
      Parameters:
      • ecs:DescribeKeyPairs
      • ecs:DescribeImages
      • ecs:DescribeSecurityGroups
      • ecs:DescribeLaunchTemplates
      • ecs:DescribeDedicatedHosts
      • ecs:DescribeDedicatedHostTypes
      • ecs:DescribeAutoSnapshotPolicyEx
      Description: The policy statement allows the RAM user to filter resources by tag. These permissions are required to create resources in the ECS console. Permissions on key pairs, images, security groups, instances, dedicated hosts, and snapshots are configured in this step.

    Permissions granted to call the API operations that are used to query VPC resources
      Parameters:
      • vpc:DescribeVpcs
      • vpc:DescribeVSwitches
      Description: The policy statement allows the RAM user to query existing VPCs and vSwitches.

    Permissions granted to call the API operation that is used to pay for orders
      Parameter: bss:PayOrder
      Description: This operation applies only to subscription resources.

    Permissions denied to call the API operations that are used to manage tags
      Parameters:
      • ecs:RemoveTags
      • ecs:UntagResources
      • ecs:AddTags
      • ecs:TagResources
      Description: The policy statement prevents the RAM user from calling tag-related API operations, which avoids loss of control over resources caused by tag modifications. You can grant these permissions based on your business needs. Exercise caution when you do so.

    Permissions granted to select a VPC that has a specific tag added
      Parameter: "vpc:tag/user": "lisi"
      Description: The policy statement specifies that the VPC used to create resources must have a specific tag added. You can modify the statement to remove this constraint on VPCs if your business does not need it.
  3. Attach the custom policy to the RAM user or group for which you want to control access. For more information, see Grant permissions to a RAM role. In this step, the BindTagForRes custom policy is attached to the userTest RAM user.
    Note Issues may occur if you attach the BindTagForRes policy to an existing RAM user that already has multiple policies.
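The following Python script is an added example, not code from Alibaba Cloud or from this page. It models how the BindTagForRes policy shown above decides a request, so that the outcomes described in Step 1 and Step 3 (instance creation denied without the owner:zhangsan tag or without a VPC tagged user:lisi, tag-management calls denied outright) can be traced statement by statement. It implements only the rules this page relies on: an explicit Deny wins over any Allow, an Allow with a StringEquals condition applies only when every listed key is present in the request context with exactly that value, and a request matching no Allow is denied. One point is an assumption of the model rather than something the page states: a request that touches several resources (the instance being created and the VPC it is placed in) is treated as allowed only if each resource is authorized on its own, which is what makes both tags required. The policy is copied from Step 1; all request contexts and the tag value wangwu are constructed.

```python
"""Model of how the BindTagForRes policy decides a request (added example)."""
import fnmatch

# The custom policy from Step 1 of the page, as a Python dict.
BIND_TAG_FOR_RES = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
         "Condition": {"StringEquals": {"ecs:tag/owner": "zhangsan"}}},
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
         "Condition": {"StringEquals": {"vpc:tag/user": "lisi"}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:DescribeTagKeys", "ecs:ListTagResources", "ecs:DescribeTags",
                    "ecs:DescribeKeyPairs", "ecs:DescribeImages", "ecs:DescribeSecurityGroups",
                    "ecs:DescribeLaunchTemplates", "ecs:DescribeDedicatedHosts",
                    "ecs:DescribeDedicatedHostTypes", "ecs:DescribeAutoSnapshotPolicyEx",
                    "vpc:DescribeVpcs", "vpc:DescribeVSwitches", "bss:PayOrder"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["ecs:RemoveTags", "ecs:UntagResources", "ecs:AddTags", "ecs:TagResources"]},
    ],
}


def _action_matches(stmt_action, action):
    """Statement Action may be a string or a list; "ecs:*" style wildcards apply."""
    patterns = stmt_action if isinstance(stmt_action, list) else [stmt_action]
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _condition_matches(stmt, context):
    """Only StringEquals is modelled: every listed key must be present in the
    request context with exactly the required value. A key that is missing
    from the context (for example no owner tag on the new instance) fails."""
    required = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(key) == value for key, value in required.items())


def evaluate_resource(policy, action, context):
    """Decision for one resource: 'Deny' if any matching Deny statement,
    'Allow' if any matching Allow statement, otherwise implicit 'Deny'."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit Deny overrides any Allow
        allowed = True
    return "Allow" if allowed else "Deny"


def evaluate_request(policy, action, contexts):
    """ASSUMPTION of this model: every resource the request touches must be
    allowed on its own for the request to succeed."""
    return all(evaluate_resource(policy, action, c) == "Allow" for c in contexts)


def can_create_instance(instance_tags, vpc_tags, policy=BIND_TAG_FOR_RES):
    """Would ecs:RunInstances succeed for an instance tagged `instance_tags`
    placed in a VPC tagged `vpc_tags`? Both arguments are {key: value} dicts."""
    contexts = [
        {f"ecs:tag/{k}": v for k, v in instance_tags.items()},  # the new instance
        {f"vpc:tag/{k}": v for k, v in vpc_tags.items()},       # the selected VPC
    ]
    return evaluate_request(policy, "ecs:RunInstances", contexts)


if __name__ == "__main__":
    # Constructed scenarios mirroring the page: only the first one succeeds.
    scenarios = [
        ("owner:zhangsan in VPC user:lisi", {"owner": "zhangsan"}, {"user": "lisi"}),
        ("no owner tag in VPC user:lisi", {}, {"user": "lisi"}),
        ("owner:zhangsan in VPC user:wangwu", {"owner": "zhangsan"}, {"user": "wangwu"}),
        ("owner:zhangsan in untagged VPC", {"owner": "zhangsan"}, {}),
    ]
    for label, inst, vpc in scenarios:
        print(f"{label:40s} -> {'allowed' if can_create_instance(inst, vpc) else 'denied'}")
    print("ecs:AddTags on own instance       ->",
          evaluate_resource(BIND_TAG_FOR_RES, "ecs:AddTags", {"ecs:tag/owner": "zhangsan"}))
```

The last line is the one to notice when adapting the policy: the Deny statement matches ecs:AddTags even though the first Allow statement also matches, so the RAM user cannot retag an instance they otherwise fully control. If you later grant tag-management permissions, remove the Deny statement rather than adding another Allow, because an Allow never overrides a Deny.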

Step 2: Create and configure a VPC by using the Alibaba Cloud account

Based on the custom policy created in Step 1, when you create an ECS resource, you must select a VPC that has the user:lisi tag added. Create a VPC and add the tag to the VPC before you create an ECS resource. If a VPC does not have the user:lisi tag added, you cannot create the ECS resource in the VPC.

Note You cannot add a tag to a VPC while the VPC is being created. You can only call the TagResources operation to add a tag to the VPC after the VPC is created.
  1. Create a VPC by using the Alibaba Cloud account. For more information, see Create and manage a VPC.
  2. Call the TagResources operation to add the user:lisi tag to the VPC.
    You can also add other tags to the VPC.
  3. Call the ListTagResources operation to query the VPC created in this step. If the response contains "TagKey": "user" and "TagValue": "lisi", the user:lisi tag is added to the VPC.
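The check in step 3 is easy to get wrong when automated: the response must contain "TagKey": "user" and "TagValue": "lisi" in the same entry for the VPC you created, not merely somewhere in the response. The following Python script is an added example, not the VPC SDK or code from this page. The response is constructed to follow the shape of a ListTagResources response (a TagResources.TagResource list whose entries carry ResourceId, ResourceType, TagKey and TagValue); the VPC IDs, the env:test tag and the value wangwu are made up. The second VPC in the sample carries user:wangwu and owner:lisi, so a check that looks for the key and the value independently would accept it even though it lacks the user:lisi tag the policy requires.

```python
"""Verify that a VPC carries the user:lisi tag from a ListTagResources-style
response (added example; the response below is constructed)."""

# Constructed sample shaped like a VPC ListTagResources response for two VPCs.
SAMPLE_RESPONSE = {
    "RequestId": "constructed-request-id",
    "NextToken": "",
    "TagResources": {
        "TagResource": [
            {"ResourceId": "vpc-example-ok", "ResourceType": "VPC",
             "TagKey": "user", "TagValue": "lisi"},
            {"ResourceId": "vpc-example-ok", "ResourceType": "VPC",
             "TagKey": "env", "TagValue": "test"},
            {"ResourceId": "vpc-example-bad", "ResourceType": "VPC",
             "TagKey": "user", "TagValue": "wangwu"},
            {"ResourceId": "vpc-example-bad", "ResourceType": "VPC",
             "TagKey": "owner", "TagValue": "lisi"},
        ]
    },
}

# The tag the BindTagForRes policy requires on the VPC (from the page).
REQUIRED_VPC_TAG = ("user", "lisi")


def tags_of(response, resource_id):
    """Collect {TagKey: TagValue} for one resource from a response page."""
    entries = response.get("TagResources", {}).get("TagResource", [])
    return {e["TagKey"]: e["TagValue"]
            for e in entries if e.get("ResourceId") == resource_id}


def has_tag(response, resource_id, key, value):
    """True only if the resource carries exactly this key:value pair.
    Pairing key and value inside one entry is what makes the check sound."""
    return tags_of(response, resource_id).get(key) == value


def usable_vpcs(response, required=REQUIRED_VPC_TAG):
    """IDs of every VPC in the response that satisfies the policy's VPC tag
    condition, in the order they first appear."""
    key, value = required
    seen = []
    for entry in response.get("TagResources", {}).get("TagResource", []):
        rid = entry.get("ResourceId")
        if rid not in seen and has_tag(response, rid, key, value):
            seen.append(rid)
    return seen


if __name__ == "__main__":
    for vpc_id in ("vpc-example-ok", "vpc-example-bad", "vpc-example-missing"):
        ok = has_tag(SAMPLE_RESPONSE, vpc_id, *REQUIRED_VPC_TAG)
        print(f"{vpc_id:20s} tags={tags_of(SAMPLE_RESPONSE, vpc_id)} usable={ok}")
    print("VPCs that satisfy the policy:", usable_vpcs(SAMPLE_RESPONSE))
```

If a VPC has many tags, ListTagResources may return them across several pages; run the check over each page until NextToken is empty and merge the results, rather than deciding from the first page alone.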

Step 3: Create an ECS resource by using the RAM user

Log on to the ECS console as the userTest RAM user and create an ECS instance that has the specific tag added.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. Click Create Instance to create an instance.
    Note You must select the VPC to which the user:lisi tag was added in Step 2 and add the owner:zhangsan tag to the ECS instance. If you do not add the owner:zhangsan tag, the ECS instance cannot be created and the "You are not authorized to create ECS instances" message is displayed.
    Figure: Add the specific tag

What to do next

You can add specific tags to control access to existing resources, or access resources that have specific tags added. For more information, see Control access to resources by using tags.