You can create custom policies that carry tag conditions and attach them to Resource Access Management (RAM) users, so that access to and operations on cloud resources are granted based on tags. This topic describes how to attach a custom policy that requires a specific tag to a RAM user, so that the RAM user cannot create Elastic Compute Service (ECS) resources unless the tag is added at creation time.
Prerequisites
A RAM user is created by using your Alibaba Cloud account. For more information, see Create a RAM user.
Background information
Tags can be added to resources of ECS and other Alibaba Cloud services. For more information about the services that support tagging, see Services that support tags. By default, adding tags when you create a resource is optional. If you want to ensure that every new resource carries a specific tag, create a custom policy whose conditions require that tag and attach the policy to a RAM user. The same policy then also controls which operations the RAM user can perform on resources that already carry the tag.
Step 1: Create a RAM policy by using your Alibaba Cloud account and attach the policy to a RAM user
To ensure that resources created by a RAM user have a specific tag added, create a custom policy that contains the tag condition and attach the policy to the RAM user. In this step, the BindTagForRes custom policy is created and attached to the userTest RAM user. Under this policy, when the RAM user creates an ECS resource, the RAM user must add a specific tag to the resource and must select a virtual private cloud (VPC) that already has a specific tag added. In this example, the VPC must have the user:lisi tag added, and the owner:zhangsan tag must be added to the ECS resource.
Note that a tag condition narrows an Allow statement; it does not deny anything by itself. The restriction is only effective if the RAM user has no other attached policy (for example, a system policy that grants ECS or VPC actions without conditions), because an unconditional Allow from any attached policy would let an untagged request through.
Step 2: Create and configure a VPC by using the Alibaba Cloud account
Based on the custom policy created in Step 1, when you create an ECS resource, you must select a VPC that has the user:lisi tag added. Create a VPC and add the tag to the VPC before you create an ECS resource. If a VPC does not have the user:lisi tag added, you cannot create the ECS resource in the VPC.
Step 3: Create an ECS resource by using the RAM user
Log on to the ECS console as the userTest RAM user, create an ECS instance in the VPC that has the user:lisi tag added, and add the owner:zhangsan tag when you configure the instance. The tag conditions are evaluated against the creation request itself, so if the tag is omitted or a VPC without the user:lisi tag is selected, the request fails the policy check and no untagged instance is created.
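The three steps above describe the policy and its effect without showing the policy document. The following is an added example, not code from the original page or from Alibaba Cloud: it reconstructs a BindTagForRes policy from the tutorial's description (two Allow statements with StringEquals conditions on the ecs:tag/owner and vpc:tag/user keys) and runs it through a deliberately simplified model of RAM authorization (explicit Deny wins, otherwise any matching Allow whose conditions hold, otherwise deny). The exact statement layout, the use of vpc:DescribeVpcs as the VPC operation the console performs when you select a VPC, and the evaluator itself are assumptions made for illustration.

```python
import json

# Illustrative BindTagForRes policy, reconstructed from the tutorial's description
# (assumption: the real policy may list more actions, e.g. Describe* without conditions).
# Condition keys follow the <service>:tag/<key> form used in RAM policies.
BIND_TAG_FOR_RES = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {"StringEquals": {"ecs:tag/owner": "zhangsan"}}
    },
    {
      "Effect": "Allow",
      "Action": "vpc:*",
      "Resource": "*",
      "Condition": {"StringEquals": {"vpc:tag/user": "lisi"}}
    }
  ]
}
""")


def _action_matches(pattern, action):
    # RAM action patterns are "<service>:<Operation>", optionally ending in "*".
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _conditions_hold(condition, context):
    # Only StringEquals is modelled. A key that is absent from the request context
    # never satisfies it, which is exactly why an untagged CreateInstance fails.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"condition operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def evaluate(policy, action, context):
    """Simplified RAM decision for one policy: explicit Deny wins, else any
    matching Allow whose conditions hold, else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def simulate_create_instance(instance_tags, vpc_tags):
    """Model Step 3: the RAM user creates an instance with instance_tags inside a
    VPC carrying vpc_tags. Both the ECS create call (request tags) and the VPC
    lookup (resource tags) must be allowed. Which VPC operation the console
    actually calls is an assumption; vpc:DescribeVpcs is used as a stand-in."""
    ecs_ctx = {f"ecs:tag/{k}": v for k, v in instance_tags.items()}
    vpc_ctx = {f"vpc:tag/{k}": v for k, v in vpc_tags.items()}
    ecs_decision = evaluate(BIND_TAG_FOR_RES, "ecs:CreateInstance", ecs_ctx)
    vpc_decision = evaluate(BIND_TAG_FOR_RES, "vpc:DescribeVpcs", vpc_ctx)
    return "Allow" if ecs_decision == vpc_decision == "Allow" else "Deny"


if __name__ == "__main__":
    # Constructed requests: the tutorial's happy path, then the two failure modes.
    print(simulate_create_instance({"owner": "zhangsan"}, {"user": "lisi"}))  # Allow
    print(simulate_create_instance({}, {"user": "lisi"}))                     # Deny: no owner tag
    print(simulate_create_instance({"owner": "zhangsan"}, {}))                # Deny: VPC untagged
```

The model makes the caveat from Step 1 visible: evaluate() returns Deny only because no statement allows the untagged request, so attaching a second policy with an unconditional ecs:* Allow would flip the result. When reviewing a tag-based policy, check every policy attached to the RAM user (and to any groups it belongs to), not just the one containing the tag condition.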
What to do next
You can add specific tags to control access to existing resources, or access resources that have specific tags added. For more information, see Control access to resources by using tags.