You can attach tags to Elastic Compute Service (ECS) instances and specify authorized tags in custom policies of Resource Access Management (RAM). This lets you use tags to restrict RAM users to view and manage only specific ECS instances.
Background information
The following figure shows the logic for restricting RAM user permissions based on tags, also known as tag-based authentication.
In a custom policy, you can specify authorized tags in the Condition element. Tags support the following condition keys:
- acs:RequestTag/<tag-key>: The tag information passed in a request. This means that when a user calls an API operation, the tag must be included in the request parameters.
- acs:ResourceTag/<tag-key>: The tag information attached to the requested resource. This means that when a user performs an operation on a resource, the resource must have the specified tag.
Procedure
This section provides an example of how to allow a RAM user named Alice to view and manage only the ECS instances to which the tags owner:alice and environment:production are attached. Alice cannot view or manage other ECS instances.
The ECS instances continue to run as normal during this authorization process.
Perform the following steps as an account administrator.
In the RAM console, create a RAM user named Alice.
For more information, see Create a RAM user.
Attach tags to the required ECS instances.
In this example, attach the tags owner:alice and environment:production to the ECS instances. You can use one of the following methods to attach tags:
- In the Tag console. For more information, see Create a tag and Attach a tag.
- In the ECS console. For more information, see Create and attach a tag.
In the RAM console, create a custom policy named UseTagAccessRes.
The following code shows the policy document. For more information, see Create a custom policy.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/owner": ["alice"],
          "acs:ResourceTag/environment": ["production"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/owner": ["alice"],
          "acs:RequestTag/environment": ["production"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:List*",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceVncUrl",
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstanceAttachmentAttributes",
        "ecs:DescribeInstancesFullStatus",
        "ecs:DescribeInstanceHistoryEvents",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeInstanceMaintenanceAttributes",
        "ecs:DescribeInstanceModificationPrice",
        "ecs:DescribeA*",
        "ecs:DescribeC*",
        "ecs:DescribeD*",
        "ecs:DescribeE*",
        "ecs:DescribeH*",
        "ecs:DescribeIm*",
        "ecs:DescribeInv*",
        "ecs:DescribeK*",
        "ecs:DescribeL*",
        "ecs:DescribeM*",
        "ecs:DescribeN*",
        "ecs:DescribeP*",
        "ecs:DescribeR*",
        "ecs:DescribeS*",
        "ecs:DescribeT*",
        "ecs:DescribeZ*",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:DeleteTags",
        "ecs:UntagResources",
        "ecs:CreateTags",
        "ecs:TagResources"
      ],
      "Resource": "*"
    }
  ]
}

Policy description:

Policy content:
{ "Effect": "Allow", "Action": "ecs:*", "Resource": "*",
  "Condition": { "StringEquals": { "acs:RequestTag/owner": "alice", "acs:RequestTag/environment": "production" } } }
Description: Allows filtering of ECS instances by the tags owner:alice and environment:production.

Policy content:
{ "Effect": "Allow", "Action": "ecs:*", "Resource": "*",
  "Condition": { "StringEquals": { "acs:ResourceTag/owner": ["alice"], "acs:ResourceTag/environment": ["production"] } } }
Description: Allows management operations on ECS instances to which the tags owner:alice and environment:production are attached.

Policy content:
{ "Effect": "Allow",
  "Action": [ "ecs:List*", "ecs:DescribeInstanceStatus", "ecs:DescribeInstanceVncUrl", "ecs:DescribeInstanceAutoRenewAttribute",
              "ecs:DescribeInstanceRamRole", "ecs:DescribeInstanceTypeFamilies", "ecs:DescribeInstanceTypes",
              "ecs:DescribeInstanceAttachmentAttributes", "ecs:DescribeInstancesFullStatus", "ecs:DescribeInstanceHistoryEvents",
              "ecs:DescribeInstanceMonitorData", "ecs:DescribeInstanceMaintenanceAttributes", "ecs:DescribeInstanceModificationPrice",
              "ecs:DescribeA*", "ecs:DescribeC*", "ecs:DescribeD*", "ecs:DescribeE*", "ecs:DescribeH*", "ecs:DescribeIm*",
              "ecs:DescribeInv*", "ecs:DescribeK*", "ecs:DescribeL*", "ecs:DescribeM*", "ecs:DescribeN*", "ecs:DescribeP*",
              "ecs:DescribeR*", "ecs:DescribeS*", "ecs:DescribeT*", "ecs:DescribeZ*", "vpc:DescribeVpcs", "vpc:DescribeVSwitches" ],
  "Resource": "*" }
Description: Allows viewing information about ECS instances.

Policy content:
{ "Effect": "Deny", "Action": [ "ecs:DeleteTags", "ecs:UntagResources", "ecs:CreateTags", "ecs:TagResources" ], "Resource": "*" }
Description: Denies deleting, detaching, creating, and attaching tags. This prevents the RAM user from losing permissions by modifying tags.
In the RAM console, grant the required permissions to the RAM user Alice.
Set Resource Scope to Account, select the RAM user Alice as the Principal, and select the custom policy UseTagAccessRes. For more information, see Grant permissions to a RAM user.
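As an added illustration (not part of this page and not Alibaba Cloud's RAM policy engine), the following Python script models how the UseTagAccessRes policy above decides a request. It keeps only the pieces the policy relies on: `*` wildcards in action names, StringEquals over acs:ResourceTag and acs:RequestTag keys, and an explicit Deny overriding any Allow. The embedded policy is a copy of the one above with the read-only Describe list abbreviated; the tag sets and action names in the checks are constructed for the example.

```python
import fnmatch
import json

# Constructed copy of the page's UseTagAccessRes policy. The read-only
# Describe/List action list is abbreviated to keep the example short.
POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
     "Condition": {"StringEquals": {
       "acs:ResourceTag/owner": ["alice"],
       "acs:ResourceTag/environment": ["production"]}}},
    {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
     "Condition": {"StringEquals": {
       "acs:RequestTag/owner": ["alice"],
       "acs:RequestTag/environment": ["production"]}}},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecs:List*", "ecs:DescribeInstanceTypes", "ecs:DescribeR*",
                "ecs:DescribeZ*", "vpc:DescribeVpcs", "vpc:DescribeVSwitches"]},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["ecs:DeleteTags", "ecs:UntagResources",
                "ecs:CreateTags", "ecs:TagResources"]}
  ]
}
""")


def _as_list(value):
    # Policy values may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def action_matches(patterns, action):
    """RAM action names support '*' wildcards; compare case-sensitively."""
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def condition_holds(condition, request_tags, resource_tags):
    """Evaluate a StringEquals block over acs:RequestTag/* and acs:ResourceTag/*.

    Every listed key must be present with one of the listed values; a missing
    tag makes the condition false. A statement with no Condition always holds.
    """
    for key, allowed in condition.get("StringEquals", {}).items():
        if key.startswith("acs:RequestTag/"):
            actual = request_tags.get(key[len("acs:RequestTag/"):])
        elif key.startswith("acs:ResourceTag/"):
            actual = resource_tags.get(key[len("acs:ResourceTag/"):])
        else:
            return False  # other condition keys are not modelled here
        if actual not in _as_list(allowed):
            return False
    return True


def evaluate(policy, action, request_tags=None, resource_tags=None):
    """Return 'Allow' or 'Deny' for one request.

    An explicit Deny wins over any Allow, and a request that no statement
    allows is denied by default.
    """
    request_tags = request_tags or {}
    resource_tags = resource_tags or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not action_matches(stmt["Action"], action):
            continue
        if not condition_holds(stmt.get("Condition", {}), request_tags, resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed tag sets for the walkthrough.
ALICE_TAGS = {"owner": "alice", "environment": "production"}
BOB_TAGS = {"owner": "bob", "environment": "production"}

if __name__ == "__main__":
    cases = [
        ("ecs:StopInstance on Alice's instance", "ecs:StopInstance", {}, ALICE_TAGS),
        ("ecs:StopInstance on Bob's instance", "ecs:StopInstance", {}, BOB_TAGS),
        ("ecs:RunInstances with both tags in the request", "ecs:RunInstances", ALICE_TAGS, {}),
        ("ecs:DescribeInstances without a tag filter", "ecs:DescribeInstances", {}, {}),
        ("ecs:DescribeInstances filtered by Alice's tags", "ecs:DescribeInstances", ALICE_TAGS, {}),
        ("ecs:TagResources on Alice's own instance", "ecs:TagResources", ALICE_TAGS, ALICE_TAGS),
    ]
    for label, action, req, res in cases:
        print(f"{label}: {evaluate(POLICY, action, req, res)}")
```

Two results are worth noting. ecs:DescribeInstances is not in the read-only Describe list, so in this model it is allowed only when the matching tags travel with the request, which is consistent with the page's note that instances appear in the console only after filtering by the tags. And ecs:TagResources is denied even on an instance that already carries Alice's tags, because the explicit Deny statement is evaluated regardless of the earlier Allow.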
Verify the result
Log on to the ECS console as the RAM user Alice.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
In the navigation pane on the left, choose .
In the upper-left corner of the top menu bar, select a region.
On the Instance page, click Filter by Tag next to the search bar, and select the owner:alice and environment:production tags.
Important: The RAM user can view the ECS instances with the specified tags only after filtering by those tags. Otherwise, no ECS instances are displayed.
You can now view and manage only the ECS instances to which the owner:alice and environment:production tags are attached.
References
For more information about the RAM authentication rules for ECS, see Authorization information.