You can attach a custom policy to a Resource Access Management (RAM) user that requires
the RAM user to add specific tags to the Elastic Compute Service (ECS) resources that
the RAM user creates. ECS resources that do not carry the required tags cannot be created.
The combination of tags and RAM users allows different RAM users to have different access
and operation permissions on cloud resources based on tags.
Prerequisites
A RAM user is created in your Alibaba Cloud account. For more information, see Create a RAM user.
Step 1: Create a custom policy and attach the policy to a RAM user
In this step, the BindTagForRes custom policy is attached to the userTest RAM user.
When the RAM user creates an ECS resource, the RAM user must add a specific tag to
the resource and select a virtual private cloud (VPC) to which a specific tag is added.
In this example, the user:lisi tag is added to the VPC, and the owner:zhangsan tag is added to the ECS resource.
- Log on to the RAM console by using an Alibaba Cloud account.
- Create the BindTagForRes custom policy. For more information, see Create a custom policy.
Policy document:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:tag/owner": "zhangsan"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "vpc:tag/user": "lisi"
        }
      }
    },
    {
      "Action": [
        "ecs:DescribeTagKeys",
        "ecs:ListTagResources",
        "ecs:DescribeTags",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeImages",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeLaunchTemplates",
        "ecs:DescribeDedicatedHosts",
        "ecs:DescribeDedicatedHostTypes",
        "ecs:DescribeAutoSnapshotPolicyEx",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "bss:PayOrder"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ecs:DeleteTags",
        "ecs:UntagResources",
        "ecs:CreateTags",
        "ecs:TagResources"
      ],
      "Resource": "*"
    }
  ],
  "Version": "1"
}
The following table lists the permissions defined in the preceding policy.
| Permission | Parameter |
| --- | --- |
| Create or access a resource to which a specific tag is added | "ecs:tag/owner": "zhangsan" |
| Call the API operations that are used to query tags | ecs:DescribeTagKeys, ecs:ListTagResources, ecs:DescribeTags |
| Call the API operations that are used to query ECS resources | ecs:DescribeKeyPairs, ecs:DescribeImages, ecs:DescribeSecurityGroups, ecs:DescribeLaunchTemplates, ecs:DescribeDedicatedHosts, ecs:DescribeDedicatedHostTypes, ecs:DescribeAutoSnapshotPolicyEx |
| Call the API operations that are used to query VPC resources | vpc:DescribeVpcs, vpc:DescribeVSwitches |
| Call the API operation that is used to pay for orders | bss:PayOrder |
| Not allowed to call the API operations that are used to manage tags (explicit Deny) | ecs:DeleteTags, ecs:UntagResources, ecs:CreateTags, ecs:TagResources |
| Add a tag to a VPC | "vpc:tag/user": "lisi" |
- Attach the BindTagForRes custom policy to the userTest RAM user. For more information,
see Grant permissions to a RAM user.
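The following script is an added example, not part of this page or of Alibaba Cloud's own tooling. It embeds a copy of the BindTagForRes policy above and evaluates sample requests against it so that the effect of each statement is visible: an ECS action carrying the required tags is allowed, the same action without tags is denied by default, the read-only Describe operations are allowed unconditionally, and the tag-management operations are denied even when the tags are present because the explicit Deny statement takes precedence. The evaluator models only what this policy uses (action wildcards, the StringEquals operator on `<service>:tag/<key>` condition keys, Deny overriding Allow, default Deny); that ordering and the `ecs:RunInstances` action used for the create request are assumptions, and the script is not the RAM policy engine.

```python
"""Added, simplified evaluator for the BindTagForRes policy shown on this page.

Models only action matching with '*' wildcards, the StringEquals operator on
'<service>:tag/<key>' condition keys, explicit Deny overriding Allow, and
default Deny when no statement matches. The ordering rules are an assumption
about RAM evaluation; this is not the real policy engine.
"""
from typing import Optional

# Constructed copy of the BindTagForRes policy document from this page.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
         "Condition": {"StringEquals": {"ecs:tag/owner": "zhangsan"}}},
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
         "Condition": {"StringEquals": {"vpc:tag/user": "lisi"}}},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ecs:DescribeTagKeys", "ecs:ListTagResources", "ecs:DescribeTags",
            "ecs:DescribeKeyPairs", "ecs:DescribeImages",
            "ecs:DescribeSecurityGroups", "ecs:DescribeLaunchTemplates",
            "ecs:DescribeDedicatedHosts", "ecs:DescribeDedicatedHostTypes",
            "ecs:DescribeAutoSnapshotPolicyEx", "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches", "bss:PayOrder"]},
        {"Effect": "Deny", "Resource": "*", "Action": [
            "ecs:DeleteTags", "ecs:UntagResources",
            "ecs:CreateTags", "ecs:TagResources"]},
    ],
}


def _action_matches(pattern: str, action: str) -> bool:
    """'ecs:*' matches every ECS action; '*' matches everything."""
    if pattern == "*":
        return True
    p_service, _, p_name = pattern.partition(":")
    service, _, name = action.partition(":")
    return p_service == service and p_name in ("*", name)


def _condition_holds(condition: Optional[dict], tags: dict) -> bool:
    """Check StringEquals on '<service>:tag/<key>' keys against request tags.

    `tags` maps a service ('ecs', 'vpc') to the tags present in the request
    context for that service. A tag absent from the context never matches.
    """
    if not condition:
        return True
    for cond_key, expected in condition.get("StringEquals", {}).items():
        service, _, tag_key = cond_key.partition(":tag/")
        if tags.get(service, {}).get(tag_key) != expected:
            return False
    return True


def evaluate(action: str, tags: dict, policy: dict = POLICY) -> str:
    """Return 'Allow' or 'Deny' for one request.

    Assumed RAM ordering: an explicit Deny beats any Allow, and a request
    that matches no statement is denied.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if not _condition_holds(stmt.get("Condition"), tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # Request context with the owner:zhangsan tag on the instance and the
    # user:lisi tag on the selected VPC (constructed sample input).
    both = {"ecs": {"owner": "zhangsan"}, "vpc": {"user": "lisi"}}
    print("create with tags:   ", evaluate("ecs:RunInstances", both))
    print("create without tags:", evaluate("ecs:RunInstances", {}))
    print("list images:        ", evaluate("ecs:DescribeImages", {}))
    print("tag resources:      ", evaluate("ecs:TagResources", both))
```

Because the Deny statement on the tag-management operations has no condition, it matches whenever one of those four actions is requested, so the RAM user cannot retag resources to escape the tag-based restriction even though the first two statements would otherwise allow `ecs:*`.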
Step 2: Add a tag to a VPC
The custom policy created in Step 1: Create a custom policy and attach the policy to a RAM user requires that you select a VPC to which the user:lisi tag is added when you create an ECS resource. Therefore, you must have VPCs to which the tag is added. If you do not have such VPCs, you cannot create the ECS resource.
- Log on to the Resource Management console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- On the Custom Tags tab, click Create Custom Tags.
- In the Create Custom Tags dialog box, create the user:lisi tag. Then, add the tag to an existing VPC.
Step 3: Create an ECS resource and add a specific tag to the ECS resource
Log on to the ECS console by using the userTest RAM user, create an ECS instance,
and add the required tag to the ECS instance.
- Log on to the ECS console by using the RAM user.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the desired region.
- Click Create Instance to create an ECS instance.
Note: You must select the VPC to which the user:lisi tag was added in Step 2: Add a tag to a VPC, and you must add the owner:zhangsan tag to the ECS instance. If you do not add the owner:zhangsan tag to the instance, the instance cannot be created, and the "You are not authorized to create ECS instances" message appears.

References
You can add specific tags to existing resources so that you can control access to
these resources. You can also access the resources to which specific tags are added.
For more information, see Control access to resources by using tags.