You can attach a custom policy to a Resource Access Management (RAM) user. This allows the RAM user to add specific tags to the Elastic Compute Service (ECS) resources that the RAM user wants to create. Otherwise, the ECS resources cannot be created. The combination of tags and RAM users allows different RAM users to have different access and operation permissions on cloud resources based on tags.

Prerequisites

A RAM user is created in your Alibaba Cloud account. For more information, see Create a RAM user.

Step 1: Create a custom policy and attach the policy to a RAM user

In this step, the BindTagForRes custom policy is attached to the userTest RAM user. When the RAM user creates an ECS resource, the RAM user must add a specific tag to the resource and select a virtual private cloud (VPC) to which a specific tag is added. In this example, the user:lisi tag is added to the VPC, and the owner:zhangsan tag is added to the ECS resource.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create the BindTagForRes custom policy. For more information, see Create a custom policy.

    Policy document:

    {
        "Statement": [
            {
               "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/owner": "zhangsan"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "vpc:tag/user": "lisi"
                    }
                }
            },
            {
                "Action": [
                    "ecs:DescribeTagKeys",
                    "ecs:ListTagResources",
                    "ecs:DescribeTags",
                    "ecs:DescribeKeyPairs",
                    "ecs:DescribeImages",
                    "ecs:DescribeSecurityGroups",
                    "ecs:DescribeLaunchTemplates",
                    "ecs:DescribeDedicatedHosts",
                    "ecs:DescribeDedicatedHostTypes",
                    "ecs:DescribeAutoSnapshotPolicyEx",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeVSwitches",
                    "bss:PayOrder"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:DeleteTags",
                    "ecs:UntagResources",
                    "ecs:CreateTags",
                    "ecs:TagResources"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }

    The following table lists the permissions defined in the preceding policy.

    PermissionParameter
    Create or access a resource to which a specific tag is added"ecs:tag/owner": "zhangsan"
    Call the API operations that are used to query tags
    • ecs:DescribeTagKeys
    • ecs:ListTagResources
    • ecs:DescribeTags
    Call the API operations that are used to query ECS resources
    • ecs:DescribeKeyPairs
    • ecs:DescribeImages
    • ecs:DescribeSecurityGroups
    • ecs:DescribeLaunchTemplates
    • ecs:DescribeDedicatedHosts
    • ecs:DescribeDedicatedHostTypes
    • ecs:DescribeAutoSnapshotPolicyEx
    Call the API operations that are used to query VPC resources
    • vpc:DescribeVpcs
    • vpc:DescribeVSwitches
    Call the API operation that is used to pay for ordersbss:PayOrder
    Not allowed to call the API operations that are used to manage tags
    • ecs:DeleteTags
    • ecs:UntagResources
    • ecs:CreateTags
    • ecs:TagResources
    Add a tag to a VPC"vpc:tag/user": "lisi"
  3. Attach the BindTagForRes custom policy to the userTest RAM user. For more information, see Grant permissions to the RAM user.

Step 2: Add a tag to a VPC

The custom policy created in Step 1: Create a custom policy and attach the policy to a RAM user requires that you select a VPC to which the user:lisi tag is added when you create an ECS resource. Therefore, you must have VPCs to which the tag is added. If you do not have such VPCs, you cannot create the ECS resource.

Important If you do not have a VPC, create one first. For more information, see Create and manage a VPC.
  1. Log on to the Resource Management console.
  2. In the left-side navigation pane, choose Tag > Tag.
  3. In the top navigation bar, select a region.
  4. On the Custom Tags tab, click Create Custom Tags.
  5. In the Create Custom Tags dialog box, create the user:lisi tag. Then, add the tag to an existing VPC.
    For more information, see Add a custom tag.

Step 3: Create an ECS resource and add a specific tag to the ECS resource

Log on to the ECS console by using the userTest RAM user and create an ECS instance and add a specific tag to the ECS instance.

  1. Log on to the ECS console by using the RAM user.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select the desired region.
  4. Click Create Instance to create an ECS instance.
    Important You must select the VPC to which the user:lisi tag is added in Step 2: Add a tag to a VPC and add the owner:zhangsan tag to the ECS instance. If you do not add the owner:zhangsan tag to the instance, the instance cannot be created, and the You are not authorized to create ECS instances message appears.
    Add a specific tag

References

You can add specific tags to existing resources so that you can control access to these resources. You can also access the resources to which specific tags are added. For more information, see Control access to resources by using tags.