After you add tags to your Elastic Compute Service (ECS) resources, you can use the tags to categorize the resources and control access to them. This topic describes how to use tags to control the access of a RAM user to ECS instances.
Prerequisites
A RAM user is created within your Alibaba Cloud account. For more information, see Create a RAM user.
Background information
Tags are used to identify cloud resources. The tags help you categorize, search for, and aggregate cloud resources that have the same characteristics from different dimensions. This simplifies resource management. You can add multiple tags to each cloud resource. For more information about the cloud services and resources that support tags, see Services that work with Tag.
Alibaba Cloud implements policy-based access control. You can configure RAM policies based on the roles of RAM users. You can define multiple tags in each policy and attach one or more policies to RAM users or RAM user groups.
By default, all resources within the current region are displayed in the resource list. To control the resources that are accessible to a RAM user, create a custom policy in which specific tags are specified, attach the policy to the RAM user, and add the tags to the resources.
Step 1: Create a custom policy and attach the policy to a RAM user
Create a custom policy named UserTagAccessRes by using an Alibaba Cloud account and attach the policy to the userTest RAM user. The UserTagAccessRes policy defines that you must specify the owner:zhangsan and environment:production tags when you use the RAM user to access ECS resources.
Log on to the RAM console with your Alibaba Cloud account.
Create a custom policy named UserTagAccessRes.
For more information, see Create a custom policy.
The following code provides the document of the policy. You can configure multiple tags for cloud resources in a policy.
{ "Statement": [ { "Effect": "Allow", "Action": "ecs:*", "Resource": "*", "Condition": { "StringEquals": { "acs:RequestTag/owner": "zhangsan", "acs:RequestTag/environment": "production" } } }, { "Action": [ "ecs:DescribeTagKeys", "ecs:DescribeTags" ], "Effect": "Allow", "Resource": "*" }, { "Effect": "Deny", "Action": [ "ecs:DeleteTags", "ecs:UntagResources", "ecs:CreateTags", "ecs:TagResources" ], "Resource": "*" } ], "Version": "1" }Permission
Configuration
Description
Access resources to which specific tags are added
"acs:RequestTag/owner": "zhangsan""acs:RequestTag/environment": "production"
You can control access to resources to which the specific tags are added.
Call the API operations that are used to query tags
ecs:DescribeTagKeysecs:DescribeTags
You can query tags in the ECS console.
Not allowed to call the API operations that are used to manage tags
ecs:DeleteTagsecs:UntagResourcesecs:CreateTagsecs:TagResources
The policy excludes all tag-related API operations from its permissions. This ensures that users still have permissions regardless of tag modifications.
Attach the custom policy to the userTest RAM user.
For more information, see Grant permissions to RAM users.
Step 2: Add tags to ECS instances
Use an Alibaba Cloud account to add tags to ECS instances.
If you do not have ECS instances, create ECS instances first. For more information, see Creation methods.
Log on to the Resource Management console. The Tags page appears.
In the top navigation bar, select a region.
On the Custom Tags tab, click Create Custom Tags.
In the Create Custom Tags dialog box, add the
owner:zhangsanandenvironment: productiontags to existing ECS instances.For more information, see Add a custom tag.
Step 3: Access ECS instances to which specific tags are added
Log on to the ECS console as the userTest RAM user and access instances to which specific tags are added.
Log on to the ECS console as the RAM user.
In the left-side navigation pane, choose .
In the top navigation bar, select a region.
On the Instances page, click Tags next to the search box and select the
owner:zhangsanandenvironment:productiontags.
View the resources to which only the
owner:zhangsanandenvironment:productiontags are added.