After you add tags to your Elastic Compute Service (ECS) resources, you can use the tags to categorize and control access to the resources. This topic uses ECS instances to demonstrate how to attach a policy to a RAM user and how the user uses tags to control access to the ECS instances.

Prerequisites

A RAM user is created within your Alibaba Cloud account. For more information, see Create a RAM user.

Background information

Tags are used to identify cloud resources. The tags help you categorize, search for, and aggregate cloud resources that have the same characteristics from different dimensions. This simplifies resource management. You can add multiple tags to each cloud resource. For more information about cloud resources that support tags and the types of these resources, see Alibaba Cloud services that support tags and Types of resources that support Tag API operations.

Alibaba Cloud implements policy-based access control. You can configure RAM policies based on the roles of RAM users. You can define multiple tags in each policy and attach one or more policies to RAM users or RAM user groups.

By default, all resources within the current region are displayed in the resource list. To control the resources that are accessible to a RAM user, create a custom policy, attach the policy to the user, and add tags to the resources.

Step 1: Create a custom policy and attach the policy to a RAM user

In this step, create a custom policy named UserTagAccessRes by using an Alibaba Cloud account and attach the policy to the userTest RAM user. The UserTagAccessRes policy defines that the RAM user must specify the owner:zhangsan and environment:production tags before the user accesses ECS resources.

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create the UserTagAccessRes custom policy.

    For more information, see Create a custom policy.

    The following code shows how to configure multiple tags for cloud resources in a policy: 

    {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ecs:tag/owner": "zhangsan",
                    "ecs:tag/environment": "production"
                }
            }
        },
        {
            "Action": [
                "ecs:DescribeTagKeys",
                "ecs:DescribeTags"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ecs:DeleteTags",
                "ecs:UntagResources",
                "ecs:CreateTags",
                "ecs:TagResources"
            ],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
    Permission Parameter Description
    Access resources to which specific tags are added
    • "ecs:tag/owner": "zhangsan"
    • "ecs:tag/environment": "production"
    		 You can control access to resources to which specific tags are added.
    Call the API operations that are used to query tags
    • ecs:DescribeTagKeys
    • ecs:DescribeTags
    		 You can query tags in the ECS console.
    Not allowed to call the API operations that are used to manage tags
    • ecs:DeleteTags
    • ecs:UntagResources
    • ecs:CreateTags
    • ecs:TagResources
    		 The policy excludes all tag-related API operations from its permissions. This ensures that users still have permissions regardless of tag modifications.
  3. Attach the custom policy to the userTest RAM user.
    For more information, see Grant permissions to a RAM user.

Step 2: Add tags to ECS instances

In this step, use an Alibaba Cloud account to add tags to ECS instances.

Note If you do not have ECS instances, create an instance first. For more information, see Creation method overview.
  1. Log on to the Resource Management console.
  2. In the left-side navigation pane, choose Tag > Tag.
  3. In the top navigation bar, select a region.
  4. On the Custom Tags tab, click Create Custom Tags.
  5. In the Create Custom Tags dialog box, add the owner:zhangsan and environment: production tags to existing ECS instances.
    For more information, see Add a custom tag.

Step 3: Access ECS instances to which specific tags are added

In this step, use the userTest RAM user to which the UseTagAccessRes policy is attached to log on to the ECS console and access ECS instances to which specific tags are added.

  1. Log on to the ECS console by using the RAM user.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select the desired region. No instances are displayed on the Instances page.
  4. Specify tags to view resources.