Tags are used to identify resources. Tags allow you to categorize, search for, and aggregate resources that have the same characteristics from different dimensions. This facilitates resource management. This topic describes how to add tags to resources and ensure tag compliance.
Why are tags required for resources?
As the number of cloud resources rapidly increases, it becomes increasingly unreliable to classify and manage resources based on human memory or manual records. Issues such as how to quickly identify resource ownership, determine cost attribution, and implement fine-grained permission management have become common challenges faced by enterprises.
To address these challenges, you can add tags to resources based on multiple dimensions such as department, project, and environment. These tags can help you manage resources, allocate costs, and perform fine-grained authorization from different dimensions, thereby improving resource management efficiency.
How can standardized tags be added to resources?
Stage 1: Plan and design tags
- Check whether the types of resources used by your business support tags and determine the tag-related capability items supported by the resource types. For more information, see Services that work with Tag.
- Define tagging dimensions, such as organizational structure, project, and purpose.
- Develop unified naming conventions for tags.
For more information, see Best practices for tag design.
Stage 2: Create predefined tags
You can create predefined tags in the Resource Management console based on your tag planning. When you add tags to resources, you can select tags from the predefined tags without the need to manually enter them. This ensures the accuracy of operations such as resource classification and permission assignment. For more information, see Create a tag.
For example, you can create a predefined tag whose key is CostCenter and value is Beijing or Shanghai.
Stage 3: Add tags to resources
Add tags to newly created resources
Add compliant tags when you create a resource
- Create a tag policy to enable pre-event interception of non-compliant tags.
You can use the pre-event interception feature of tag policies to ensure that compliant tags are added when you create a resource. Otherwise, the resource fails to be created. For more information, see Enable pre-event interception of non-compliant tags.
For example, you can create a tag policy to define that the CostCenter:Beijing or CostCenter:Shanghai tag must be added when you create Elastic Compute Service (ECS) instances. When you create an ECS instance, if you add a non-compliant tag such as CostCenter:beijing or CostCenter:Shenzhen or add no tags to the instance, the instance fails to be created.
On the Tag Policy Settings page, set Pre-Event Interception Without Tags to On.
In the Policy Scenario section, select Add Tags with Specified Tag Values to Resources. Then, enter the tag key and tag values in the Tag Key and Allowed Tag Values fields, respectively.
In the Policy Enforcement Mode section, select both Post-Event Detection and Pre-Event Interception, and then click Edit Supported Resource Types to add the target resource types.
- Add a tag when you create a resource.
- Console
When you create a resource in the console of an Alibaba Cloud service, add tags to the resource. For more information, see the documentation of the Alibaba Cloud service.
For example, when you create an ECS instance, you can add a tag to it. You can directly select a predefined tag key and a predefined tag value to add a predefined tag to the instance. For information about how to create an ECS instance, see Create an instance by using the wizard.
For example, for the tag key CostCenter, you can select Beijing or Shanghai from the drop-down list of tag values.
- API operation
When you create a resource by calling the related API operation of an Alibaba Cloud service, you can specify tags by using the related parameters to add tags to the resource. For more information, see the documentation of the Alibaba Cloud service.
For example, when you call the RunInstances operation to create an ECS instance, you can use the Tag request parameters to specify tags to be added to the instance.
Because a tag policy is configured in the previous step, the ECS instance fails to be created if no tags or non-compliant tags are added to the instance. The following figure shows the error message reported for the failure.
The console displays an "Order failed" pop-up window with the error message: "The request does not conform to the tag policy."
- Enable createdby tags to be automatically added when you create a resource
createdby tags can help you analyze costs and bills and manage the costs of cloud resources in an efficient manner. You can identify the creators of resources based on the createdby tags added to the resources. You can enable createdby tags based on your business requirements. After you enable createdby tags, the system automatically adds createdby tags to newly created resources. The tag key of createdby tags is acs:tag:createdby. The system does not add createdby tags to the resources that are created before you enable createdby tags. For more information, see Overview of createdby tags and Enable createdby tags.
createdby tags are system tags. You cannot manually add them to or remove them from resources. createdby tags are not included in the number of tags that can be added to a resource.
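The following is an added example, not part of the Alibaba Cloud documentation: a local pre-flight check that applies the CostCenter rule described under "Add compliant tags when you create a resource" to RunInstances-style Tag.N.Key / Tag.N.Value parameters before the request is sent. The POLICY dictionary, the function names, and the sample parameter sets are assumptions made for illustration; the tag policy remains the enforcement point.

```python
import re

# Hypothetical local mirror of the tag policy above: the key is required and
# only these exact (case-sensitive) values are allowed.
POLICY = {"CostCenter": ["Beijing", "Shanghai"]}

_TAG_PARAM = re.compile(r"^Tag\.(\d+)\.(Key|Value)$")


def parse_tag_params(params):
    """Collect Tag.N.Key / Tag.N.Value request parameters into {key: value}."""
    slots = {}
    for name, value in params.items():
        m = _TAG_PARAM.match(name)
        if m:
            slots.setdefault(int(m.group(1)), {})[m.group(2)] = value
    tags = {}
    for n in sorted(slots):
        slot = slots[n]
        if "Key" not in slot:
            raise ValueError(f"Tag.{n}.Value has no matching Tag.{n}.Key")
        if slot["Key"] in tags:
            raise ValueError(f"duplicate tag key {slot['Key']!r}")
        tags[slot["Key"]] = slot.get("Value", "")
    return tags


def check_tags(params, policy=POLICY):
    """Return a list of violations; an empty list means the request is compliant."""
    tags = parse_tag_params(params)
    violations = []
    for key, allowed in policy.items():
        if key not in tags:
            violations.append(f"missing required tag {key!r}")
        elif tags[key] not in allowed:
            # Values are compared exactly, so "beijing" does not match "Beijing".
            fix = [v for v in allowed if v.lower() == tags[key].lower()]
            hint = f"; did you mean {fix[0]!r}?" if fix else ""
            violations.append(
                f"{key}:{tags[key]} not in allowed values {allowed}{hint}")
    return violations


# Constructed RunInstances-style parameter sets (no real resource data).
SAMPLES = {
    "ok": {"InstanceType": "example-type",
           "Tag.1.Key": "CostCenter", "Tag.1.Value": "Shanghai"},
    "wrong_case": {"Tag.1.Key": "CostCenter", "Tag.1.Value": "beijing"},
    "not_allowed": {"Tag.1.Key": "CostCenter", "Tag.1.Value": "Shenzhen"},
    "untagged": {"InstanceType": "example-type"},
}
```

Running check_tags over a deployment template in CI surfaces the same three failure cases the tag policy would reject (wrong case, disallowed value, no tag) before any instance creation is attempted.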
Add tags to existing resources
Manually add tags
- Console
Apply tags to resources in the Tag console, the Resource Center console, or the console of the respective cloud service. The Tag console and Resource Center support applying tags to resources across services and regions in batches. The following steps describe how to use the Tag console. For more information, see Add predefined tags to existing resources.
On the Tags page of the Tag console, find the target tag key, such as CostCenter, and click Bind Resources next to the corresponding tag value or use the More Actions menu to bind the tag to resources.
- API operation
Call the TagResource operation provided by the Tag service or a tag-related operation provided by an Alibaba Cloud service to add tags to an existing resource. The TagResource operation allows you to add tags to multiple resources that belong to different services at a time.
Enable automatic tagging
- Tag inheritance of associated resources
Resource Management provides the tag inheritance feature for associated resources. When you manage the tags of a primary resource or establish relationships between the primary resource and other resources, this feature enables the associated resources of the primary resource to automatically inherit the tag changes that are made to the primary resource. This improves O&M efficiency and reduces tag management costs. For example, when you add a tag to or remove a tag from an ECS instance, the tag is automatically added to or removed from the cloud disks, elastic network interface (ENI), and elastic IP address (EIP) of the ECS instance. When you attach a cloud disk to the ECS instance, bind an ENI to the ECS instance, or associate an EIP with the ECS instance, the cloud disk, ENI, or EIP automatically inherits the tags of the ECS instance. For more information, see Tag inheritance of associated resources.
On the Tag Inheritance for Associated Resources page, in the Associated Resources Follow Tag Edits section, select the "Enable associated resources to follow tag edits. This creates a service-linked role named AliyunServiceRoleForTag." checkbox, and then click Enable and Set Rules.
- Tag policies
You can create a tag policy and select the desired scenario in the policy to implement automatic detection of non-compliant tags, automatic remediation of non-compliant tags, or automatic tag inheritance from resource groups.
| Policy scenario | Description |
| --- | --- |
| Add Tags with Specified Tag Values to Resources | In a tag policy, you can specify tags that must be added to resources. You can also enable features such as automatic detection and remediation for non-compliant tags based on the execution modes you specify for the tag policy. This improves tag management. |
| Match Tag Values with Specified Regular Expression | You can specify a regular expression in a tag policy to limit the format of tag values. Tag values that do not match the regular expression can be automatically remediated. |
| Automatically Inherit Tags for Resources from Resource Groups | After you add tags to a resource group, you can configure a tag policy to use the automatic tag inheritance feature. This feature allows resources that are added to or created in a resource group to automatically inherit the tags that are added to the resource group. This way, tags can be quickly added to all resources in the resource group at once. |
- CloudOps Orchestration Service (OOS)
You can use a public template provided by OOS to create an execution to add multiple tags to multiple resources at a time. For more information, see Use OOS to add multiple tags to resources at a time and Use OOS to add tags to multiple ECS instances at a time.
Stage 4: Use tags
- Search for resources.
You can add tags to resources and search by tag in the Resource Management console or by API. For more information, see Find resources using tags.
- Allocate costs.
Plan tags by dimension, such as region, department, environment, or project, then use Cost Analysis and Split Bill to manage costs. For more information, see Tag-based cost allocation.
- Automate O&M.
Tag resources by environment (production, test), OS (Windows, Linux), or platform (iOS, Android), then create a template in CloudOps Orchestration Service (OOS) to automate O&M. For more information, see Use tags for automated O&M.
- Control resource access.
Use tags with Resource Access Management (RAM) to control the access and operation permissions of RAM users on resources. For more information, see Use tags to control resource access.
How can tags be planned for multiple Alibaba Cloud accounts?
If your enterprise uses multiple Alibaba Cloud accounts, we recommend that you create a resource directory, add the accounts to the resource directory as members, and then use the Account Factory feature provided by Cloud Governance Center to create a predefined tag or enable createdby tags for multiple members in the resource directory at a time. This improves the efficiency of planning tags in multi-account scenarios. For more information, see Use Cloud Governance Center to enable createdby tags for multiple members in a resource directory at a time and Use Cloud Governance Center to create a predefined tag for multiple members in a resource directory at a time.