You can attach tags to ECS instances and configure a RAM custom policy so that specific RAM users can only view and manage the tagged instances.
Background
In a custom policy, authorized tags are specified in the condition block. The following condition keys apply to tags:
- acs:RequestTag/<tag-key>: A tag that must be present in the API request.
- acs:ResourceTag/<tag-key>: A tag that must be attached to the resource being accessed.
Procedure
In this example, a RAM user named Alice can view and manage only ECS instances that carry both the owner:alice and environment:production tags.
The authorization process does not affect ECS instances that are already running.
Perform these steps with your Alibaba Cloud account or a RAM user that has administrative permissions.
- Create a RAM user named Alice in the RAM console.
- Attach tags to the target ECS instances.
  Attach the owner:alice and environment:production tags to the target ECS instances. Use one of the following methods to attach tags:
  - Create and attach the tags in the Tag console. For more information, see Create a tag and Add tags.
  - Create and attach tags directly to your instances in the ECS console. For more information, see Create and attach tags.
- Create a custom policy named UseTagAccessRes in the RAM console.
  Create a policy with the following content. For more information, see Create a custom policy.
  {
    "Version": "1",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ecs:*",
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "acs:ResourceTag/owner": ["alice"],
            "acs:ResourceTag/environment": ["production"]
          }
        }
      },
      {
        "Effect": "Allow",
        "Action": "ecs:*",
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "acs:RequestTag/owner": ["alice"],
            "acs:RequestTag/environment": ["production"]
          }
        }
      },
      {
        "Effect": "Allow",
        "Action": [
          "ecs:List*",
          "ecs:DescribeInstanceStatus",
          "ecs:DescribeInstanceVncUrl",
          "ecs:DescribeInstanceAutoRenewAttribute",
          "ecs:DescribeInstanceRamRole",
          "ecs:DescribeInstanceTypeFamilies",
          "ecs:DescribeInstanceTypes",
          "ecs:DescribeInstanceAttachmentAttributes",
          "ecs:DescribeInstancesFullStatus",
          "ecs:DescribeInstanceHistoryEvents",
          "ecs:DescribeInstanceMonitorData",
          "ecs:DescribeInstanceMaintenanceAttributes",
          "ecs:DescribeInstanceModificationPrice",
          "ecs:DescribeA*",
          "ecs:DescribeC*",
          "ecs:DescribeD*",
          "ecs:DescribeE*",
          "ecs:DescribeH*",
          "ecs:DescribeIm*",
          "ecs:DescribeInv*",
          "ecs:DescribeK*",
          "ecs:DescribeL*",
          "ecs:DescribeM*",
          "ecs:DescribeN*",
          "ecs:DescribeP*",
          "ecs:DescribeR*",
          "ecs:DescribeS*",
          "ecs:DescribeT*",
          "ecs:DescribeZ*",
          "vpc:DescribeVpcs",
          "vpc:DescribeVSwitches"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Deny",
        "Action": [
          "ecs:DeleteTags",
          "ecs:UntagResources",
          "ecs:CreateTags",
          "ecs:TagResources"
        ],
        "Resource": "*"
      }
    ]
  }

  Policy description:

  Policy:
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/owner": "alice",
          "acs:RequestTag/environment": "production"
        }
      }
    }
  Description: Allows actions such as creating an instance only if the request includes both the owner:alice and environment:production tags.

  Policy:
    {
      "Effect": "Allow",
      "Action": "ecs:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/owner": ["alice"],
          "acs:ResourceTag/environment": ["production"]
        }
      }
    }
  Description: Allows management operations on ECS instances that carry both the owner:alice and environment:production tags.

  Policy:
    {
      "Effect": "Allow",
      "Action": [
        "ecs:List*",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeInstanceVncUrl",
        "ecs:DescribeInstanceAutoRenewAttribute",
        "ecs:DescribeInstanceRamRole",
        "ecs:DescribeInstanceTypeFamilies",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeInstanceAttachmentAttributes",
        "ecs:DescribeInstancesFullStatus",
        "ecs:DescribeInstanceHistoryEvents",
        "ecs:DescribeInstanceMonitorData",
        "ecs:DescribeInstanceMaintenanceAttributes",
        "ecs:DescribeInstanceModificationPrice",
        "ecs:DescribeA*",
        "ecs:DescribeC*",
        "ecs:DescribeD*",
        "ecs:DescribeE*",
        "ecs:DescribeH*",
        "ecs:DescribeIm*",
        "ecs:DescribeInv*",
        "ecs:DescribeK*",
        "ecs:DescribeL*",
        "ecs:DescribeM*",
        "ecs:DescribeN*",
        "ecs:DescribeP*",
        "ecs:DescribeR*",
        "ecs:DescribeS*",
        "ecs:DescribeT*",
        "ecs:DescribeZ*",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches"
      ],
      "Resource": "*"
    }
  Description: Grants permissions to list and describe ECS instances. The console requires these permissions to display instance information before tag-based filters are applied.

  Policy:
    {
      "Effect": "Deny",
      "Action": [
        "ecs:DeleteTags",
        "ecs:UntagResources",
        "ecs:CreateTags",
        "ecs:TagResources"
      ],
      "Resource": "*"
    }
  Description: Denies permissions to create, attach, detach, or delete tags. This prevents the RAM user from bypassing access restrictions by modifying tags.
- Attach the UseTagAccessRes policy to the RAM user Alice in the RAM console.
  When you grant the permission, set Account to Account, select the RAM user Alice as the Principal, and choose the custom policy UseTagAccessRes. For more information, see Grant permissions to a RAM user.
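As an added example (not part of the Alibaba Cloud documentation and not the RAM engine itself), the following Python script simulates how the UseTagAccessRes policy above evaluates against constructed requests. It embeds the policy verbatim, models only the StringEquals operator and the acs:RequestTag/ and acs:ResourceTag/ condition keys described under Background, applies the rule that an explicit Deny overrides any Allow and that no matching Allow is an implicit Deny, and then checks the behaviour the procedure is meant to produce: Alice can stop her own fully tagged instance but not Bob's or a half-tagged one, can create an instance only when both tags are in the request, can call an unconditioned Describe action, and cannot retag even her own instances. The evaluator, the scenario names and the tag values on Bob's and the half-tagged instance are assumptions made for illustration.

```python
"""Offline simulator for the tag conditions in the UseTagAccessRes policy."""
from fnmatch import fnmatchcase

# The policy from the page, embedded as a dict so the example runs offline.
USE_TAG_ACCESS_RES = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
         "Condition": {"StringEquals": {
             "acs:ResourceTag/owner": ["alice"],
             "acs:ResourceTag/environment": ["production"]}}},
        {"Effect": "Allow", "Action": "ecs:*", "Resource": "*",
         "Condition": {"StringEquals": {
             "acs:RequestTag/owner": ["alice"],
             "acs:RequestTag/environment": ["production"]}}},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ecs:List*", "ecs:DescribeInstanceStatus", "ecs:DescribeInstanceVncUrl",
            "ecs:DescribeInstanceAutoRenewAttribute", "ecs:DescribeInstanceRamRole",
            "ecs:DescribeInstanceTypeFamilies", "ecs:DescribeInstanceTypes",
            "ecs:DescribeInstanceAttachmentAttributes", "ecs:DescribeInstancesFullStatus",
            "ecs:DescribeInstanceHistoryEvents", "ecs:DescribeInstanceMonitorData",
            "ecs:DescribeInstanceMaintenanceAttributes", "ecs:DescribeInstanceModificationPrice",
            "ecs:DescribeA*", "ecs:DescribeC*", "ecs:DescribeD*", "ecs:DescribeE*",
            "ecs:DescribeH*", "ecs:DescribeIm*", "ecs:DescribeInv*", "ecs:DescribeK*",
            "ecs:DescribeL*", "ecs:DescribeM*", "ecs:DescribeN*", "ecs:DescribeP*",
            "ecs:DescribeR*", "ecs:DescribeS*", "ecs:DescribeT*", "ecs:DescribeZ*",
            "vpc:DescribeVpcs", "vpc:DescribeVSwitches"]},
        {"Effect": "Deny", "Resource": "*", "Action": [
            "ecs:DeleteTags", "ecs:UntagResources", "ecs:CreateTags", "ecs:TagResources"]},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    """Glob-match the requested action against the statement's Action patterns."""
    return any(fnmatchcase(action, pattern) for pattern in _as_list(statement["Action"]))


def _condition_holds(condition, request_tags, resource_tags):
    """Evaluate a StringEquals block over acs:RequestTag/ and acs:ResourceTag/ keys.

    Assumption for this simulator: only StringEquals is modelled, and a tag key
    that is absent from the request or the resource never satisfies the condition.
    """
    for key, allowed in condition.get("StringEquals", {}).items():
        if key.startswith("acs:RequestTag/"):
            actual = request_tags.get(key[len("acs:RequestTag/"):])
        elif key.startswith("acs:ResourceTag/"):
            actual = resource_tags.get(key[len("acs:ResourceTag/"):])
        else:
            return False  # unknown condition key: treat as not satisfied
        if actual is None or actual not in _as_list(allowed):
            return False
    return True


def evaluate(policy, action, request_tags=None, resource_tags=None):
    """Return "Allow" or "Deny" for one request.

    An explicit Deny whose action and condition match wins immediately; otherwise
    the request is allowed only if some Allow statement matches (implicit deny).
    """
    request_tags = request_tags or {}
    resource_tags = resource_tags or {}
    allowed = False
    for statement in policy["Statement"]:
        if not _action_matches(statement, action):
            continue
        if not _condition_holds(statement.get("Condition", {}), request_tags, resource_tags):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


# Constructed scenario inputs: Alice's tags as given on the page; the other tag
# sets are made up here to exercise the negative cases.
ALICE_TAGS = {"owner": "alice", "environment": "production"}


def run_scenarios(policy=USE_TAG_ACCESS_RES):
    """Exercise each statement of the policy with constructed requests."""
    return {
        "stop_own_instance": evaluate(policy, "ecs:StopInstance", resource_tags=ALICE_TAGS),
        "stop_bobs_instance": evaluate(policy, "ecs:StopInstance",
                                       resource_tags={"owner": "bob", "environment": "production"}),
        "stop_half_tagged": evaluate(policy, "ecs:StopInstance", resource_tags={"owner": "alice"}),
        "create_with_tags": evaluate(policy, "ecs:RunInstances", request_tags=ALICE_TAGS),
        "create_without_tags": evaluate(policy, "ecs:RunInstances"),
        "describe_status": evaluate(policy, "ecs:DescribeInstanceStatus"),
        # Both Allow statements match here, but the explicit Deny on tagging wins.
        "retag_own_instance": evaluate(policy, "ecs:TagResources",
                                       request_tags=ALICE_TAGS, resource_tags=ALICE_TAGS),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:22s} -> {decision}")
```

The last scenario is the one worth keeping in mind when reviewing a policy like this: without the final Deny statement, the two Allow statements on ecs:* would let the user call ecs:TagResources on an instance she already controls, or include the required tags in a tagging request, and so widen the set of resources the ResourceTag condition matches. Running the script with that statement removed changes retag_own_instance to Allow.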
Result verification
- Log in to the ECS console as the RAM user Alice.
- In the left-side navigation pane, choose .
- In the upper-left corner of the top navigation bar, select the region.
- On the Instance page, click Filter by Tag next to the search bar and select the owner:alice and environment:production tags.
  Important: The RAM user must filter by the correct tags to view the tagged ECS instances. Otherwise, no instances are displayed.
- Verify that you can view and manage only the ECS instances that have both the owner:alice and environment:production tags.
References
RAM authorization describes the RAM authentication rules for ECS.