All Products
Search
Document Center

Resource Management:Tag policy syntax

Last Updated:Jun 10, 2026

Tag policies use JSON syntax with inheritance operators to enforce tagging rules across your resource hierarchy.

Syntax

Tag policies use JSON format. The syntax varies by scenario.

Add tags with specific values to resources

This policy type starts with tags.

Element

Required

Description

Example

Policy key

Yes

Uniquely identifies a statement. Must be lowercase. Multiple policy keys allowed per policy. Case-insensitive match with tag keys.

color

Tag key

Yes

Specified by tag_key. Case-sensitive.

COLER

Tag value

Yes

Specified by tag_value. Use an asterisk (*) to match any value.

red, green, and grey

Resource type scope

No

Use resource_type_scope to specify the resource types for which the policy takes effect. Defaults to all resource types that support tag policies.

ecs:instance

Region scope

No

Use region_scope to specify the regions in which the policy takes effect. Defaults to all regions.

cn-hangzhou

Resource group scope

No

Use rg_scope to specify the resource groups for which the policy takes effect. Defaults to all resource groups.

rg-xxxx

Pre-event interception

No

Use enforced_for to specify resource types for pre-event interception. Disabled by default.

ecs:instance

Automatic remediation

No

Use tag_value_correction to enable automatic remediation for non-compliant resources. Disabled by default.

{
	"red": {
		"value_type": "Tag",
		"value_scope": {
			"acs:rm:rgId": "rg-xx1"
		}
	}
}

Inheritance operator

Yes

Aggregates attached and inherited tag policies to compute the effective policy for the object.

Inheritance operators

Sample code:

{
    "tags": {
        "color": {
            "tag_key": {
                "@@operators_allowed_for_child_policies": [
                    "@@none"
                ],
                "@@assign": "COLER"
            },
            "tag_value": {
                "@@operators_allowed_for_child_policies": [
                    "@@append"
                ],
                "@@assign": [
                    "red",
                    "green",
                    "grey"
                ]
            },
          	"resource_type_scope": {
              "@@operators_allowed_for_child_policies": [
                    "@@append"
                ],
                "@@assign": [
                    "ecs:instance"
                ]
            },
          	"region_scope": {
              "@@operators_allowed_for_child_policies": [
                    "@@append"
                ],
                "@@assign": [
                    "cn-hangzhou"
                ]
            },
          	"rg_scope": {
              "@@operators_allowed_for_child_policies": [
                    "@@append"
                ],
                "@@assign": [
                    "rg-xxxx"
                ]
            },
            "enforced_for": {
              "@@operators_allowed_for_child_policies": [
                    "@@remove"
                ],
                "@@assign": [
                    "ecs:instance"
                ]
            },
            "tag_value_correction": {
                "@@operators_allowed_for_child_policies": [
                    "@@none"
                ],
                "@@assign": {
                    "red": {
                        "value_type": "Tag",
                        "value_scope": {
                            "acs:rm:rgId": "rg-xx1"
                        }
                    },
                    "green": {
                        "value_type": "Tag",
                        "value_scope": {
                            "k1": "v2"
                        }
                    },
                    "grey": {
                        "value_type": "Tag",
                        "value_scope": {
                            "k111": "v222"
                        }
                    }
                }
            }
        }
    }
}

Automatic tag inheritance from resource groups

This policy type starts with rg_inherit.

Element

Required

Description

Example

Policy key

Yes

Uniquely identifies a statement. Must be lowercase. Multiple policy keys allowed per policy. Case-insensitive match with tag keys.

color

Tag key

Yes

Specified by tag_key. Case-sensitive.

COLER

Resource type scope

No

Use resource_type_scope to specify the resource types for which the policy takes effect. Defaults to all resource types that support tag policies.

ecs:instance

Region scope

No

Use region_scope to specify the regions in which the policy takes effect. Defaults to all regions.

cn-hangzhou

Resource group scope

No

Use rg_scope to specify the resource groups for which the policy takes effect. Defaults to all resource groups.

rg-xxxx

Inheritance operator

Yes

Aggregates attached and inherited tag policies to compute the effective policy for the object.

Inheritance operators

Sample code:

{
    "rg_inherit": {
        "color": {
            "tag_key": {
                "@@operators_allowed_for_child_policies": [
                    "@@none"
                ],
                "@@assign": "COLER"
            },
          	"resource_type_scope": {
              "@@operators_allowed_for_child_policies": [
                    "@@append"
                ],
                "@@assign": [
                    "ecs:instance"
                ]
            },
          	"region_scope": {
              "@@operators_allowed_for_child_policies": [
                    "@@append"
                ],
                "@@assign": [
                    "cn-hangzhou"
                ]
            },
          	"rg_scope": {
              "@@operators_allowed_for_child_policies": [
                    "@@append"
                ],
                "@@assign": [
                    "rg-xxxx"
                ]
            }
        }
    }
}

Match tag values against a regular expression

This policy type starts with matched_tags.

Element

Required

Description

Example

Policy key

Yes

Uniquely identifies a statement. Must be lowercase. Multiple policy keys allowed per policy. Case-insensitive match with tag keys.

number

Tag key

Yes

Specified by tag_key. Case-sensitive.

NUMBER

Tag value

Yes

Specified by tag_value as a regular expression.

^[0-9]+$

Resource type scope

No

Use resource_type_scope to specify the resource types for which the policy takes effect. Defaults to all resource types that support tag policies.

ecs:instance

Region scope

No

Use region_scope to specify the regions in which the policy takes effect. Defaults to all regions.

cn-hangzhou

Resource group scope

No

Use rg_scope to specify the resource groups for which the policy takes effect. Defaults to all resource groups.

rg-xxxx

Automatic remediation

No

Use tag_value_correction to enable automatic remediation for non-compliant resources. Disabled by default.

{
	"1": {
		"value_type": "Tag",
		"value_scope": {
			"acs:rm:rgId": "rg-xx1"
		}
	}
}

Inheritance operator

Yes

Aggregates attached and inherited tag policies to compute the effective policy for the object.

Inheritance operators

{
    "matched_tags": {
        "number": {
            "tag_key": {
                "@@operators_allowed_for_child_policies": [
                    "@@none"
                ],
                "@@assign": "NUMBER"
            },
            "tag_value": {
                "@@operators_allowed_for_child_policies": [
                    "@@assign"
                ],
                "@@assign": [
                    "^[0-9]+$"
                ]
            },
          	"resource_type_scope": {
              "@@operators_allowed_for_child_policies": [
                    "@@append"
                ],
                "@@assign": [
                    "ecs:instance"
                ]
            },
          	"region_scope": {
              "@@operators_allowed_for_child_policies": [
                    "@@append"
                ],
                "@@assign": [
                    "cn-hangzhou"
                ]
            },
          	"rg_scope": {
              "@@operators_allowed_for_child_policies": [
                    "@@append"
                ],
                "@@assign": [
                    "rg-xxxx"
                ]
            },
            "tag_value_correction": {
                "@@operators_allowed_for_child_policies": [
                    "@@none"
                ],
                "@@assign": {
                    "1": {
                        "value_type": "Tag",
                        "value_scope": {
                            "acs:rm:rgId": "rg-xx1"
                        }
                    },
                    "2": {
                        "value_type": "Tag",
                        "value_scope": {
                            "k1": "v2"
                        }
                    },
                    "3": {
                        "value_type": "Tag",
                        "value_scope": {
                            "k111": "v222"
                        }
                    }
                }
            }
        }
    }
}

Inheritance operators

Inheritance operators aggregate attached and inherited tag policies to compute the effective policy for an object. They fall into two categories: value-setting operators and child control operators.

Note

In the Quick Mode of the console, only the @@assign operator is supported. Use JSON mode for other operators.

  • Value-setting operators

    Operator

    Description

    @@assign

    Overwrites conflicting settings.

    • When a setting in an attached policy conflicts with the inherited policy, the attached policy takes precedence.

    • When multiple @@assign settings in attached policies conflict, the first-attached policy takes precedence.

    @@append

    Appends the attached policy's setting to the inherited policy. Only applicable when multiple tag values are specified for a tag key.

    @@remove

    Removes the specified setting from the inherited policy. Only applicable when multiple tag values are specified for a tag key.

  • Child control operators

    Child control operators limit which value-setting operators child policies can use. By default, all value-setting operators are allowed.

    Operator

    Description

    "@@operators_allowed_for_child_policies":["@@all"]

    Allows all value-setting operators in child policies attached to subfolders and members. This is the default behavior.

    "@@operators_allowed_for_child_policies":["@@assign"

    Restricts child policies to the specified value-setting operators only. You can list one or more operators.

    "@@operators_allowed_for_child_policies":["@@none"]

    Blocks all value-setting operators in child policies. Locks the parent policy settings so they serve as the effective policy.

References