
Resource Management: Use tags to control resource access

Last Updated: Jun 20, 2026

You can use tags with Resource Access Management (RAM) to enable fine-grained access control. After you attach tags to your resources, you can create a custom policy in RAM that requires specific tags for access. Attaching this policy to a RAM identity, such as a RAM user or a RAM role, restricts that identity's access to only resources with the specified tags. This method is flexible and scalable. When you add new resources, you only need to apply the correct tags instead of changing multiple policies. This topic uses a RAM user to demonstrate this process.

Resource types that support tag-based authorization

To see which resource types support tag-based authorization, log on to the Tag Console. On the Resource Types Supported by Tag page, check the Tag-based Authorization column.

How it works

The following figure shows how to use tags to control a RAM user's permissions.

[Figure: using tags to control a RAM user's permissions]

In a custom policy, you use Conditions to specify authorized tags. The following Conditions are supported for tags:

| Condition | Description |
| --- | --- |
| acs:RequestTag/<tag-key> | Specifies a tag that must be included in the request. The <tag-key> placeholder represents the actual tag key. |
| acs:ResourceTag/<tag-key> | Specifies a tag that must be attached to the resource being accessed. The <tag-key> placeholder represents the actual tag key. |

Procedure

  1. Create and attach tags.

    Create and attach tags to resources in the Tag Console, Resource Center console, or the console of a specific cloud service. For instructions, see Create a tag and Attach tags to resources.

  2. Create a custom policy.

    In the RAM console, create a custom policy and configure the tag-based authorization conditions in the Condition element. For details, see Create a custom policy.

    For example, the following policy allows a user to perform all management operations on ECS instances that have both the owner:alice and environment:production tags.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ecs:*",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "acs:ResourceTag/owner": [
                "alice"
              ],
              "acs:ResourceTag/environment": [
                "production"
              ]
            }
          }
        }
      ]
    }

  3. Create a RAM user and grant permissions.

    In the RAM console, create a RAM user and attach the custom policy to it. For instructions, see Create a RAM user and Grant permissions to a RAM user.
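
To make the Condition semantics of the step 2 policy concrete, the following Python sketch is an added example, not Alibaba Cloud code and not RAM's actual evaluation engine. It models only Allow statements with StringEquals on the two tag condition keys listed above; the instance IDs, tags, and function names are constructed for illustration.

```python
import json

# The page's policy statement in the standard RAM Version/Statement envelope.
POLICY = json.loads("""
{"Version": "1", "Statement": [{
  "Effect": "Allow", "Action": "ecs:*", "Resource": "*",
  "Condition": {"StringEquals": {
    "acs:ResourceTag/owner": ["alice"],
    "acs:ResourceTag/environment": ["production"]}}
}]}
""")

# Constructed sample instances (hypothetical IDs and tags).
INSTANCES = {
    "i-example-prod": {"owner": "alice", "environment": "production"},
    "i-example-test": {"owner": "alice", "environment": "test"},
    "i-example-untagged": {},
}


def condition_matches(condition, resource_tags, request_tags):
    """Every condition key must match (AND); any listed value may match (OR)."""
    sources = {"acs:ResourceTag": resource_tags, "acs:RequestTag": request_tags}
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator not modelled here: {operator}")
        for cond_key, allowed in keys.items():
            prefix, _, tag_key = cond_key.partition("/")
            source = sources[prefix]  # KeyError for condition keys not modelled here
            allowed = [allowed] if isinstance(allowed, str) else allowed
            # A missing tag never matches; StringEquals is case-sensitive.
            if source.get(tag_key) not in allowed:
                return False
    return True


def is_allowed(policy, action, resource_tags, request_tags=None):
    """Simplified: Allow statements only; Deny and Resource matching are not modelled."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        covered = any(a in ("*", action, action.split(":")[0] + ":*") for a in actions)
        if stmt["Effect"] == "Allow" and covered and condition_matches(
                stmt.get("Condition", {}), resource_tags, request_tags or {}):
            return True
    return False  # implicit deny


if __name__ == "__main__":
    for instance_id, tags in INSTANCES.items():
        print(instance_id, is_allowed(POLICY, "ecs:StopInstance", tags))
```

Only the instance carrying both tags is allowed. An instance with a single matching tag, a differently cased value, or no tags at all falls through to the implicit deny.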

Best practices

| Cloud service | Tag authorization example |
| --- | --- |
| ECS | |
| ECI | Use tags to authorize a RAM user |
| Auto Scaling (ESS) | Use tags to configure management permissions for scaling groups |
| SMC | Use tags to implement fine-grained access control |
| ApsaraDB RDS | Use tags to authorize groups of ApsaraDB RDS instances |