Elastic Compute Service:Control access to resources by using tags

Last updated: Mar 29, 2024

If you want to control access to multiple cloud resources, you can use tags to categorize the resources and simplify permission management. After you add tags to cloud resources, you can grant a Resource Access Management (RAM) user permissions only on the resources that carry the specified tags. This topic describes how to attach a policy to a RAM user so that tags control which ECS instances the RAM user can access.

Prerequisites

A RAM user is created by using your Alibaba Cloud account. For more information, see Create a RAM user.

Background information

Tags are used to identify cloud resources. You can use tags to categorize, search for, and group cloud resources that have the same characteristics. This simplifies resource management. You can add multiple tags to a cloud resource. For more information about tags, see Overview.

Alibaba Cloud implements policy-based access control. You can configure policies in RAM based on the roles and responsibilities of users. You can reference multiple tags in each policy and attach one or more policies to RAM users or RAM user groups. Together, custom policies and tags let you control which resources RAM users can access.

You can add tags to resources of ECS and other Alibaba Cloud services. By default, all resources within the current region are displayed in the resource list. If you want to restrict which resources are accessible to RAM users, use custom policies with tag conditions.

Step 1: Create a policy in RAM by using your Alibaba Cloud account and attach the policy to a RAM user

This section describes how to use an Alibaba Cloud account to create a custom policy that contains specific tags and attach this policy to a RAM user. In the example, the UseTagAccessRes custom policy, the userTest RAM user, and the owner:zhangsan and environment:production tags are used.

  1. Log on to the RAM console by using an Alibaba Cloud account.

  2. Create the UseTagAccessRes custom policy. For more information, see Create custom policies.

    The following policy document shows how to reference multiple tags in a policy:

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ecs:*",
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "ecs:tag/owner": "zhangsan",
                        "ecs:tag/environment": "production"
                    }
                }
            },
            {
                "Action": [
                    "ecs:DescribeTagKeys",
                    "ecs:DescribeTags"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ecs:DeleteTags",
                    "ecs:UntagResources",
                    "ecs:CreateTags",
                    "ecs:TagResources"
                ],
                "Resource": "*"
            }
        ],
        "Version": "1"
    }

    The policy consists of three statements:

    Policy: Grants access permissions on the resources to which specific tags are added
    Policy content:
      • "ecs:tag/owner": "zhangsan"
      • "ecs:tag/environment": "production"
    Description: This statement allows access only to resources that carry the specified tags.

    Policy: Grants the permissions to query tags
    Policy content:
      • ecs:DescribeTagKeys
      • ecs:DescribeTags
    Description: This statement allows the RAM user to query tags in the ECS console.

    Policy: Prohibits calls to the API operations that manage tags
    Policy content:
      • ecs:DeleteTags
      • ecs:UntagResources
      • ecs:CreateTags
      • ecs:TagResources
    Description: This statement denies the API operations that add or remove tags, so that the permissions granted by the tag condition cannot be changed through tag modifications.
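    The following Python script is an added example, not part of this topic or of any Alibaba Cloud SDK. It embeds the UseTagAccessRes policy shown above and models how RAM combines its three statements for a request: all keys in one StringEquals block must match the resource's tags (AND), an explicit Deny overrides any Allow, and a request that no statement allows is denied. The sample instances, their tags, and the simplified evaluation (only StringEquals on ecs:tag/ keys, Resource "*" everywhere) are constructed for illustration; the real decision is made by RAM and ECS, and list operations in the console behave as described in Step 3.

```python
import fnmatch
import json

# The UseTagAccessRes custom policy from this topic, embedded verbatim.
USE_TAG_ACCESS_RES = json.loads("""
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ecs:tag/owner": "zhangsan",
                    "ecs:tag/environment": "production"
                }
            }
        },
        {
            "Action": ["ecs:DescribeTagKeys", "ecs:DescribeTags"],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": ["ecs:DeleteTags", "ecs:UntagResources",
                       "ecs:CreateTags", "ecs:TagResources"],
            "Resource": "*"
        }
    ],
    "Version": "1"
}
""")

# Constructed sample instances with the tags they would carry after Step 2.
INSTANCES = {
    "i-prod-zhangsan": {"owner": "zhangsan", "environment": "production"},
    "i-prod-lisi": {"owner": "lisi", "environment": "production"},
    "i-untagged": {},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    # RAM action patterns may contain '*' wildcards, e.g. "ecs:*".
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))


def _condition_holds(condition, resource_tags):
    """Simplified model: only StringEquals on ecs:tag/<key> is supported.
    Every key in the block must match (AND); a list of values for one key is OR."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for cond_key, expected in pairs.items():
            if not cond_key.startswith("ecs:tag/"):
                raise NotImplementedError(f"condition key {cond_key} not modelled")
            tag_key = cond_key[len("ecs:tag/"):]
            if resource_tags.get(tag_key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource_tags):
    """Return "Allow" or "Deny" for one action against one resource.
    Explicit Deny wins over Allow; no matching Allow means implicit Deny.
    Resource matching is omitted because every statement here uses "*"."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def decisions():
    """Evaluate a set of sample requests; the action names are real ECS API names."""
    requests = [
        ("ecs:DescribeInstances", "i-prod-zhangsan"),  # both tags match -> Allow
        ("ecs:StopInstance", "i-prod-zhangsan"),       # ecs:* covers it  -> Allow
        ("ecs:DescribeInstances", "i-prod-lisi"),      # owner differs    -> Deny
        ("ecs:StopInstance", "i-untagged"),            # no tags          -> Deny
        ("ecs:DescribeTags", "i-untagged"),            # unconditional    -> Allow
        ("ecs:TagResources", "i-prod-zhangsan"),       # explicit Deny    -> Deny
    ]
    return {(a, r): evaluate(USE_TAG_ACCESS_RES, a, INSTANCES[r]) for a, r in requests}


if __name__ == "__main__":
    for (action, resource), verdict in decisions().items():
        print(f"{action:24} {resource:16} {verdict}")
```

    The last request shows why the Deny statement matters: without it, "ecs:*" would allow the RAM user to call ecs:TagResources on the tagged instances and rewrite the very tags that the Allow condition depends on.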

  3. Attach the custom policy to the RAM user or RAM user group for which you want to control access.

    For more information, see Grant permissions to a RAM role. In this step, attach the UseTagAccessRes policy to the RAM user userTest.

    Note

    If you attach the UseTagAccessRes policy to an existing RAM user, note that other policies already attached to that user may grant permissions that are not limited by the tag condition, which can lead to unexpected permissions.

Step 2: Add tags to existing resources by using your Alibaba Cloud account

You can add tags to existing resources to control access to them. This section describes how to use an Alibaba Cloud account to add tags to existing ECS instances.

Note

If you have no existing instances, create an instance first. For more information, see Creation methods.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, click Tags.

  3. On the Tags page, click Create Custom Tags. In the Create Custom Tags dialog box, create the owner:zhangsan and environment:production tags and add them to existing ECS instances. For more information about how to add a tag to a resource, see Create or add a tag.

Step 3: Access resources to which tags are added by using the RAM user

Use the userTest RAM user, to which the UseTagAccessRes policy is attached, to log on to the ECS console and access the instances to which the tags are added.

Note

You can add tags to the following types of resources: instances, Elastic Block Storage (EBS) devices, and snapshots. For more information, see ECS resources that support tags. In this example, ECS instances are used.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select a region. No instances are displayed on the Instances page until you filter by tag.

  4. Specify the owner:zhangsan and environment:production tags as filters to view the resources that the RAM user is allowed to access.


References

  • You can add multiple tags to an ECS resource. For more information, see Create or add a tag.

  • You can remove or delete the tags that you no longer use. For more information, see Remove or delete a tag.

  • You can also use resource groups to group cloud resources based on usage, permissions, and ownership, so that you can manage the resources in a hierarchical manner for various users and projects. For more information, see Resource Group overview or Resource groups.