Policy Syntax
Last updated: 2025-01-02 14:54:12
A policy is composed of several sub-statements. Each sub-statement contains the following elements: policy_key, tag_key, tag_value, effective scope, etc.

Syntax Format

The policy syntax is based on the JSON format. If a created or updated policy does not meet the JSON format requirement, it cannot be successfully submitted and cannot take effect. Therefore, you must ensure that the JSON format is correct.

Syntax Conventions

The following is the general syntax of tag policies:
Specified Value:

{
    "tags": {
        "Principal (Person in Charge)": {
            "tag_key": {"@@assign": "principal"},
            "tag_value": {"@@assign": ["name 1"]},
            "resource_type_scope": {"@@assign": ["ecs:instance", "ecs:disk"]},
            "detection": "on", // Detection is a system feature which is enabled by default. It detects whether the tag values are compliant for the specified tag keys of resources. It is not shown in JSON by default.
            "correction": {"@@assign": "on"}, // Auto correction. It can be enabled when one value is specified, but multiple specified values cannot be automatically corrected.
            "auto_assign": {"@@assign": "on"}, // Auto assignment - tag key
            "enforced_for": {"@@assign": ["*"]}, // Forcible execution. It intercepts tag binding when the value is not "value name 1", and binding another value is not allowed.
            "auto_assign_value": {"@@assign": "on"} // Auto assignment - tag value
        }
    }
}

Dynamic Value:

{
    "tags": {
        "Principal (Person in Charge)": {
            "tag_key": {"@@assign": "principal"},
            "tag_value_dynamic": {"@@assign": "on"}, // The dynamic value is enabled. The value is determined based on the value of the tag key of the same name bound by the sub-user in CAM.
            "resource_type_scope": {"@@assign": ["ecs:instance", "ecs:disk"]},
            "detection": "on", // Detection is a system feature which is enabled by default. It detects whether the tag values are compliant for the specified tag keys of resources. It is not shown in JSON by default.
            "correction": {"@@assign": "on"}, // Auto correction. It can be enabled when there is only one dynamic value.
            "auto_assign": {"@@assign": "on"}, // Auto assignment - tag key
            "enforced_for": {"@@assign": ["*"]}, // Forcible execution. It intercepts tag binding when the value is not "value name 1", and binding another value is not allowed.
            "auto_assign_value": {"@@assign": "on"} // Auto assignment - tag value
        }
    }
}

Elements

| Element | Required | Description | Description in above example |
|---|---|---|---|
| tags | Yes | A tag policy always starts with tags. tags is fixed and is always on the first line of a tag policy. | tags, which is fixed |
| policy_key | Yes | Tag key, which identifies a compliant tag key and takes the same value as the policy key. Tag keys are case sensitive. You can define multiple tag keys in a tag policy. | principal is the tag key. |
| tag_key | Yes | Tag key, which identifies a compliant tag key and takes the same value as the policy key (case-sensitive). You can define multiple tag keys in a tag policy. | principal |
| tag_value | Yes | Tag value, which identifies a compliant tag value. | The tag value is set to name 1, which is a valid value for principal. |
| resource_type_scope | Yes | The effective scope of resource types for the tag key-value pair. | The effective scope is limited to ecs:instance and ecs:disk. |
| detection | Yes | Detection is a system feature that is enabled by default. | on enables the detection feature within the resource scope where the tag key-value pair takes effect. |
| correction | No | Whether to enable automatic repair (auto correction). Acts as a switch for whether the tag key-value pair needs automatic repair. | on enables the automatic repair feature within the resource scope where the tag key-value pair takes effect. |
| auto_assign | No | Whether to enable auto-fill for the tag key. Indicates whether the tag key is displayed by default in the Edit Tag position. | on enables the auto-fill feature within the resource scope where the tag key takes effect. |
| auto_assign_value | No | Whether to enable auto-fill for the tag value. Indicates whether the tag value is displayed by default in the Edit Tag position. | on enables the auto-assignment feature within the resource scope where the tag value takes effect. |
| enforced_for | No | Whether to enable forcible execution. Indicates whether to block binding of non-compliant tag key-value pairs. | * enables the forcible execution feature for all resources with the tag key-value pair. |
| tag_deletion_disable | No | Whether to gray out 'Tag Deletion'. After it is enabled, users cannot delete the tag key and must select a value. | on grays out 'Tag Deletion' within the resource scope where the tag key takes effect. |

Policy Length Limit

Each policy is limited to 4096 characters. A policy that exceeds this limit cannot be submitted. If the limit is exceeded, add a new policy; see Use Limits in the Overview.
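
A pre-submission check for the syntax rules above, as an added example that is not Tencent Cloud's own code. It assumes the 4096-character limit is counted over the submitted JSON text and that either tag_value or tag_value_dynamic satisfies the tag value requirement; the function names and the sample policy are constructed for illustration.

```python
import json

MAX_POLICY_CHARS = 4096  # per-policy limit stated on the page

def assigned(stmt, name):
    """Return the value under @@assign for an element, or None."""
    value = stmt.get(name)
    return value.get("@@assign") if isinstance(value, dict) else None

def lint_tag_policy(text):
    """Return a list of problems found in one tag policy (JSON text)."""
    if len(text) > MAX_POLICY_CHARS:  # assumption: counted over the submitted text
        return [f"{len(text)} characters exceeds the {MAX_POLICY_CHARS} limit"]
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:  # e.g. // comments copied from the docs
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    tags = doc.get("tags") if isinstance(doc, dict) else None
    if not isinstance(tags, dict):
        return ['policy must start with a "tags" object']
    problems = []
    for key, stmt in tags.items():
        if not isinstance(stmt, dict):
            problems.append(f"{key}: statement must be an object")
            continue
        for name, value in stmt.items():
            # "detection" is system-set; the page shows it as a bare "on".
            if name != "detection" and not (isinstance(value, dict) and set(value) == {"@@assign"}):
                problems.append(f"{key}.{name}: value must use the @@assign operator")
        for name in ("tag_key", "resource_type_scope"):
            if assigned(stmt, name) is None:
                problems.append(f"{key}: missing required element {name}")
        values = assigned(stmt, "tag_value")
        if values is None and assigned(stmt, "tag_value_dynamic") != "on":
            problems.append(f"{key}: needs tag_value or tag_value_dynamic")
        if assigned(stmt, "correction") == "on" and isinstance(values, list) and len(values) > 1:
            problems.append(f"{key}: correction cannot be on with multiple tag values")
    return problems

# Constructed sample: two allowed values with auto correction switched on.
SAMPLE = json.dumps({"tags": {"Principal": {
    "tag_key": {"@@assign": "principal"},
    "tag_value": {"@@assign": ["name 1", "name 2"]},
    "resource_type_scope": {"@@assign": ["ecs:instance", "ecs:disk"]},
    "correction": {"@@assign": "on"},
}}})

if __name__ == "__main__":
    for problem in lint_tag_policy(SAMPLE):
        print(problem)
```

The annotated listings under Syntax Conventions carry // comments for explanation, so pasting them unchanged fails the JSON check; strip the comments before submitting.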




Syntax Effective Rules

Object

You can bind a tag policy to multiple user entities (such as the root account and sub-users under the root account), but it will only be valid for the bound user.
When you bind a tag policy to the root account, it will only affect that root account.
When you bind a tag policy to a sub-user, it will only affect that sub-user.

Effective Time

When resource tags are operated on, the effective object checks in real time, according to the tag policy, whether the resources are bound to the corresponding key-value pair. The latency of this process is within 10 seconds.

Priority

You can bind multiple tag policies to a user entity, but multiple tag policies will be merged into one valid policy. The merging rules are as follows:
1. If the policy keys are different, all of them are used. However, the total number of policy keys in a valid policy cannot exceed 50; policy keys beyond that limit are not merged.
2. If the policy keys are the same and the tag value rules defined for that policy key differ, the tag policy bound first prevails. For example, Policy A requires value = 1 for key = 1, but Policy B requires value = 2 for key = 1. Policy A prevails if it is bound to the user first.
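
The merging rules above, modelled as an added example (not Tencent Cloud's implementation) so that a conflicting or dropped rule can be spotted before a policy is bound. It assumes policies are processed in binding order and that policy keys are counted toward the limit of 50 in that order; the function name, return shape and sample policies are constructed.

```python
MAX_POLICY_KEYS = 50  # limit on policy keys in the valid (merged) policy

def merge_tag_policies(bound_policies):
    """Merge (name, policy) pairs given in binding order, earliest first.

    Returns (effective, shadowed, dropped):
      effective: policy key -> {"source": policy name, "statement": rule}
      shadowed:  (policy, key, winner) where a later, different rule lost
      dropped:   (policy, key) not merged because the key limit was reached
    """
    effective, shadowed, dropped = {}, [], []
    for name, policy in bound_policies:
        for key, stmt in policy["tags"].items():
            if key in effective:  # exact match: keys are case sensitive
                if stmt != effective[key]["statement"]:
                    shadowed.append((name, key, effective[key]["source"]))
            elif len(effective) >= MAX_POLICY_KEYS:
                dropped.append((name, key))
            else:
                effective[key] = {"source": name, "statement": stmt}
    return effective, shadowed, dropped

def rule(tag_key, values):
    """Build a minimal constructed statement for the samples below."""
    return {"tag_key": {"@@assign": tag_key},
            "tag_value": {"@@assign": values},
            "resource_type_scope": {"@@assign": ["ecs:instance"]}}

# Constructed sample mirroring the page's example: A and B disagree on key 1.
POLICY_A = {"tags": {"1": rule("1", ["1"])}}
POLICY_B = {"tags": {"1": rule("1", ["2"]), "owner": rule("owner", ["ops"])}}
# Constructed policy with 55 distinct keys to exercise the limit of 50.
POLICY_C = {"tags": {f"k{i}": rule(f"k{i}", ["x"]) for i in range(55)}}

if __name__ == "__main__":
    eff, shadowed, dropped = merge_tag_policies(
        [("A", POLICY_A), ("B", POLICY_B), ("C", POLICY_C)])
    print(len(eff), "effective keys")
    print("shadowed:", shadowed)
    print("dropped:", len(dropped), "keys, first is", dropped[0])
```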

Operators

You can use operators to control the calculation rules in the tag policy. Only the assignment operator is currently supported.

| Operator | Required | Description | Description in above example |
|---|---|---|---|
| @@assign | Yes | This operator is used to assign the specified content to the specified element. | Assign principal to the policy key and tag key; assign name 1 to the tag value; assign ecs:instance,ecs:disk to the effective scope of resource types; assign on to whether the correction feature is enabled |
