A policy is composed of several sub-statements. Each sub-statement contains the following elements: policy_key, tag_key, tag_value, effective scope, etc.
Syntax Format
The policy syntax is based on the JSON format. If a created or updated policy does not meet the JSON format requirement, it cannot be successfully submitted and cannot take effect. Therefore, you must ensure that the JSON format is correct.
Syntax Conventions
The following is the general syntax of tag policies:
"detection":"on",//Detection is a system default enabled feature. It will check whether the Tag value is compliant for specified resources with specified Tag keys by default, and is not shown in json by default.
"correction":{"@@assign":"on"},//Automatic repair, can be enabled when specifying one value, but multiple specified values cannot be automatically repaired.
"auto_assign":{"@@assign":"on"},//Auto-fill.
"enforced_for":{"@@assign":["*"]},//Enforced.
"auto_assign_value":{"@@assign":"on"}//Auto-fill - Tag value
}
}
}
{
"tags":{
"Principal (Person in Charge)":{
"tag_key":{"@@assign":"principal"},
"tag_value_dynamic":{"@@assign":"on"},//Enable dynamic value, the value is determined based on the value of the similarly named Tag key of the Sub-user in CAM.
"detection":"on",//Detection is a system default enabled feature. It will check whether the Tag value is compliant for specified resources with specified Tag keys by default, and is not shown in json by default.
"correction":{"@@assign":"on"},//Automatic repair, even dynamic values have only one value, automatic repair can be enabled.
"auto_assign":{"@@assign":"on"},//Auto-fill.
"enforced_for":{"@@assign":["*"]},//Enforced.
"auto_assign_value":{"@@assign":"on"}//Auto-fill - Tag value
}
}
}
Elements
Element
Required
Description
Description in above example
tags
Yes
A tag policy always starts with tags. tags is always on the first line of a tag policy and is fixed.
tags, which is fixed
policy_key
Yes
Tag key, which identifies a compliant tag key and takes the same value as the policy key. Tag keys are case sensitive. You can define multiple tag keys in a tag policy.
principal is the tag key.
tag_key
Yes
Tag key, which identifies a compliant tag key and takes the same value as the policy key (case-sensitive). You can define multiple tag keys in a tag policy.
principal
tag_value
Yes
Tag value, which identifies a compliant tag value.
Tag value is set to name1 and use principal as a valid value
resource_type_scope
Yes
The effective scope of resource types, which is specified by the tag key-value pair.
Effective scope is limited to
ecs:instance,ecs:disk
detection
Yes
The system is enabled by default
on enables the Detection feature within the resource range where the Tag Key Value is effective
correction
No
Whether to enable Automatic repair. Acts as a switch for whether the Tag Key Value needs automatic repair
on enables the Automatic repair feature within the resource range where the Tag Key Value is effective
auto_assign
No
Whether to enable Auto-fill. Indicates whether the Tag Key needs to be displayed by default in the Edit Tag position
on enables the Auto-fill feature within the resource range where the Tag Key is effective
auto_assign_value
No
Whether to enable Auto-fill. Indicates whether the Tag Value needs to be displayed by default in the Edit Tag position
on enables the Auto-assignment Functionality within the resource range where the Tag Value is effective
enforced_for
No
Whether to enable Forcible Execution. Indicates whether to Block Affinity for Non-compliant Tag Key-value Pairs
* enables the Forcible Execution feature for All Resources with Tag Key-Value
Length Limit
Each policy is limited to 4096 characters. Exceeding this limit will prevent the policy from being submitted. If exceeded, please add a new policy.
Syntax Effective Rules
Object
You can bind a tag policy to multiple user entities (such as the root account and sub-users under the root account), but it will only be valid for the bound user.
When you bind a tag policy to the root account, it will only affect that root account.
When you bind a tag policy to a sub-user, it will only affect that sub-user.
Latency
When operating on resource tags, the effective object will check whether the resources are bound to the corresponding key-value pair in real time according to the tag policy. The latency in this process will be within 10 seconds.
Priority
You can bind multiple tag policies to a single user entity, but the earliest bound policy will take effect.
Operators
You can use operators to control the calculation rules in the tag policy. Only the assignment operator are currently supported.
Operator
Required
Description
Description in above example
@@assign
Yes
This operator is used to assign the specified content to the specified element.
Assign principal to the policy key and tag key
Assign name 1 to the tag value
Assign ecs:instance,ecs:disk to the effective scope of resource types
Assign on to whether the correction feature is enabled
Yes
No
Was this page helpful?