Tag Limitations

Last updated: 2024-07-29 18:05:22

    Application for Trial

    Note:
    Tag restrictions are currently in grayscale (gradual, limited-availability) release. If you need to try this feature in advance or have product suggestions, feel free to provide feedback at any time. You can submit an online ticket to apply for a trial.

    Overview

    For enterprises that use tags for resource authorization (for details, see Authorization by Tag), sub-users can be limited to operating only resources that carry certain tags. This isolates resources among employees.
    For enterprises with a large number of tags, sub-users are shown every tag under the root account whenever they select tags, for example when creating resources or editing a resource's tags, even though the tags they use day to day fall within a fairly fixed range. They then have to search through the full list to find the tags they need.
    To address this, you can enable the tag restrictions feature to isolate tags per sub-user: when creating or editing resources, a sub-user can select only tags within the range authorized by its Cloud Access Management (CAM) policies (see Creating Custom Policies through Tag Authorization), which makes finding the right tags efficient.

    Feature Range Description

    Once the tag restrictions feature is enabled, it applies to all sub-users and all products under the root account. Test it thoroughly before rolling it out widely.
    A sub-user is affected only if it is bound to a CAM policy that constrains tags. If sub-user A is bound to a CAM policy with a restricted tag range, A is affected; if sub-user B is bound to no such policy, B is not affected.
    An affected sub-user sees only the restricted tags when calling tag-related read APIs and when viewing or editing tags in the console; other tags are invisible to it. Tag restrictions do not change the results of resource queries or the behaviour of tag-related write APIs. For example, if a resource is bound to 6 tags and the sub-user is allowed to see only 2 of them, DescribeResourceTags still returns all 6. In other words, tag restrictions narrow what a sub-user is shown; which resources the sub-user may operate is still decided by the CAM policy itself.
    A sub-user can be bound to multiple CAM policies, and each policy can include multiple key-values. The sub-user can use the union of all key-values across the policies bound to it. However, once that union exceeds 100 key-values, the sub-user's tag restriction becomes invalid and the sub-user gains visibility of all key-values under the root account. This is a fail-open condition: binding one more policy can silently remove the restriction, so count the union before binding additional policies.
    For example, if sub-user A is bound to 3 CAM policies with a total of 20 key-values, A can use only those 20. If further policies are bound so that the total reaches 101 key-values, A can see all key-values under the root account.
    Tag restrictions and tag policies are two different ways to constrain tag usage. Choose one according to your needs; using both at the same time is not recommended.

    Various Combination Effects

    Combination | Key-value constraints through CAM policies | Tag restrictions enabled | CAM policy key-values exceeding 100 | Actual effect on sub-user | Where the restriction applies
    1 | Yes | Yes | No | Only the specified tags are visible | Tag-related read APIs; viewing or editing tags in the console; tag drop-down options when editing tags in each product
    2 | Yes | Yes | Yes | All tags visible | Not applicable
    3 | Yes | No | Yes or No | All tags visible | Not applicable
    4 | No | Yes | No | All tags visible | Not applicable

    Prerequisites

    In the CAM authorization policy for employee sub-users, authorization by tag has been adopted. For details, see Creating Custom Policies through Tag Authorization.
    The tag list contains a large number of tags.
    An existing sub-user, access1, is expected to use only these key-values: Department: Product Center, Department: Development Center, and Associated Product: Product A. No other key-values should be available to it.

    Directions

    Step 1: The Administrator Confirms the Tag Range

    Taking Department and Associated Product as example tag keys, the administrator sets three values for each.
    Assign two tag keys to sub-user access1. It is expected that this sub-user can only use Department: Product Center, Department: Development Center, and Associated Product: Product A. Other key-values are not available.
    
    

    Step 2: The Sub-user Is Granted CAM Policy Permissions

    This document covers only the use of tag restrictions; the following policy is used as an example for authorizing sub-user access1.
    The policy allows the sub-user to operate VPC resources only when the resource is bound to one of the tags Department: Product Center, Department: Development Center, or Associated Product: Product A (the for_any_value:string_equal operator matches when any of the listed key-values is present on the resource).
    Method 1: Visualization Policy
    Method 2: JSON
    1. Log in to CAM console > Policies, and click Create Custom Policy > Authorize by Tag.
    2. On the Authorize by Tag page, enter the following information as shown in the figure below:
    
    
    1. Log in to the CAM console > Policies, and click Create Custom Policy > Authorize by Tag.
    2. On the Authorize by Tag page, click JSON and enter the following policy:
    {
        "statement": [
            {
                "action": [
                    "vpc:*"
                ],
                "condition": {
                    "for_any_value:string_equal": {
                        "qcs:resource_tag": [
                            "Department&Product Center",
                            "Department&Development Center",
                            "Associated Product&Product A"
                        ]
                    }
                },
                "effect": "allow",
                "resource": "*"
            }
        ],
        "version": "2.0"
    }
    At this point, with tag restrictions not yet enabled, sub-user access1 can still see and use all key-values: the CAM policy alone limits which resources access1 may operate, not which tags it is shown.

    Step 3: Enable Tag limits

    This feature can be enabled on the Tag limits page in the Tag console.
    
    

    Step 4: Verify the Effects

    1. Switch to the account of sub-user access1 and log in.
    2. Go to Tag console > Tag List, and view the tags. At this point, sub-user access1 can see only the 3 key-values specified in the CAM policy, not all key-values under the root account.
    
    
    
    3. Go to VPC console > VPC, and click Create. In the Tag area, the drop-down list shows only the tag key-values specified in the authorization policy from Step 2; other tag key-values do not appear.
    
    
    4. Go to the Direct Connect Gateway console, and open the Edit Tag dialog box. In the drop-down list, only the authorized tag keys will appear.
    
    
    

    Step 5: Disable Tag limits

    This feature can be disabled on the Tag limits page in the Tag console.
    
    
    

    FAQs

    The following uses sub-user access1 from the example above.
    Suppose some resources that access1 was already responsible for are bound to a tag such as k1: v1, but the CAM policy the administrator bound to access1 does not include k1: v1. When the administrator then enables tag restrictions, the following happens: the first time access1 edits the tags of such a resource, the key-values not covered by the policy are cleared. Tag restrictions constrain the range of tags this sub-user can use, so a key-value absent from the CAM policy is treated as one the sub-user cannot use.
    To avoid this, the administrator should check in advance. If access1 is responsible for existing resources that already carry tags (which can be found through Querying and Editing Resource Tags), those tags must be included in the CAM policy when it is created.
    If access1 also holds the AdministratorAccess permission, access1 has access to all tags regardless of tag restrictions.
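    The two checks an administrator wants before enabling tag restrictions are the ones described in the Feature Range Description (the union of key-values across all bound policies must stay at or below 100, or the restriction silently falls open) and in this FAQ (tags already on a sub-user's resources must be covered by the policy, or they are cleared on the next edit). The script below is an added example, not Tencent Cloud's own code: it runs offline on policy documents in the JSON shape shown in Step 2 ("qcs:resource_tag" entries written as "Key&Value") and on a constructed list of a resource's existing tags in TagKey/TagValue form. The synthetic_policy helper and the RESOURCE_TAGS list are constructed for the example; KEY_VALUE_LIMIT is the threshold stated on this page.

```python
"""Pre-flight checks before enabling tag restrictions for a sub-user.

Added example, not Tencent Cloud's own code. Assumes the CAM policy JSON
shape shown on this page and a constructed TagKey/TagValue list of a
resource's existing tags.
"""
import json

KEY_VALUE_LIMIT = 100  # documented: above this the restriction falls open


def allowed_key_values(policies):
    """Return the union of (key, value) pairs granted by all bound policies.

    Assumption: every "qcs:resource_tag" condition enumerates allowed tags,
    as the page's for_any_value:string_equal example does.
    """
    allowed = set()
    for policy in policies:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        for stmt in doc.get("statement", []):
            if stmt.get("effect") != "allow":
                continue  # a deny statement grants no tag
            for cond in stmt.get("condition", {}).values():
                for tag in cond.get("qcs:resource_tag", []):
                    key, sep, value = tag.partition("&")
                    if not sep:
                        raise ValueError(f"malformed tag condition: {tag!r}")
                    allowed.add((key, value))
    return allowed


def restriction_effective(allowed):
    """True while the union is within the limit; False means the sub-user
    will silently see every key-value under the root account."""
    return len(allowed) <= KEY_VALUE_LIMIT


def tags_at_risk(resource_tags, allowed):
    """Tags already bound to a resource but absent from the policy. Per the
    FAQ these are cleared the first time the restricted sub-user edits the
    resource's tags, so they should be added to the policy beforehand."""
    return sorted(
        (t["TagKey"], t["TagValue"])
        for t in resource_tags
        if (t["TagKey"], t["TagValue"]) not in allowed
    )


def synthetic_policy(n):
    """Constructed policy granting n distinct key-values (k0&v0 ... ),
    used only to exercise the limit."""
    return {
        "version": "2.0",
        "statement": [{
            "action": ["vpc:*"], "effect": "allow", "resource": "*",
            "condition": {"for_any_value:string_equal": {
                "qcs:resource_tag": [f"k{i}&v{i}" for i in range(n)]}},
        }],
    }


# The policy from Step 2 of this page.
PAGE_POLICY = {
    "statement": [{
        "action": ["vpc:*"],
        "condition": {"for_any_value:string_equal": {"qcs:resource_tag": [
            "Department&Product Center",
            "Department&Development Center",
            "Associated Product&Product A",
        ]}},
        "effect": "allow",
        "resource": "*",
    }],
    "version": "2.0",
}

# Constructed: tags already bound to a resource access1 manages; k1:v1 is
# the tag from the FAQ that the policy does not cover.
RESOURCE_TAGS = [
    {"TagKey": "Department", "TagValue": "Product Center"},
    {"TagKey": "Associated Product", "TagValue": "Product A"},
    {"TagKey": "k1", "TagValue": "v1"},
]

if __name__ == "__main__":
    allowed = allowed_key_values([PAGE_POLICY])
    print("allowed key-values:", sorted(allowed))
    print("restriction effective:", restriction_effective(allowed))
    print("would be cleared on edit:", tags_at_risk(RESOURCE_TAGS, allowed))
    # Binding one more policy that pushes the union past 100 removes the
    # restriction entirely (3 + 98 = 101 key-values).
    union = allowed_key_values([PAGE_POLICY, synthetic_policy(98)])
    print(len(union), "key-values -> effective:", restriction_effective(union))
```

Run the checks against the real set of policies bound to the sub-user and against the tags reported for each resource it manages; any entry returned by tags_at_risk must be added to the policy before tag restrictions are enabled, and a False from restriction_effective means the restriction will not apply to that sub-user at all.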