Using Tags to Control Access to Huawei Cloud Resources
You can use tags to control access to your Huawei Cloud resources that support tagging. Tags are attached to resources, and you can create identity policies that allow or deny access to a resource based on the tags attached to it.
To control access based on tags, you need to provide tag information in the Condition element of an identity policy. You can then create an identity policy that allows or denies access to a resource based on the tag attached to that resource. In this identity policy, you can use tag condition keys to control access to any of the following:
- Resource: Use the g:ResourceTag/key-name condition key to determine whether to allow access to the resource based on the tag attached to the resource.
- Request: If a tag is included in an API calling request (for example, calling the API for tagging a resource during or after the resource creation), use the g:RequestTag/key-name condition key to specify the tags that can be added, modified, or deleted from the resource.
- Principal: Control which actions a principal (IAM user or trust agency) is allowed to perform based on the tags attached to the principal. To do this, use the g:PrincipalTag/key-name condition key to specify the tags that must be attached to the principal for the request to be allowed.
- Authorization: Use the g:TagKeys condition key to control whether specific tag keys can be used in a request. If a tag is included in an API calling request (for example, calling the API for tagging a resource during or after the resource creation), the request contains g:TagKeys, which refers to a list of tag keys.
Controlling Access to Huawei Cloud Resources
You can use condition keys in IAM identity policies to control access to Huawei Cloud resources based on the tags on those resources. You can do this using the global condition key g:ResourceTag/key-name.
In the following example, only the user who created an ECS can start or stop it. The policy assumes that each ECS is tagged with the name of the IAM user who created it: for example, an ECS created by an IAM user named ecsAdministrator is tagged with Owner=ecsAdministrator, and the policy variable ${g:UserName} resolves to the name of the user making the request. An ECS that lacks the Owner tag matches no statement, so the request is denied.
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:cloudServers:start",
        "ecs:cloudServers:stop"
      ],
      "Resource": [
        "ecs:*:*:instance:*"
      ],
      "Condition": {
        "StringEquals": {
          "g:ResourceTag/Owner": [
            "${g:UserName}"
          ]
        }
      }
    }
  ]
}
Controlling Access Based on Tag Key-Value Pairs
You can use condition keys in IAM identity policies to control which tag key-value pairs can be passed in a request (the Huawei Cloud resource involved in the request must support tagging). In the following example, the Owner tag may only be set to one of the two listed values.
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:cloudServers:batchCreateServerTags"
      ],
      "Condition": {
        "StringEquals": {
          "g:RequestTag/Owner": [
            "ecsAdministrator",
            "ecsDeveLop"
          ]
        }
      }
    }
  ]
}
Controlling Access Based on Tag Keys
You can use condition keys in IAM identity policies to control whether specific tag keys can be used in a request. Because g:TagKeys is a list, the condition uses the ForAnyValue set operator: the request is allowed if at least one of the tag keys it carries is listed.
{
  "Version": "5.0",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:cloudServers:batchCreateServerTags"
      ],
      "Condition": {
        "ForAnyValue:StringEquals": {
          "g:TagKeys": [
            "Owner",
            "Share"
          ]
        }
      }
    }
  ]
}
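The following is an added Python simulator, not Huawei Cloud's policy engine and not code from this page: it loads the first and third policies above and evaluates sample requests against them, showing the substitution of ${g:UserName}, the fail-closed result when the Owner tag is missing, and how ForAnyValue:StringEquals on g:TagKeys differs from a plain StringEquals. The request_context shape, the wildcard treatment of "*" in the resource URN and the Allow-only evaluation are assumptions made for the illustration.

```python
import re
# Added simulator, not Huawei Cloud's engine: only StringEquals and ForAnyValue:StringEquals.
OWNER_POLICY = {"Version": "5.0", "Statement": [{
    "Effect": "Allow", "Action": ["ecs:cloudServers:start", "ecs:cloudServers:stop"],
    "Resource": ["ecs:*:*:instance:*"],
    "Condition": {"StringEquals": {"g:ResourceTag/Owner": ["${g:UserName}"]}}}]}
TAGKEYS_POLICY = {"Version": "5.0", "Statement": [{
    "Effect": "Allow", "Action": ["ecs:cloudServers:batchCreateServerTags"],
    "Condition": {"ForAnyValue:StringEquals": {"g:TagKeys": ["Owner", "Share"]}}}]}

def request_context(user, resource_tags=None, request_tags=None):
    # Flatten the caller and the tags into the condition keys the page names (constructed shape).
    ctx = {"g:UserName": user}
    ctx.update({"g:ResourceTag/" + k: v for k, v in (resource_tags or {}).items()})
    ctx.update({"g:RequestTag/" + k: v for k, v in (request_tags or {}).items()})
    if request_tags:
        ctx["g:TagKeys"] = list(request_tags)  # a list of keys, hence the set operator
    return ctx

def resolve(value, ctx):
    # Expand policy variables such as ${g:UserName} from the request context.
    return re.sub(r"\$\{(g:\w+)\}", lambda m: ctx.get(m.group(1), ""), value)

def condition_matches(condition, ctx):
    # Every operator block must hold; a key absent from the request never matches.
    for op, keys in condition.items():
        set_op, _, base = op.rpartition(":")
        if base != "StringEquals":
            raise NotImplementedError(op)
        for key, allowed in keys.items():
            allowed = [resolve(v, ctx) for v in allowed]
            actual = ctx.get(key)
            if actual is None:
                return False
            # ForAnyValue compares a list of request values; one listed value suffices.
            values = actual if set_op == "ForAnyValue" else [actual]
            if not any(v in allowed for v in values):
                return False
    return True

def is_allowed(policy, action, resource, ctx):
    # Allow statements only, as on this page: one must match the action, the
    # resource ("*" is a wildcard within the URN) and every condition.
    for st in policy["Statement"]:
        patterns = [re.escape(r).replace(r"\*", ".*") for r in st.get("Resource", ["*"])]
        if (action in st["Action"] and any(re.fullmatch(p, resource) for p in patterns)
                and condition_matches(st.get("Condition", {}), ctx)):
            return True
    return False
```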