Function Compute allows you to classify service resources that have the same features by using tags. Tags facilitate resource search and aggregation. You can use the tagging feature to group services and authorize different roles to manage services in different groups. This topic describes the usage notes and limits of tags and how to manage tags in the Function Compute console.

Usage notes

  • Tags and service resources are in a many-to-many relationship.
  • Each tag consists of a key-value pair.
  • A tag serves as a condition to implement fine-grained authorization on resources within a specified scope.
  • All resources of a service, such as versions, aliases, functions, and triggers, inherit the tags attached to the service.
    • Tag-based authorization is supported if you specify the service in your API requests.
    • The tag metadata is the same for all versions of a service. Therefore, a change to a tag of a service affects tag-based authorization that involves all versions and aliases of the service.

Limits

  • Each tag key must be 1 to 64 case-sensitive Unicode characters in length.
  • Each tag value must be 1 to 128 case-sensitive Unicode characters in length.
  • A maximum of 20 tags can be attached to each resource.
  • A tag key supports ASCII codes, digits, and the following special characters: -\.!@#$%?/^&*)(+={}[\\]",'<>~·`:;|_. A tag key cannot start with aliyun or acs:, contain http:// or https://, or be an empty string.
  • A tag value supports ASCII codes, digits, and the following special characters: -\.!@#$%?/^&*)(+={}[\\]",'<>~·`:;|_. A tag value cannot contain http:// or https://, or be an empty string.
  • Tag information cannot be shared across regions. For example, if you select the China (Shanghai) region, you cannot view the tags of instances that are created in the China (Hangzhou) region.
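
The limits above can be checked before a tag set is attached to a service. The following Python sketch is an added example, not Alibaba Cloud code: validate_tags and its constants are hypothetical names, the reserved prefixes are matched exactly as written above, and the permitted-character list is not checked.

```python
# Added example: pre-flight check of a tag set against the limits listed above.
MAX_TAGS = 20            # maximum tags per resource
MAX_KEY_LEN = 64         # tag key: 1 to 64 characters
MAX_VALUE_LEN = 128      # tag value: 1 to 128 characters
RESERVED_KEY_PREFIXES = ("aliyun", "acs:")      # a key cannot start with these
FORBIDDEN_SUBSTRINGS = ("http://", "https://")  # not allowed in keys or values


def validate_tags(tags):
    """Return a list of violations for a {key: value} tag set; empty means it passes."""
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"{len(tags)} tags exceed the limit of {MAX_TAGS} per resource")
    for key, value in tags.items():
        # len() counts Unicode code points, matching the per-character limits.
        if not 1 <= len(key) <= MAX_KEY_LEN:
            problems.append(f"key {key!r}: length must be 1 to {MAX_KEY_LEN}")
        if not 1 <= len(value) <= MAX_VALUE_LEN:
            problems.append(f"value of {key!r}: length must be 1 to {MAX_VALUE_LEN}")
        if key.startswith(RESERVED_KEY_PREFIXES):
            problems.append(f"key {key!r}: starts with a reserved prefix")
        for text, kind in ((key, "key"), (value, "value")):
            if any(s in text for s in FORBIDDEN_SUBSTRINGS):
                problems.append(f"{kind} {text!r}: contains http:// or https://")
    return problems


if __name__ == "__main__":
    # Constructed sample tag sets.
    samples = [
        {"team": "dev"},
        {"Team": "dev", "team": "ops"},   # keys are case-sensitive, so these differ
        {"aliyun-team": "dev"},
        {"docs": "https://example.com"},
    ]
    for sample in samples:
        print(sample, "->", validate_tags(sample) or "ok")
```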

Create a tag

  1. Log on to the Function Compute console. In the left-side navigation pane, click Services & Functions.
  2. In the top navigation bar, select a region. On the Services page, click the desired service.
  3. In the left-side navigation pane, click Service Details.
  4. In the Basic Settings section, move the pointer over the Tag icon next to Tag and click Bind.
  5. In the Modify Tag dialog box, specify Key and Value, and click OK.
    After you create a tag, move the pointer over the Tag icon on the Service Details page. The new tag appears. You can also update or delete tags based on your business requirements by following the on-screen instructions in the console.

Use tags to perform group-based service authorization

For example, you have created 10 services in the Function Compute console. You want to authorize the dev team to manage five services and the ops team to manage the other five services. In addition, you want the dev and ops teams to view only the services that they are authorized to manage. In this case, you can attach different tags to the services for different teams, add RAM users in different teams to different user groups, and grant the corresponding permissions to these groups. You can attach the team:dev tag to five services and the team:ops tag to the other five services.

  1. Attach the team:dev tag to the five services that you want to authorize the dev team to manage, and attach the team:ops tag to the five services that you want to authorize the ops team to manage. For more information, see Create a tag.
  2. Create a RAM user.
  3. Create a user group.
    Create two user groups named dev and ops.
  4. Add a RAM user to a RAM user group.
    Add RAM users in different teams to different user groups.
  5. Grant different permissions to the two user groups.
    Function Compute supports system policies and custom policies. You can select a policy based on your business requirements.
    • Grant permissions to different user groups by using system policies.

      For more information, see Grant permissions to a RAM user group.

    • Grant permissions to different user groups by using custom policies.
      1. Create a custom policy.
        For example, you can create a custom policy named policyForDevTeam that is used to grant permissions to the dev team. The following sample code shows the policy:
        {
            "Statement": [
                {
                    "Action": "fc:*",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {
                            "fc:tag/team": "dev"
                        }
                    }
                },
                {
                    "Action": "fc:ListServices",
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": "fc:GetResourceTags",
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ],
            "Version": "1"
        }
        Then, you can create a custom policy named policyForOpsTeam that is used to grant permissions to the ops team. The following sample code shows the policy:
        {
            "Statement": [
                {
                    "Action": "fc:*",
                    "Effect": "Allow",
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {
                            "fc:tag/team": "ops"
                        }
                    }
                },
                {
                    "Action": "fc:ListServices",
                    "Effect": "Allow",
                    "Resource": "*"
                },
                {
                    "Action": "fc:GetResourceTags",
                    "Effect": "Allow",
                    "Resource": "*"
                }
            ],
            "Version": "1"
        }
      2. Grant permissions to a RAM user group.

        Select the created custom policies when you grant permissions to the two user groups.

    After the authorization is complete, the RAM users in the dev user group can manage only the services tagged with team:dev and the RAM users in the ops user group can manage only the services tagged with team:ops.
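
Before attaching per-team policies like the two above, it helps to confirm that every wildcard grant is bound to a tag condition. The following Python sketch is an added example, not Alibaba Cloud code: it rebuilds the policy shown above for any team value and reports which Allow statements carry an fc:tag/ condition. The function names are hypothetical, and only StringEquals conditions are inspected.

```python
import json

TAG_CONDITION_PREFIX = "fc:tag/"  # condition key form used in the policies above


def build_team_policy(team):
    """Policy with the same three statements as policyForDevTeam, for any team value."""
    return {
        "Statement": [
            {"Action": "fc:*", "Effect": "Allow", "Resource": "*",
             "Condition": {"StringEquals": {f"{TAG_CONDITION_PREFIX}team": team}}},
            {"Action": "fc:ListServices", "Effect": "Allow", "Resource": "*"},
            {"Action": "fc:GetResourceTags", "Effect": "Allow", "Resource": "*"},
        ],
        "Version": "1",
    }


def tag_scope(statement):
    """Return {tag_key: value} from a StringEquals tag condition, or {} if none."""
    equals = statement.get("Condition", {}).get("StringEquals", {})
    return {k[len(TAG_CONDITION_PREFIX):]: v
            for k, v in equals.items() if k.startswith(TAG_CONDITION_PREFIX)}


def audit(policy):
    """Split Allow statements into tag-scoped grants and grants with no tag condition."""
    scoped, unscoped = [], []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        scope = tag_scope(st)
        for action in actions:
            (scoped if scope else unscoped).append((action, scope))
    return scoped, unscoped


def wildcard_leaks(policy):
    """Actions containing '*' that are allowed without any tag condition."""
    return [action for action, _ in audit(policy)[1] if "*" in action]


if __name__ == "__main__":
    for team in ("dev", "ops"):
        policy = build_team_policy(team)
        scoped, unscoped = audit(policy)
        print(team, "tag-scoped:", scoped, "no tag condition:", [a for a, _ in unscoped])
        print(team, "wildcard grants without a tag condition:", wildcard_leaks(policy))
    print(json.dumps(build_team_policy("dev"), indent=4))
```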