You can use a tag policy only after you enable the Tag Policy feature.
Background information
Modes of the Tag Policy feature
Resource Management allows you to enable the Tag Policy feature in single-account mode or in resource directory mode. Choose the mode based on your business scenario and the type of your logon account. The following table describes the two modes.
Scenario | Type of the logon account | Mode of the Tag Policy feature | References
--- | --- | --- | ---
Your business in the cloud is simple and you use a single Alibaba Cloud account and the RAM users within that account to perform management operations. You use the Alibaba Cloud account to enable the Tag Policy feature in single-account mode, and then use tag policies to manage the tag-related operations performed by using the Alibaba Cloud account or its RAM users. | Alibaba Cloud account that is neither the management account nor a member of a resource directory | Single-account mode: manages tag-related operations performed by using an Alibaba Cloud account or the RAM users within that account. | Use an Alibaba Cloud account to enable the Tag Policy feature
Your business in the cloud is complex and you use a resource directory to manage all your accounts. You use the management account of the resource directory to enable the Tag Policy feature in resource directory mode, and then use tag policies to manage the tag-related operations performed by using the members of the resource directory. | Management account of a resource directory | Resource directory mode, single-account mode, or both, based on your business requirements. | Use the management account of a resource directory to enable the Tag Policy feature
You use a member of a resource directory to perform management operations. | Member of a resource directory | Depends on whether the Tag Policy feature is already enabled for the resource directory. If it is not enabled, the member can enable the feature in single-account mode. | Use a member of a resource directory to enable the Tag Policy feature
RAM permissions
You can use an Alibaba Cloud account or a RAM user within the Alibaba Cloud account to enable the Tag Policy feature. For security purposes, we recommend that you use a RAM user. To use a RAM user to enable the Tag Policy feature, you must grant the following permissions to the RAM user. For more information, see Create a custom policy and Grant permissions to the RAM user.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "tag:GetConfigRuleReport",
        "tag:GenerateConfigRuleReport",
        "tag:GetEffectivePolicy",
        "tag:ListConfigRulesForTarget",
        "tag:ListPoliciesForTarget",
        "tag:ListTargetsForPolicy",
        "tag:ListPolicies",
        "tag:GetPolicy",
        "tag:GetPolicyEnableStatus",
        "tag:DetachPolicy",
        "tag:DeletePolicy",
        "tag:ModifyPolicy",
        "tag:AttachPolicy",
        "tag:CreatePolicy",
        "tag:DisablePolicyType",
        "tag:EnablePolicyType"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rd:ListAccountsForParent",
        "rd:ListFoldersForParent",
        "rd:GetResourceDirectory",
        "config:GetAggregateResourceComplianceByConfigRule",
        "config:ListAggregateConfigRuleEvaluationResults",
        "config:GetAggregateConfigRulesReport",
        "config:GetResourceComplianceGroupByRegion",
        "config:ListConfigRuleEvaluationResults",
        "config:GetConfigRulesReport",
        "config:ListRemediations",
        "oos:ListExecutions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
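The policy above grants one RAM user both the read-only actions (viewing tag policies and compliance reports) and the mutating actions (creating, attaching and deleting policies, enabling or disabling the policy type). Before granting it, a practitioner usually wants to confirm it contains no wildcard actions and to carve out a read-only variant for auditors. The following script is an added example, not Alibaba Cloud's own code: it embeds the policy document from this page, classifies actions by their API verb prefix (Get/List treated as read-only, everything else as mutating, which is an assumption made here for review purposes rather than an official classification), flags wildcard or unexpected-service actions, and emits a read-only policy document.

```python
"""Least-privilege review of the RAM policy required to operate the Tag Policy feature.

Added example, not Alibaba Cloud code. The read-only / mutating split by verb
prefix is an assumption for review purposes, not an official classification.
"""
import json

# Policy document copied from this page (compacted; same actions, same order).
POLICY_DOCUMENT = r'''{
  "Version": "1",
  "Statement": [
    {"Action": ["tag:GetConfigRuleReport", "tag:GenerateConfigRuleReport",
                "tag:GetEffectivePolicy", "tag:ListConfigRulesForTarget",
                "tag:ListPoliciesForTarget", "tag:ListTargetsForPolicy",
                "tag:ListPolicies", "tag:GetPolicy", "tag:GetPolicyEnableStatus",
                "tag:DetachPolicy", "tag:DeletePolicy", "tag:ModifyPolicy",
                "tag:AttachPolicy", "tag:CreatePolicy", "tag:DisablePolicyType",
                "tag:EnablePolicyType"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["rd:ListAccountsForParent", "rd:ListFoldersForParent",
                "rd:GetResourceDirectory",
                "config:GetAggregateResourceComplianceByConfigRule",
                "config:ListAggregateConfigRuleEvaluationResults",
                "config:GetAggregateConfigRulesReport",
                "config:GetResourceComplianceGroupByRegion",
                "config:ListConfigRuleEvaluationResults",
                "config:GetConfigRulesReport", "config:ListRemediations",
                "oos:ListExecutions"],
     "Resource": "*", "Effect": "Allow"}
  ]
}'''

# Services the page's policy is expected to touch; anything else is a finding.
EXPECTED_SERVICES = {"tag", "rd", "config", "oos"}

# Assumption: APIs whose name starts with one of these verbs do not change state.
READ_ONLY_PREFIXES = ("Get", "List")


def parse_policy(document):
    """Parse a RAM policy document and validate its basic shape."""
    policy = json.loads(document)
    if policy.get("Version") != "1":
        raise ValueError('RAM policy documents use Version "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        raise ValueError("Statement must be a non-empty list")
    return policy


def allowed_actions(policy):
    """Return every action granted by an Allow statement, deduplicated, in order."""
    seen = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # RAM accepts a single string as well as a list
            actions = [actions]
        for action in actions:
            if action not in seen:
                seen.append(action)
    return seen


def split_actions(actions):
    """Split actions into (read_only, mutating) by the API verb prefix."""
    read_only, mutating = [], []
    for action in actions:
        _service, _sep, api = action.partition(":")
        (read_only if api.startswith(READ_ONLY_PREFIXES) else mutating).append(action)
    return read_only, mutating


def review_policy(policy, expected_services=EXPECTED_SERVICES):
    """Return a list of findings; an empty list means the policy passes review."""
    findings = []
    for action in allowed_actions(policy):
        service, sep, _api = action.partition(":")
        if not sep:
            findings.append(f"malformed action {action!r}")
        elif "*" in action:
            findings.append(f"wildcard action {action!r} grants more than this page requires")
        elif service not in expected_services:
            findings.append(f"action {action!r} is outside the expected services {sorted(expected_services)}")
    return findings


def read_only_policy(policy):
    """Build a policy document with only the read-only actions, for RAM users who
    audit tag policies and compliance reports but must not change anything."""
    read_only, _mutating = split_actions(allowed_actions(policy))
    return json.dumps({"Version": "1",
                       "Statement": [{"Action": read_only, "Resource": "*", "Effect": "Allow"}]},
                      indent=2)


if __name__ == "__main__":
    policy = parse_policy(POLICY_DOCUMENT)
    read_only, mutating = split_actions(allowed_actions(policy))
    print(f"read-only actions: {len(read_only)}, mutating actions: {len(mutating)}")
    print("mutating:", ", ".join(mutating))
    print("findings:", review_policy(policy) or "none")
    print(read_only_policy(policy))
```

Grant the read-only document to auditors and reserve the full policy (which includes tag:EnablePolicyType, tag:DisablePolicyType and the Create/Modify/Attach/Detach/DeletePolicy actions) for the operator who actually enables and maintains tag policies. The Resource element stays "*" in both because the policy-type and tag-policy operations are account-level rather than per-resource.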
Use an Alibaba Cloud account to enable the Tag Policy feature
You can use an Alibaba Cloud account that is not the management account or a member of a resource directory to enable the Tag Policy feature that is in single-account mode.
Log on to the Resource Management console.
In the left-side navigation pane, choose .
On the Policy Library page, click Enable Tag Policy.
In the Enable Tag Policy message, click OK.
When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. Tag assumes this role to access resources in other Alibaba Cloud services on your behalf. For more information, see Service-linked role for Tag.
Use the management account of a resource directory to enable the Tag Policy feature
You can use the management account of a resource directory to enable the Tag Policy feature in both modes or in one of the modes based on your business requirements.
Log on to the Resource Management console.
In the left-side navigation pane, choose .
On the Policy Library page, click Enable Tag Policy.
In the Enable Tag Policy dialog box, specify the mode of the Tag Policy feature that you want to enable.
You can select both or one of the following options:
Enable Tag Policy for Resource Directory: If you select this option, the Tag Policy feature in resource directory mode is enabled.
Enable Tag Policy for Current Account: If you select this option, the Tag Policy feature in single-account mode is enabled.
Click OK.
When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. Tag assumes this role to access resources in other Alibaba Cloud services on your behalf. For more information, see Service-linked role for Tag.
Use a member of a resource directory to enable the Tag Policy feature
If the Tag Policy feature is not enabled for a resource directory, a member of the resource directory can be used to enable the Tag Policy feature that is in single-account mode.
Use a member of a resource directory to log on to the Alibaba Cloud Management Console.
For more information, see Use a member to log on to the Alibaba Cloud Management Console.
Log on to the Resource Management console.
In the left-side navigation pane, choose .
On the Policy Library page, click Enable Tag Policy.
In the Enable Tag Policy message, click OK.
When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. Tag assumes this role to access resources in other Alibaba Cloud services on your behalf. For more information, see Service-linked role for Tag.