All Products
Search
Document Center

Resource Management:Enable the Tag Policy feature

Last Updated:Aug 30, 2023

You can use a tag policy only after you enable the Tag Policy feature.

Background information

Modes of the Tag Policy feature

Resource Management allows you to enable the Tag Policy feature in single-account mode or in resource directory mode. You can enable the Tag Policy feature that is in a specific mode based on your business scenario and the type of your logon account. The following table describes the two modes.

Scenario

Type of the logon account

Mode of the Tag Policy feature

References

If your business in the cloud is simple and you use a single Alibaba Cloud account and the RAM users within the Alibaba Cloud account to perform management operations, you can use the Alibaba Cloud account to enable the Tag Policy feature that is in single-account mode. Then, you can use tag policies to manage the tag-related operations performed by using the Alibaba Cloud account or the RAM users.

Alibaba Cloud account that is not the management account or a member of a resource directory

Single-account mode: The Tag Policy feature in this mode can be used to manage tag-related operations performed by using an Alibaba Cloud account or the RAM users within the Alibaba Cloud account.

Use an Alibaba Cloud account to enable the Tag Policy feature

If your business in the cloud is complex and you use a resource directory to manage all your accounts, you can use the management account of the resource directory to enable the Tag Policy feature that is in resource directory mode. Then, you can use tag policies to manage the tag-related operations performed by using a member of the resource directory.

Management account of a resource directory

You can enable the Tag Policy feature in both modes or in one of the modes based on your business requirements.

  • Resource directory mode: The Tag Policy feature in this mode can be used to manage the tag-related operations performed by using a member of the resource directory.

    Important

    If a member of the resource directory is used to enable the Tag Policy feature that is in single-account mode, the management account of the resource directory cannot be used to enable the Tag Policy feature that is in resource directory mode. To enable the Tag Policy feature that is in resource directory mode, you must first disable the Tag Policy feature that is in single-account mode and enabled by using the member.

  • Single-account mode: The Tag Policy feature in this mode can be used to manage only tag-related operations performed by using the management account of the resource directory.

Use the management account of a resource directory to enable the Tag Policy feature

Member of a resource directory

The following situations may occur based on whether the Tag Policy feature is enabled for a resource directory:

  • If the Tag Policy feature is not enabled for the resource directory, you can use a member of the resource directory to enable the Tag Policy feature that is in single-account mode to manage only the tag-related operations performed by using the member.

  • If the Tag Policy feature is enabled for the resource directory, you cannot use a member of the resource directory to enable the Tag Policy feature that is in single-account mode. Tag policies are managed by using the management account of the resource directory in a centralized manner. You can use the member only to view the effective policy of the member.

Use a member of a resource directory to enable the Tag Policy feature

RAM permissions

You can use an Alibaba Cloud account or a RAM user within the Alibaba Cloud account to enable the Tag Policy feature. For security purposes, we recommend that you use a RAM user. To use a RAM user to enable the Tag Policy feature, you must grant the following permissions to the RAM user. For more information, see Create a custom policy and Grant permissions to the RAM user.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
              "tag:GetConfigRuleReport",
              "tag:GenerateConfigRuleReport",
              "tag:GetEffectivePolicy",
              "tag:ListConfigRulesForTarget",
              "tag:ListPoliciesForTarget",
              "tag:ListTargetsForPolicy",
              "tag:ListPolicies",
              "tag:GetPolicy",
              "tag:GetPolicyEnableStatus",
              "tag:DetachPolicy",
              "tag:DeletePolicy",
              "tag:ModifyPolicy",
              "tag:AttachPolicy",
              "tag:CreatePolicy",
              "tag:DisablePolicyType",
              "tag:EnablePolicyType"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "rd:ListAccountsForParent",
                "rd:ListFoldersForParent",
                "rd:GetResourceDirectory",
                "config:GetAggregateResourceComplianceByConfigRule",
                "config:ListAggregateConfigRuleEvaluationResults",
                "config:GetAggregateConfigRulesReport",
                "config:GetResourceComplianceGroupByRegion",
                "config:ListConfigRuleEvaluationResults",
                "config:GetConfigRulesReport",
                "config:ListRemediations",
                "oos:ListExecutions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Use an Alibaba Cloud account to enable the Tag Policy feature

You can use an Alibaba Cloud account that is not the management account or a member of a resource directory to enable the Tag Policy feature that is in single-account mode.

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, choose Tag Policy > Policy Library.

  3. On the Policy Library page, click Enable Tag Policy.

  4. In the Enable Tag Policy message, click OK.

    When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. This role can resolve cross-service access issues. For more information, see Service-linked role for Tag.

Use the management account of a resource directory to enable the Tag Policy feature

You can use the management account of a resource directory to enable the Tag Policy feature in both modes or in one of the modes based on your business requirements.

  1. Log on to the Resource Management console.

  2. In the left-side navigation pane, choose Tag Policy > Policy Library.

  3. On the Policy Library page, click Enable Tag Policy.

  4. In the Enable Tag Policy dialog box, specify the mode of the Tag Policy feature that you want to enable.

    You can select both or one of the following options:

    • Enable Tag Policy for Resource Directory: If you select this option, the Tag Policy feature in resource directory mode is enabled.

    • Enable Tag Policy for Current Account: If you select this option, the Tag Policy feature in single-account mode is enabled.

  5. Click OK.

    When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. This role can resolve cross-service access issues. For more information, see Service-linked role for Tag.

Use a member of a resource directory to enable the Tag Policy feature

If the Tag Policy feature is not enabled for a resource directory, a member of the resource directory can be used to enable the Tag Policy feature that is in single-account mode.

  1. Use a member of a resource directory to log on to the Alibaba Cloud Management Console.

  2. Log on to the Resource Management console.

  3. In the left-side navigation pane, choose Tag Policy > Policy Library.

  4. On the Policy Library page, click Enable Tag Policy.

  5. In the Enable Tag Policy message, click OK.

    When you enable the Tag Policy feature, the system creates the service-linked role AliyunServiceRoleForTag. This role can resolve cross-service access issues. For more information, see Service-linked role for Tag.