{"componentChunkName":"component---src-templates-acg-portal-intl-template-tsx","path":"/qlmg81yao-intl-en","result":{"data":{"markdownRemark":{"html":"<p>After binding cloud resource tags to a CCR enterprise edition, you can use tags to allocate and control access permissions for instances. This document explains how IAM users’ permissions can be controlled using tags to grant different permissions to access various CCR instances.</p>\n<h2 id=\"background\"><a href=\"#background\" aria-label=\"background permalink\" class=\"anchor\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Background</h2>\n<p>Tags are a way to categorize cloud resources for better management. IAM can manage user identities and control access permissions for cloud resources based on policies. By combining tags with IAM and using tags as conditions in permission policies, you can achieve more precise permission management for cloud resources.</p>\n<h2 id=\"operation-steps\"><a href=\"#operation-steps\" aria-label=\"operation steps permalink\" class=\"anchor\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Operation steps</h2>\n<p>This step involves using the Baidu AI Cloud root account to create a custom permission policy, UseTagAccessPolicy (which restricts IAM users to accessing only CCR instances with the specified tag <code>test: ccr</code>), and then granting this custom permission policy (UseTagAccessPolicy) to the IAM user.</p>\n<ol>\n<li>Navigate to the <a href=\"https://console.bce.baidu.com/iam/#/iam/overview\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Identity and Access Management</a> console.</li>\n<li>Click <strong>Policy Management</strong> in the left navigation bar to enter the Permission Policy List page.</li>\n<li>\n<p>Click <strong>Create Policy</strong>, and then select <strong>Create by Tag</strong> in the system pop-up box to enter the Create Permission Policy by Tag page.</p>\n<p><img src=\"https://bce.bdstatic.com/doc/bce-doc/CCE/image_f945f2a.png\" alt=\"image.png\"></p>\n</li>\n<li>\n<p>Complete relevant configurations on the Create Permission Policy by Tag page:</p>\n<p><img src=\"https://bce.bdstatic.com/doc/bce-doc/CCR/image_1ded6dc.png\" alt=\"image.png\"></p>\n</li>\n</ol>\n<table>\n<thead>\n<tr>\n<th>ConfigMap</th>\n<th>Required/Optional</th>\n<th>Configuration</th>\n</tr>\n</thead>\n<tbody>\n<tr>\n<td>Policy name</td>\n<td>Required</td>\n<td>Custom policy name: Enter \"UseTagAccessPolicy\" here.</td>\n</tr>\n<tr>\n<td>Select tag</td>\n<td>Required</td>\n<td>Select the tag bound to the target resource; select <code>test: cce</code> here.</td>\n</tr>\n<tr>\n<td>Select service</td>\n<td>Required</td>\n<td>Select the cloud service that corresponds to the target resource. Choose \"Cloud Container Registry (CCR)\" here. The system will automatically filter all CCR instances associated with this tag.</td>\n</tr>\n<tr>\n<td>Select operation</td>\n<td>Required</td>\n<td>Specify the IAM user permissions to operate on the target resources. Choose \"Read-only Permission\" here. Multiple permissions, such as \"Operation and Maintenance Permission\" and \"Management Permission,\" can also be selected.</td>\n</tr>\n<tr>\n<td>Resource scope</td>\n<td>Required</td>\n<td>Indicate the CCR instance for which this policy will apply. The system will automatically match CCR instances from all regions associated with the selected tags.</td>\n</tr>\n</tbody>\n</table>\n\n    <div class=\"code-block-wrapper\">\n        <div class=\"code-block\">\n            <div class=\"code-block-header\">\n                <span class=\"code-block-name\">Plain Text</span>\n                <button class=\"code-copy-btn\" data-tooltip-text=\"\">\n                    <svg xmlns=\"http://www.w3.org/2000/svg\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" fill=\"none\"> <path fill-rule=\"evenodd\" clip-rule=\"evenodd\" d=\"M5.57894 3.45614C5.57894 3.38832 5.63392 3.33333 5.70175 3.33333H12.5439C12.6117 3.33333 12.6667 3.38832 12.6667 3.45614V10.2982C12.6667 10.3661 12.6117 10.4211 12.5439 10.4211H11.7544V5.70175C11.7544 4.89754 11.1025 4.24561 10.2982 4.24561H5.57894V3.45614ZM4.24561 4.24561V3.45614C4.24561 2.65194 4.89754 2 5.70175 2H12.5439C13.3481 2 14 2.65194 14 3.45614V10.2982C14 11.1025 13.3481 11.7544 12.5439 11.7544H11.7544V12.5439C11.7544 13.3481 11.1025 14 10.2982 14H3.45614C2.65194 14 2 13.3481 2 12.5439V5.70175C2 4.89754 2.65194 4.24561 3.45614 4.24561H4.24561ZM3.33333 5.70175C3.33333 5.63392 3.38832 5.57894 3.45614 5.57894H10.2982C10.3661 5.57894 10.4211 5.63392 10.4211 5.70175V12.5439C10.4211 12.6117 10.3661 12.6667 10.2982 12.6667H3.45614C3.38832 12.6667 3.33333 12.6117 3.33333 12.5439V5.70175Z\" fill=\"currentColor\"></path> </svg>\n                    Copy\n                </button>\n            </div>\n            <div class=\"code-block-content\">\n                <pre class=\"language-text\"><code><span class=\"line-number\">1</span>&gt;**Description**\n<span class=\"line-number\">2</span>&gt;\n<span class=\"line-number\">3</span>&gt;* Read-only permission: Have read-only permission for all instances associated with the selected tag.\n<span class=\"line-number\">4</span>&gt;* Operation and maintenance permission: possess the full read-write permissions for all instances associated with the selected tags, excluding instance creation, instance upgrade and renewal\n<span class=\"line-number\">5</span>&gt;* Management permission: possess the full read-write permissions for all instances associated with the selected tags\n<span class=\"line-number\">6</span>&gt;</code></pre>\n            </div>\n        </div>\n    </div>\n  \n<ol start=\"5\">\n<li>Click the <strong>OK</strong> button to complete the creation. You can view the created policy on the Permission Policy List page.</li>\n<li>Grant the custom permission policy to the target IAM user. For specific steps, refer to <a href=\"https://cloud.baidu.com/doc/IAM/s/njwvyc2zd#%E5%AD%90%E7%94%A8%E6%88%B7%E6%8E%88%E6%9D%83\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">IAM User Authorization</a>.</li>\n</ol>","fields":{"slug":"qlmg81yao-intl-en","title":"Configure IAM Tag Permission Policy","date":"2025-11-03","extractedHeadings":[]},"headings":[{"value":"Background","depth":2},{"value":"Operation steps","depth":2}]}},"pageContext":{"isCreatedByStatefulCreatePages":false,"slug":"qlmg81yao-intl-en","prev":{"id":"Okx0893kx-intl-en","name":"Configure IAM Access Control","path":"Okx0893kx-intl-en","filePath":"Enterprise Edition Operation Guide/Access configuration/Configure IAM Access Control.md","seo":null,"parentIds":["9mhiwlx1n","bmhiwlx26"],"parents":[{"id":"9mhiwlx1n","documentId":"58cad04c-61e1-4f23-811c-c7da11f497db","name":"Enterprise Edition Operation Guide","repoName":"CCR","filePath":"Enterprise Edition Operation Guide","disabled":false,"path":"9mhiwlx1n","lastMergeTime":null,"isApiDoc":null,"httpMethod":null,"seo":null,"sourceOrgName":null,"sourceRepoName":null,"sourceDocumentId":""},{"id":"bmhiwlx26","documentId":"84b08cff-bbe1-4096-983d-0878c5637a05","name":"Access configuration","repoName":"CCR","filePath":"Enterprise Edition Operation Guide/Access configuration","disabled":false,"path":"bmhiwlx26","lastMergeTime":null,"isApiDoc":null,"httpMethod":null,"seo":null,"sourceOrgName":null,"sourceRepoName":null,"sourceDocumentId":""}]},"next":{"id":"hmap6dcme-intl-en","name":"Configure Robot Account","path":"hmap6dcme-intl-en","filePath":"Enterprise Edition Operation Guide/Access configuration/Configure Robot Account.md","seo":null,"parentIds":["9mhiwlx1n","bmhiwlx26"],"parents":[{"id":"9mhiwlx1n","documentId":"58cad04c-61e1-4f23-811c-c7da11f497db","name":"Enterprise Edition Operation Guide","repoName":"CCR","filePath":"Enterprise Edition Operation Guide","disabled":false,"path":"9mhiwlx1n","lastMergeTime":null,"isApiDoc":null,"httpMethod":null,"seo":null,"sourceOrgName":null,"sourceRepoName":null,"sourceDocumentId":""},{"id":"bmhiwlx26","documentId":"84b08cff-bbe1-4096-983d-0878c5637a05","name":"Access configuration","repoName":"CCR","filePath":"Enterprise Edition Operation Guide/Access configuration","disabled":false,"path":"bmhiwlx26","lastMergeTime":null,"isApiDoc":null,"httpMethod":null,"seo":null,"sourceOrgName":null,"sourceRepoName":null,"sourceDocumentId":""}]},"parents":[{"id":"9mhiwlx1n","documentId":"58cad04c-61e1-4f23-811c-c7da11f497db","name":"Enterprise Edition Operation Guide","repoName":"CCR","filePath":"Enterprise Edition Operation Guide","disabled":false,"path":"9mhiwlx1n","lastMergeTime":null,"isApiDoc":null,"httpMethod":null,"seo":null,"sourceOrgName":null,"sourceRepoName":null,"sourceDocumentId":""},{"id":"bmhiwlx26","documentId":"84b08cff-bbe1-4096-983d-0878c5637a05","name":"Access configuration","repoName":"CCR","filePath":"Enterprise Edition Operation Guide/Access configuration","disabled":false,"path":"bmhiwlx26","lastMergeTime":null,"isApiDoc":null,"httpMethod":null,"seo":null,"sourceOrgName":null,"sourceRepoName":null,"sourceDocumentId":""}],"specificSeo":null}}}