Tag-based permissions management


Available in Classic and VPC

NAVER Cloud Platform allows you to control access to resources and requests to perform actions based on Condition keys. This section explains Resource Tag, a Condition key used to control access to resources, and Request Tag, a Condition key used to control action requests.

Resource Tag
  • Purpose of use: Allow or deny a user's actions on resources that carry specific tags.
  • Available actions: Only actions that target a specific resource are supported.
    • Actions that do not target a specific resource, such as View/Get ~ List, are not supported.
    • Exceptionally, resource creation actions that include tag information, such as Change/create ~, are supported.
  • Permission check method: The tag key-value pairs defined in the IAM policy are compared with the tags attached to the resource to decide whether access is allowed.

Request Tag
  • Purpose of use: Require that a specific tag key-value pair be present when a resource is created or its tags are modified.
  • Available actions:
    • Resource creation actions with tag information (Change/create ~)
    • Tag assignment actions (Change/tag ~, Change/untag ~)
  • Permission check method: The tag key-value pairs defined in the IAM policy are compared with the tags included in the permission request to decide whether the action is allowed.

Resource access control using Resource Tag

The following policy uses the ncp:resourceTag condition key to define permissions such that only policies with a specific tag [key:value] can be deleted.
[Image: example policy, subaccount_resourcetag_ko]

Controlling action execution requests using Request Tag

The following policy uses the ncp:requestTag condition key to define permissions such that Sub Accounts can only be created with a specific tag [key:value].
[Image: example policy, subaccount_requesttag_ko]

A Sub Account granted this policy can create a Sub Account only when the [project:unicorn] tag is supplied in the request. If a Sub Account is created without specifying a tag, or with a tag other than [project:unicorn], the request is denied. For resource creation actions that include tag information, the ncp:requestTag condition key can likewise be used so that Sub Accounts can only be created with a specific tag [key:value].

Note
  • For the condition keys each action supports, see Sub Account permissions management for each service.
  • If Sub Account is granted a policy with a condition key that is not supported for the action, the action will be denied.
  • For more information on operators defined by NAVER Cloud Platform, see Condition keys and operator information.

Permission check logic when multiple keys or values are included

  • Multiple values under a single condition key: the logical operator OR is applied. Permission is granted if at least one of the tag key-value pairs defined in the policy matches.
  • Multiple tag values under a single condition key with a negation operator: the logical operator NOR is applied. Permission is granted only if none of the tag key-value pairs defined in the policy match.
  • Multiple condition keys within a single Condition: the logical operator AND is applied. Permission is granted only if every condition key matches.
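To make the three rules above, together with the Resource Tag / Request Tag distinction from the earlier sections and the "unsupported condition key means deny" note, concrete, here is a small Python model of the evaluation logic. It is an added example written for this page, not NAVER Cloud Platform's policy engine: the policy layout, the StringEquals/StringNotEquals operator names, the action names (Change/deletePolicy, Change/createSubAccount, Change/tagPolicy, View/getPolicyList) and the SUPPORTED_KEYS table are assumptions chosen to illustrate the rules, not NCP identifiers. Tags are written in the page's [key:value] form.

```python
"""Toy model of the tag-condition semantics described on this page.

Constructed example: NOT NAVER Cloud Platform's policy engine, and the policy
layout below is an assumption rather than NCP's schema. Action names are
hypothetical.
"""

# Condition keys each action accepts (assumed, following the page's rules:
# View/Get ~ List actions accept none; create/tag/untag actions accept both;
# other resource-targeting actions accept ncp:resourceTag).
SUPPORTED_KEYS = {
    "View/getPolicyList": set(),
    "Change/deletePolicy": {"ncp:resourceTag"},
    "Change/createSubAccount": {"ncp:resourceTag", "ncp:requestTag"},
    "Change/tagPolicy": {"ncp:resourceTag", "ncp:requestTag"},
}


def _pairs(tags):
    """{"project": "unicorn"} -> {"project:unicorn"} (the page's [key:value] notation)."""
    return {f"{k}:{v}" for k, v in tags.items()}


def _key_matches(cond_key, operator, policy_pairs, request_tags, resource_tags):
    """Evaluate one condition key.

    ncp:resourceTag compares against tags attached to the target resource;
    ncp:requestTag compares against tags carried in the request itself.
    A tag that is absent simply matches nothing (this toy's choice).
    """
    if cond_key == "ncp:resourceTag":
        actual = _pairs(resource_tags)
    elif cond_key == "ncp:requestTag":
        actual = _pairs(request_tags)
    else:
        raise ValueError(f"unknown condition key {cond_key}")
    hits = actual & set(policy_pairs)
    if operator == "StringEquals":
        return bool(hits)  # OR: at least one listed pair must be present
    if operator == "StringNotEquals":
        return not hits    # NOR: none of the listed pairs may be present
    raise ValueError(f"unknown operator {operator}")


def evaluate(policy, action, request_tags=None, resource_tags=None):
    """True only if `policy` allows `action`; anything else is denied."""
    request_tags = request_tags or {}
    resource_tags = resource_tags or {}
    if policy.get("Effect") != "Allow" or policy["Action"] != action:
        return False
    allowed_keys = SUPPORTED_KEYS.get(action, set())
    for cond_key, clause in policy.get("Condition", {}).items():
        if cond_key not in allowed_keys:
            return False  # condition key the action does not support: deny
        for operator, pairs in clause.items():
            if not _key_matches(cond_key, operator, pairs, request_tags, resource_tags):
                return False  # AND across condition keys: one failure denies
    return True


# Resource Tag: only policies tagged project:unicorn or project:pegasus may be deleted.
DELETE_TAGGED_POLICY = {
    "Effect": "Allow",
    "Action": "Change/deletePolicy",
    "Condition": {"ncp:resourceTag": {"StringEquals": ["project:unicorn", "project:pegasus"]}},
}

# Request Tag: a Sub Account may only be created when the request carries project:unicorn.
CREATE_TAGGED_SUBACCOUNT = {
    "Effect": "Allow",
    "Action": "Change/createSubAccount",
    "Condition": {"ncp:requestTag": {"StringEquals": ["project:unicorn"]}},
}

# Two condition keys (AND): the target must already carry project:unicorn, and the
# request must not attach env:prod or env:staging (NOR over the negated values).
TAG_UNICORN_NONPROD = {
    "Effect": "Allow",
    "Action": "Change/tagPolicy",
    "Condition": {
        "ncp:resourceTag": {"StringEquals": ["project:unicorn"]},
        "ncp:requestTag": {"StringNotEquals": ["env:prod", "env:staging"]},
    },
}

# A list action with a resource-tag condition: the key is unsupported, so always denied.
LIST_WITH_RESOURCE_TAG = {
    "Effect": "Allow",
    "Action": "View/getPolicyList",
    "Condition": {"ncp:resourceTag": {"StringEquals": ["project:unicorn"]}},
}

if __name__ == "__main__":
    print(evaluate(DELETE_TAGGED_POLICY, "Change/deletePolicy", resource_tags={"project": "pegasus"}))
    print(evaluate(CREATE_TAGGED_SUBACCOUNT, "Change/createSubAccount"))
    print(evaluate(TAG_UNICORN_NONPROD, "Change/tagPolicy",
                   request_tags={"env": "prod"}, resource_tags={"project": "unicorn"}))
    print(evaluate(LIST_WITH_RESOURCE_TAG, "View/getPolicyList", resource_tags={"project": "unicorn"}))
```

One caveat the model makes visible: it treats a missing tag as matching nothing, so a StringEquals condition denies a request without the tag (as the page states for creation), while a StringNotEquals condition passes it. The page does not say how the real engine treats absent tags under a negated operator, so verify that behaviour before relying on a negated request-tag condition to keep untagged resources out.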