Managing and controlling account tags at the Cluster level

Cloud operations teams can sometimes be under strict regulation regarding account metadata. Turbot allows the use of tags to label clusters, resources, and accounts with important information such as cost center, environment type (e.g. prod, qa, or dev), and the team that owns the account. Using the policy Turbot > Tags > Account Tags Template, cloud administrators can set and lock a specific tag template at the cluster level that all Turbot accounts inside that cluster will inherit.

If a user with Turbot/Owner permissions at the cluster level configures this policy as Required, users with Turbot/Owner permissions at the account level will be unable to create a new policy that overrides the one set at the cluster level.

 

Setup Steps:

Navigate to the cluster level in Turbot and select the Policies tab. Then search for "account tags template". The screenshot below is from version 3.52.0. Here, you need the second (lower) one:

Selecting that policy (left mouse-click) will bring up the following screen:

In the above example, the exception is already set. This allows cloud administrators to set a tagging template at the Turbot level. Users who do not have Turbot/Owner at the Turbot level will not be able to set the exception, just as users with Turbot/Owner at the account level cannot set an exception to override the policy required at the cluster level.

The policy is formatted as a YAML document. The above example also shows that account metadata can be used in the tagging template. Account metadata can be found using the following API request, returning a JSON response:

GET <turbot url>/api/v3/accounts/<account id>

 

Account owners will still be able to set their own tags on the Turbot account, but the configured policy will prevent them from modifying or removing tags deemed important.
