Resource group

A resource group is a set of resources owned by end users. You can use resource groups to manage resources in Alibaba Cloud services such as Elastic Compute Service (ECS), ApsaraDB for RDS, Server Load Balancer (SLB), and Elastic Container Instance (ECI).

With resource groups, you can divide resources based on their purposes and manage user permissions.

For example, a company purchases cloud resources by using an Alibaba Cloud account. Some of these resources are used for test environments and some are used for production environments. In this case, resources for different purposes can be added to separate resource groups.

This topic describes how to use ECI resource groups to manage the permissions of RAM users.

Benefits

If you do not use resource groups, the Alibaba Cloud account grants ECI-related permissions to RAM users at the account level: the permissions to create, modify, and delete apply to all ECIs under the Alibaba Cloud account. This causes a conflict when the resources of different RAM users need to be isolated from one another. If you use resource groups, you can restrict the permissions of a RAM user to a single resource group. The RAM user can then manage only the resources in that resource group, and cannot manage resources outside it.

Authentication rules for API operations

CreateContainerGroup

Alibaba Cloud account

An Alibaba Cloud account has the highest level of permissions. If you call the CreateContainerGroup operation by using an Alibaba Cloud account, you can create an ECI and add it to any resource group under the account. If you do not specify a resource group ID, the newly created ECI is added to the default resource group by default.

RAM user

If the permissions of a RAM user are restricted to a single resource group, you must specify that resource group ID when you create an ECI as the RAM user. The one exception is a RAM user whose permissions are restricted to the default resource group: the resource group ID can be omitted, and the created ECI is then added to the default resource group. Whenever a resource group ID is specified, the system verifies it.

If the permissions of the RAM user are not restricted to a resource group, you can add the ECI to the default resource group.

DescribeContainerGroups

Alibaba Cloud account

An Alibaba Cloud account has the highest level of permissions. If you call the DescribeContainerGroups operation by using an Alibaba Cloud account, the information about all ECIs under the account is returned by default. The operation is not restricted by resource groups.

However, if you specify a resource group ID as a filtering condition, the information about all matching ECIs in the resource group is returned. Only Alibaba Cloud accounts have such permission.

RAM user

If the permissions of a RAM user are restricted to a resource group, you must specify that resource group when you query ECIs. Otherwise, the authentication fails. The query is performed only after the resource group is verified, and only the ECIs in the specified resource group are returned.

DescribeContainerLog

Alibaba Cloud account

An Alibaba Cloud account has the highest level of permissions. If you call the DescribeContainerLog operation by using an Alibaba Cloud account, you can query the container logs of any ECI under the account.

RAM user

If you call the DescribeContainerLog operation as a RAM user, you are not required to specify the resource group ID. Instead, the system checks whether the RAM user has permissions on the resource group that the requested ECI belongs to. You can proceed with the operation only if this authentication succeeds, which prevents unauthorized access to the logs of ECIs in other resource groups.

DeleteContainerGroup

Alibaba Cloud account

An Alibaba Cloud account has the highest level of permissions. If you call the DeleteContainerGroup operation by using an Alibaba Cloud account, you can delete any ECI under the account.

RAM user

If you call the DeleteContainerGroup operation as a RAM user, you are not required to specify the resource group ID. Instead, the system checks whether the RAM user has permissions on the resource group that the requested ECI belongs to. You can proceed with the operation only if this authentication succeeds, which prevents unauthorized deletion of ECIs in other resource groups.

Resource lifecycle management

ECI does not allow you to change the resource group of an existing resource. A resource is added to the specified resource group, or to the default resource group, only when it is created. When a resource is deleted, it is automatically removed from its resource group.

Common scenarios

Assume that the following three resource groups exist under an Alibaba Cloud account: default resource group, test_a, and test_b.

The following two RAM users exist under the Alibaba Cloud account: test and test2. The former has full permissions on the test_a resource group. The latter has full permissions on the default resource group.

CreateContainerGroup

Alibaba Cloud account

  • If you call the CreateContainerGroup operation by using the Alibaba Cloud account and do not specify the resource group ID, the created ECI is added to the default resource group.
  • If you call the CreateContainerGroup operation by using the Alibaba Cloud account and specify a valid resource group ID, the created ECI is added to the specified resource group.
  • If you call the CreateContainerGroup operation by using the Alibaba Cloud account and specify an invalid resource group ID, the created ECI is added to the default resource group.

RAM user

  • If you call the CreateContainerGroup operation as the test RAM user and do not specify the resource group ID, the authentication fails.
  • If you call the CreateContainerGroup operation as the test RAM user and specify an invalid resource group ID, the authentication fails.
  • If you call the CreateContainerGroup operation as the test2 RAM user and do not specify the resource group ID, the created ECI is added to the default resource group.
  • If you call the CreateContainerGroup operation as the test RAM user and specify a valid resource group ID, the created ECI is added to the specified resource group.

DescribeContainerGroups

Alibaba Cloud account

  • If you call the DescribeContainerGroups operation by using the Alibaba Cloud account and do not specify the resource group ID, the information about all ECIs under the account is returned.
  • If you call the DescribeContainerGroups operation by using the Alibaba Cloud account and specify a valid resource group ID, the information about the ECIs in the specified resource group is returned.
  • If you call the DescribeContainerGroups operation by using the Alibaba Cloud account and specify an invalid resource group ID, an empty response is returned.

RAM user

  • If you call the DescribeContainerGroups operation as the test RAM user and do not specify the resource group ID, the authentication fails.
  • If you call the DescribeContainerGroups operation as the test RAM user and specify an invalid resource group ID, the authentication fails.
  • If you call the DescribeContainerGroups operation as the test RAM user and specify a valid resource group ID, the information about the ECIs in the specified resource group is returned.
  • If you call the DescribeContainerGroups operation as the test RAM user and specify a valid resource group ID, but the requested ECI is not in the resource group, an empty response is returned.

DescribeContainerLog

Alibaba Cloud account

  • If you call the DescribeContainerLog operation by using the Alibaba Cloud account, you can retrieve the container logs of any ECI in the default resource group.
  • If you call the DescribeContainerLog operation by using the Alibaba Cloud account, you can retrieve the container logs of any ECI in the test_a resource group.

RAM user

  • If you call the DescribeContainerLog operation as the test RAM user to query the container logs of an ECI in the resource group that the test RAM user has permissions on, the authentication succeeds.
  • If you call the DescribeContainerLog operation as the test RAM user to query the container logs of an ECI in a resource group that the test RAM user does not have permissions on, the authentication fails.

DeleteContainerGroup

Alibaba Cloud account

  • If you call the DeleteContainerGroup operation by using the Alibaba Cloud account, you can delete any ECI in the default resource group.
  • If you call the DeleteContainerGroup operation by using the Alibaba Cloud account, you can delete any ECI in the test_a resource group.

RAM user

  • If you call the DeleteContainerGroup operation as the test RAM user to delete an ECI in the resource group that the test RAM user has permissions on, the authentication succeeds.
  • If you call the DeleteContainerGroup operation as the test RAM user to delete an ECI in a resource group that the test RAM user does not have permissions on, the authentication fails.
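The authentication rules for the four API operations, and the scenarios in this section, as an added executable model that is not Alibaba Cloud's own implementation. The Tenant class applies the rules described above and raises PermissionError wherever the page says authentication fails; the principal names root, test and test2 and the IDs rg-default, rg-test-a and rg-test-b are constructed stand-ins for the Alibaba Cloud account, the two RAM users and the three resource groups named on this page.

```python
# Added example: a model of the ECI authorization rules this page describes,
# not Alibaba Cloud's own implementation. All IDs are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
DEFAULT_RG = "rg-default"  # constructed ID standing in for the default resource group

@dataclass
class Principal:
    name: str
    is_root: bool = False          # True for the Alibaba Cloud account itself
    allowed_rg: str = DEFAULT_RG   # the single resource group a RAM user is restricted to

@dataclass
class Tenant:
    resource_groups: Set[str]
    ecis: Dict[str, str] = field(default_factory=dict)  # eci_id -> resource group ID

    def create_container_group(self, who: Principal, eci_id: str, rg_id: Optional[str] = None) -> str:
        if who.is_root:
            # Root may use any group; a missing or invalid ID falls back to the default group.
            rg = rg_id if rg_id in self.resource_groups else DEFAULT_RG
        else:
            # A RAM user may omit the ID only if scoped to the default group; any ID it
            # passes must be a valid group that the user is authorized on.
            rg = DEFAULT_RG if rg_id is None else rg_id
            if rg not in self.resource_groups or rg != who.allowed_rg:
                raise PermissionError(f"{who.name} may not create ECIs in {rg!r}")
        self.ecis[eci_id] = rg
        return rg

    def describe_container_groups(self, who: Principal, rg_id: Optional[str] = None) -> List[str]:
        # Root sees all ECIs (or one group; an unknown ID yields []); a RAM user must name its own group.
        if not who.is_root and rg_id != who.allowed_rg:
            raise PermissionError(f"{who.name} must query its own resource group")
        return [e for e, rg in self.ecis.items() if rg_id is None or rg == rg_id]

    def _authorize_eci(self, who: Principal, eci_id: str) -> str:
        rg = self.ecis[eci_id]  # per-ECI calls take no group ID: the ECI's own group is checked
        if not who.is_root and rg != who.allowed_rg:
            raise PermissionError(f"{eci_id} is outside {who.name}'s resource group")
        return rg

    def describe_container_log(self, who: Principal, eci_id: str) -> str:
        self._authorize_eci(who, eci_id)
        return f"<constructed log output for {eci_id}>"

    def delete_container_group(self, who: Principal, eci_id: str) -> str:
        rg = self._authorize_eci(who, eci_id)
        del self.ecis[eci_id]  # deletion removes the ECI from its group automatically
        return rg
```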