Manage resource groups

Last Updated: Aug 15, 2019

Resource groups

A resource group is a set of resources owned by end users. You can use resource groups to manage resources in Alibaba Cloud services such as ECS, RDS, SLB, and ECI.

With resource groups, you can divide resources based on their purposes and manage user permissions.

For example, a company purchases cloud resources by using an Alibaba Cloud account. Some of these resources are used for test environments and some are used for production environments. In this case, resources for different purposes can be added to separate resource groups.

This topic describes how to use ECI resource groups to manage the permissions of RAM user accounts.

Benefits

Without resource groups, the Alibaba Cloud account can only grant RAM user accounts ECI-wide permissions, that is, the permissions to create, modify, and delete all container groups. If you then try to isolate the resources of each RAM user account under the Alibaba Cloud account, conflicts may occur. With resource groups, you can restrict the permissions of a RAM user account to a single resource group: the RAM user can manage only the resources in that resource group, not resources outside it.

API authentication instructions

CreateContainerGroup

Alibaba Cloud account

An Alibaba Cloud account has the highest level of permissions. You can add resources to any resource group under the account. If you do not specify a resource group ID, resources are added to the default resource group.

RAM user account

If the permissions of a RAM user account are restricted to a single resource group, you must specify the resource group ID when you create resources with that RAM user account. The exception is the default resource group: if the RAM user account is granted permissions on the default resource group, you do not have to specify the resource group ID, and the created resources are added to the default resource group. If you specify the resource group ID, the created resources are added to the specified resource group.

If the permissions of the RAM user account are not restricted to a resource group, you can add the resources to the default resource group.

DescribeContainerGroups

Alibaba Cloud account

An Alibaba Cloud account has the highest level of permissions. If you call the DescribeContainerGroups operation by using an Alibaba Cloud account, the information about all resources is returned by default. The operation is not restricted by resource groups.

However, if you specify a resource group ID as a filter condition, the information about all matching resources in that resource group is returned. Only Alibaba Cloud accounts have this permission.

RAM user account

If the permissions of a RAM user account are restricted to a resource group, you must specify that resource group when you query resources; otherwise, the authentication fails. The query is performed only after the resource group has been verified, and only resources in the specified resource group are returned.

DescribeContainerLog

Alibaba Cloud account

An Alibaba Cloud account has the highest level of permissions. You can query the container logs of any container group under the account.

RAM user account

If you call the DescribeContainerLog operation by using a RAM user account, you do not have to specify the resource group ID. If the requested resource belongs to a resource group, the system checks whether the account has permissions on that resource group, and the operation proceeds only if this check succeeds. This prevents unauthorized operations.

DeleteContainerGroup

Alibaba Cloud account

An Alibaba Cloud account has the highest level of permissions. You can delete any resources under the account.

RAM user account

If you call the DeleteContainerGroup operation by using a RAM user account, you do not have to specify the resource group ID. If the requested resource belongs to a resource group, the system checks whether the account has permissions on that resource group, and the operation proceeds only if this check succeeds. This prevents unauthorized operations.

Resource lifecycle management

ECI does not allow you to change the resource group of an existing resource. A resource is added to the specified resource group, or to the default resource group, only when it is created, and it is automatically removed from its resource group when it is deleted.

Scenarios

The following three resource groups exist under an Alibaba Cloud account: the default resource group, test_a, and test_b.

The following two RAM user accounts exist under the Alibaba Cloud account: test and test2. The former has full permissions only on the test_a resource group. The latter has full permissions only on the default resource group.

CreateContainerGroup

Alibaba Cloud account:

  • If you call the CreateContainerGroup operation by using the Alibaba Cloud account and do not specify the resource group ID, the created ECI is added to the default resource group.
  • If you call the CreateContainerGroup operation by using the Alibaba Cloud account and specify a valid resource group ID, the created ECI is added to the specified resource group.
  • If you call the CreateContainerGroup operation by using the Alibaba Cloud account and specify an invalid resource group ID, the created ECI is added to the default resource group.

RAM user account:

  • If you call the CreateContainerGroup operation by using the test account and do not specify the resource group ID, the authentication fails.
  • If you call the CreateContainerGroup operation by using the test account and specify an invalid resource group ID, the authentication fails.
  • If you call the CreateContainerGroup operation by using the test2 account and do not specify the resource group ID, the created ECI is added to the default resource group.
  • If you call the CreateContainerGroup operation by using the test account and specify a valid resource group ID, the created ECI is added to the specified resource group.

DescribeContainerGroups

Alibaba Cloud account:

  • If you call the DescribeContainerGroups operation by using the Alibaba Cloud account and do not specify the resource group ID, the information about all resources is returned.
  • If you call the DescribeContainerGroups operation by using the Alibaba Cloud account and specify a valid resource group ID, the information about the resources in the specified resource group is returned.
  • If you call the DescribeContainerGroups operation by using the Alibaba Cloud account and specify an invalid resource group ID, an empty response is returned.

RAM user account:

  • If you call the DescribeContainerGroups operation by using the test account and do not specify the resource group ID, the authentication fails.
  • If you call the DescribeContainerGroups operation by using the test account and specify an invalid resource group ID, the authentication fails.
  • If you call the DescribeContainerGroups operation by using the test account and specify a valid resource group ID, the information about the resources in the specified resource group is returned.
  • If you call the DescribeContainerGroups operation by using the test account and specify a valid resource group ID, but the requested resource is not in the resource group, an empty response is returned.

DescribeContainerLog

Alibaba Cloud account:

  • You can retrieve the logs of any resources in the default resource group.
  • You can retrieve the logs of any resources in the test_a resource group.

RAM user account:

  • If you call the DescribeContainerLog operation by using the test account to query resources in the resource group owned by the test account, the authentication succeeds.
  • If you call the DescribeContainerLog operation by using the test account to query resources in a resource group that is not owned by the test account, the authentication fails.

DeleteContainerGroup

Alibaba Cloud account:

  • You can delete any resources in the default resource group.
  • You can delete any resources in the test_a resource group.

RAM user account:

  • If you call the DeleteContainerGroup operation by using the test account to delete resources in the resource group owned by the test account, the authentication succeeds.
  • If you call the DeleteContainerGroup operation by using the test account to delete resources in a resource group that is not owned by the test account, the authentication fails.
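The authorization rules from the API authentication instructions and the scenarios above, as an added example that is not part of the original page and not Alibaba Cloud's code: a small Python model of the four operations, evaluated against the page's own scenario (resource groups default, test_a and test_b; RAM users test and test2). The class and function names are hypothetical, and a RAM user with no resource-group restriction is treated like the Alibaba Cloud account, which is an assumption the page does not spell out.

```python
# Added example, not Alibaba Cloud's code: a model of the ECI resource-group
# authorization rules described on this page. Class and function names are
# hypothetical; the resource groups and RAM users come from the page's scenario.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

DEFAULT_GROUP = "default"


class AuthError(Exception):
    """Raised wherever the page says 'the authentication fails'."""


@dataclass
class ContainerGroup:
    name: str
    resource_group: str  # fixed at creation; ECI does not allow changing it


@dataclass
class Principal:
    name: str
    is_root: bool = False  # True for the Alibaba Cloud account itself
    resource_group: Optional[str] = None  # RAM user's single group; None = unrestricted


@dataclass
class EciAccount:
    resource_groups: Set[str]
    container_groups: Dict[str, ContainerGroup] = field(default_factory=dict)

    def _is_valid(self, rg: Optional[str]) -> bool:
        return rg is not None and rg in self.resource_groups

    def _unrestricted(self, who: Principal) -> bool:
        # Assumption: a RAM user without a resource-group restriction behaves
        # like the Alibaba Cloud account; the page only says its resources
        # can be added to the default resource group.
        return who.is_root or who.resource_group is None

    def create_container_group(self, who: Principal, name: str,
                               resource_group_id: Optional[str] = None) -> ContainerGroup:
        if self._unrestricted(who):
            # A missing or invalid ID falls back to the default resource group.
            target = resource_group_id if self._is_valid(resource_group_id) else DEFAULT_GROUP
        else:
            # Restricted RAM user: omitting the ID means the default group, which
            # only works when that is the user's own group (the test2 case).
            target = resource_group_id if resource_group_id is not None else DEFAULT_GROUP
            if not self._is_valid(target) or target != who.resource_group:
                raise AuthError(f"{who.name} may not create resources in {target!r}")
        cg = ContainerGroup(name, target)
        self.container_groups[name] = cg
        return cg

    def describe_container_groups(self, who: Principal,
                                  resource_group_id: Optional[str] = None) -> List[ContainerGroup]:
        if self._unrestricted(who):
            if resource_group_id is None:
                return list(self.container_groups.values())  # not limited by group
            if not self._is_valid(resource_group_id):
                return []  # invalid ID: empty response rather than an error
        elif not self._is_valid(resource_group_id) or resource_group_id != who.resource_group:
            # A restricted RAM user must pass a valid ID for its own group.
            raise AuthError(f"{who.name} must query its own resource group")
        return [cg for cg in self.container_groups.values()
                if cg.resource_group == resource_group_id]

    def _check_access(self, who: Principal, name: str) -> ContainerGroup:
        # DescribeContainerLog and DeleteContainerGroup take no group ID: the
        # resource's own group is checked against the caller's permissions.
        cg = self.container_groups[name]
        if not self._unrestricted(who) and cg.resource_group != who.resource_group:
            raise AuthError(f"{who.name} has no permissions on {cg.resource_group!r}")
        return cg

    def describe_container_log(self, who: Principal, name: str) -> str:
        cg = self._check_access(who, name)
        return f"[{cg.resource_group}] log lines of {cg.name}"  # constructed output

    def delete_container_group(self, who: Principal, name: str) -> None:
        self._check_access(who, name)
        del self.container_groups[name]  # deletion also removes it from its group


def fails_auth(fn: Callable, *args) -> bool:
    """True if the call is rejected with AuthError (used to check the scenario)."""
    try:
        fn(*args)
        return False
    except AuthError:
        return True


def build_scenario():
    """The page's scenario: three resource groups, the root account, two RAM users."""
    account = EciAccount({DEFAULT_GROUP, "test_a", "test_b"})
    root = Principal("alibaba-cloud-account", is_root=True)
    test = Principal("test", resource_group="test_a")
    test2 = Principal("test2", resource_group=DEFAULT_GROUP)
    return account, root, test, test2


if __name__ == "__main__":
    account, root, test, test2 = build_scenario()
    print(account.create_container_group(root, "eci-1").resource_group)  # default
    print(fails_auth(account.create_container_group, test, "eci-2"))  # True
    print(account.create_container_group(test, "eci-3", "test_a").resource_group)  # test_a
    print(fails_auth(account.describe_container_log, test, "eci-1"))  # True
```

The model makes two of the page's points easy to see: a missing or invalid resource group ID is silently mapped to the default group for the Alibaba Cloud account but is an authentication failure for a restricted RAM user, and the log and delete operations never need an ID because the resource's own group is what gets checked.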