Elastic Container Instance (ECI) allows you to manage resources by using resource groups and to manage the permissions of Resource Access Management (RAM) users based on resource groups. ECI also supports tag-based authentication for RAM users: a condition in the RAM policy restricts the ECI actions that the user can perform to the ECI resources that carry the specified tags.

Procedure

  1. Log on to the RAM console. In the left-side navigation pane, click Policies. On the page that appears, set Policy Type to System Policy and enter ECI in the search box.
    Click AliyunECIFullAccess. The following policy document appears:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "eci:*",
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ecs:DescribeSecurityGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVSwitches",
            "vpc:DescribeVpcs",
            "vpc:DescribeEipAddresses"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

    The preceding policy is the system policy that grants full ECI permissions. The eci:* statement covers every ECI action; the other two statements grant only read-only Describe actions on the ECS and VPC resources that ECI depends on.

  2. On the Policies page, click Create Policy. On the page that appears, set Configuration Mode to Script, enter ECI in the search box, and then select AliyunECIFullAccess to load its content as a template. Add a Condition element to the eci:* statement as shown in the following example:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "eci:*",
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "StringEquals": {
              "eci:tag/name": "liumi",
              "eci:tag/env": "test"
            }
          }
        },
        {
          "Action": [
            "ecs:DescribeSecurityGroups"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "vpc:DescribeVSwitches",
            "vpc:DescribeVpcs",
            "vpc:DescribeEipAddresses"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }

    The preceding policy is AliyunECIFullAccess with a tag condition added to the eci:* statement. The keys inside a StringEquals block are combined with AND, so the RAM user to which this policy is attached can manage only the ECI resources that carry both tags: name=liumi and env=test. Change the tag keys and values to fit your business requirements. After the policy is attached, the RAM user has full permissions on the ECI resources that carry the specified tags and no permissions on ECI resources whose tags differ or that have no tags. Two points to keep in mind: the ECS and VPC Describe statements carry no condition, so the user can still list all security groups, vSwitches, VPCs and EIPs in the account; and, as with any tag-based authorization, whoever can change the tags on a resource can move it into or out of this user's scope, so keep tag-editing permissions as tightly scoped as the ECI permissions themselves.

  3. To attach the policy to a RAM user, click Users in the left-side navigation pane. In the user list, find the RAM user for whom you want to set tag-based permissions, or create a new RAM user.

    Click Add Permissions in the Actions column. In the Add Permissions pane, set Select Policy to Custom Policy and select the policy that you created in step 2.
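The three steps above, as an added example that is not part of this page or of Alibaba Cloud's tooling: a Python snippet that derives the tag-conditioned policy from the AliyunECIFullAccess document shown in step 1 and lints the result so that no ECI action is left without a tag condition (the mistake that would hand the user every container group in the account). The policy text is the one on this page; the function names and the lint rule are this example's own.

```python
"""Derive the tag-conditioned ECI policy from AliyunECIFullAccess and lint it.

Added example, not Alibaba Cloud code: mirrors step 2 (copy the system
policy, add a StringEquals tag condition to the eci:* statement) and adds
a check that no ECI action is left unconditioned.
"""
import copy
import json

# AliyunECIFullAccess as displayed in step 1.
ALIYUN_ECI_FULL_ACCESS = {
    "Version": "1",
    "Statement": [
        {"Action": "eci:*", "Resource": "*", "Effect": "Allow"},
        {"Action": ["ecs:DescribeSecurityGroups"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["vpc:DescribeVSwitches", "vpc:DescribeVpcs", "vpc:DescribeEipAddresses"],
         "Resource": "*", "Effect": "Allow"},
    ],
}


def _grants_eci(stmt: dict) -> bool:
    """True for an Allow statement that covers any eci: action ("*" included)."""
    actions = stmt["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return stmt.get("Effect") == "Allow" and any(
        a == "*" or a.startswith("eci:") for a in actions)


def add_tag_condition(policy: dict, tags: dict) -> dict:
    """Return a copy of `policy` in which every ECI-granting statement
    requires all of `tags` (keys inside StringEquals are ANDed)."""
    if not tags:
        raise ValueError("refusing to build an ECI policy without a tag condition")
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if _grants_eci(stmt):
            cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
            for key, value in tags.items():
                cond["eci:tag/" + key] = value
    return scoped


def unconditioned_eci_statements(policy: dict) -> list:
    """Lint: indexes of ECI-granting statements with no eci:tag/ condition.
    Any such statement reaches every ECI resource in the account, tags or not."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if not _grants_eci(stmt):
            continue
        keys = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(k.startswith("eci:tag/") for k in keys):
            flagged.append(i)
    return flagged


def policy_json(policy: dict) -> str:
    """Serialize for pasting into the console or passing to the RAM API."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    scoped = add_tag_condition(ALIYUN_ECI_FULL_ACCESS, {"name": "liumi", "env": "test"})
    # Before: statement 0 is unconditioned; after: nothing is flagged.
    print("unconditioned before:", unconditioned_eci_statements(ALIYUN_ECI_FULL_ACCESS))
    print("unconditioned after: ", unconditioned_eci_statements(scoped))
    print(policy_json(scoped))
```

The lint treats a wildcard Action of "*" the same as eci:*, since either reaches ECI. To create and attach the policy without the console, pass the printed JSON to the RAM API operations CreatePolicy (PolicyName, PolicyDocument) and AttachPolicyToUser (PolicyType=Custom, PolicyName, UserName); with the Alibaba Cloud CLI these are assumed to map to `aliyun ram CreatePolicy --PolicyName <name> --PolicyDocument "$(python3 build_policy.py)"` and `aliyun ram AttachPolicyToUser --PolicyType Custom --PolicyName <name> --UserName <user>` (file name and flag mapping are assumptions; verify them against your CLI version).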

Common scenarios

Taking the RAM user in the preceding steps as an example (a user whose only ECI permissions come from the name=liumi, env=test policy), the expected results are as follows. Except for CreateContainerGroup and DescribeContainerGroups, the operations below take a container group ID, and the condition is checked against the tags of that container group.

CreateContainerGroup

  • If you call the CreateContainerGroup operation without specifying tags, the authentication fails.
  • If you call the CreateContainerGroup operation and specify tags that do not match the authorized tags, the authentication fails. A partial match, such as name=liumi without env=test, also fails because the keys in the condition are ANDed.
  • If you call the CreateContainerGroup operation and specify tags that exactly match the authorized tags, the authentication succeeds.
  • If you call the CreateContainerGroup operation and specify a superset of the authorized tags (the authorized tags plus additional tags), the authentication succeeds.

RestartContainerGroup

  • If the RAM user calls the RestartContainerGroup operation on a container group whose tags do not match the authorized tags, the authentication fails.
  • If the RAM user calls the RestartContainerGroup operation on a container group whose tags match the authorized tags, the authentication succeeds.

ExportContainerGroupTemplate

  • If the RAM user calls the ExportContainerGroupTemplate operation on a container group whose tags do not match the authorized tags, the authentication fails.
  • If the RAM user calls the ExportContainerGroupTemplate operation on a container group whose tags match the authorized tags, the authentication succeeds.

ExecContainerCommand

  • If the RAM user calls the ExecContainerCommand operation on a container group whose tags do not match the authorized tags, the authentication fails.
  • If the RAM user calls the ExecContainerCommand operation on a container group whose tags match the authorized tags, the authentication succeeds.

DescribeContainerLog

  • If the RAM user calls the DescribeContainerLog operation on a container group whose tags do not match the authorized tags, the authentication fails.
  • If the RAM user calls the DescribeContainerLog operation on a container group whose tags match the authorized tags, the authentication succeeds.

DescribeContainerGroups

  • If you call the DescribeContainerGroups operation, do not specify tags, and specify the ID of a container group whose tags do not match the authorized tags, the authentication fails.
  • If you call the DescribeContainerGroups operation, do not specify tags, and specify the ID of a container group whose tags match the authorized tags, the authentication succeeds.
  • If you call the DescribeContainerGroups operation, specify tags that do not match the authorized tags, and do not specify a container group ID, the authentication fails.
  • If you call the DescribeContainerGroups operation, specify tags that match the authorized tags, and do not specify a container group ID, the authentication succeeds and only the container groups that carry those tags are returned.
  • If you call the DescribeContainerGroups operation and specify both tags and a container group ID, the tags of the specified container group are used for authentication; the tags in the request are used only to filter the result.
  • If you call the DescribeContainerGroups operation and specify neither tags nor a container group ID, the authentication fails even if you specify other filter conditions. In the console, specify tags when you list container groups.
Note: If the authentication fails, the operation returns an empty result instead of an error. An empty list therefore cannot be distinguished from "no matching container groups" by the response alone; when a RAM user unexpectedly sees no instances, check the tag condition of the attached policy before concluding that the instances do not exist.

UpdateContainerGroup

  • If you call the UpdateContainerGroup operation on an ECI instance whose tags do not match the authorized tags, the authentication fails.
  • If you call the UpdateContainerGroup operation on an ECI instance whose tags match the authorized tags and you do not change the tags, the authentication succeeds.
  • If you call the UpdateContainerGroup operation on an ECI instance whose tags match the authorized tags and you change the tags to tags for which you have no permissions, the authentication fails.
  • If you call the UpdateContainerGroup operation on an ECI instance whose tags match the authorized tags and you change the tags to tags for which you have permissions, the authentication succeeds.
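The rules listed under Common scenarios, including the UpdateContainerGroup case, as an added example that is not part of this page or of RAM itself: a small Python model that encodes the rules so the outcomes can be checked offline, for example before granting a user a second tag set. The two policy documents are the ones on this page (the step 2 policy and the liumi2/pre policy from Example 2 below); the container group inventory, the instance IDs and the function names are constructed for the example, and the model assumes that a DescribeContainerGroups tag filter is authorized by the same superset rule as CreateContainerGroup.

```python
"""Model of the ECI tag-based authorization rules listed under Common scenarios.

Added example: a hand-written simulation of the listed outcomes, not the
RAM policy engine. Policy documents use the structure shown on this page;
the container group inventory is constructed test data.
"""
from typing import Dict, Iterable, List, Optional

Tags = Dict[str, str]

# Policy from step 2 (name=liumi, env=test) and the second policy from Example 2.
POLICY_TEST = {
    "Version": "1",
    "Statement": [
        {"Action": "eci:*", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"eci:tag/name": "liumi", "eci:tag/env": "test"}}},
    ],
}
POLICY_PRE = {
    "Version": "1",
    "Statement": [
        {"Action": "eci:*", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"eci:tag/name": "liumi2", "eci:tag/env": "pre"}}},
    ],
}

# Constructed inventory: container group ID -> tags on that instance.
INVENTORY = {
    "eci-a": {"name": "liumi", "env": "test"},
    "eci-b": {"name": "liumi", "env": "prod"},
    "eci-c": {"name": "liumi2", "env": "pre"},
}


def authorized_tag_sets(policies: Iterable[dict]) -> List[Tags]:
    """One required tag set per Allow statement that grants an eci: action.

    Keys inside a StringEquals block are ANDed, so a block is one tag set;
    separate statements or separate policies are alternatives (ORed).
    """
    sets: List[Tags] = []
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if stmt.get("Effect") != "Allow":
                continue
            if not any(a == "*" or a.startswith("eci:") for a in actions):
                continue
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            sets.append({k[len("eci:tag/"):]: v for k, v in cond.items()
                         if k.startswith("eci:tag/")})
    return sets


def tags_allowed(tags: Optional[Tags], allowed: List[Tags]) -> bool:
    """True when `tags` carries every key/value of at least one allowed set.

    Extra tags are fine (the superset rule); a missing or partial tag set
    never satisfies a conditioned statement.
    """
    tags = tags or {}
    return any(all(tags.get(k) == v for k, v in s.items()) for s in allowed)


def can_create(policies, request_tags: Optional[Tags]) -> bool:
    """CreateContainerGroup: the tags in the request decide."""
    return tags_allowed(request_tags, authorized_tag_sets(policies))


def can_operate(policies, resource_tags: Tags) -> bool:
    """RestartContainerGroup, ExecContainerCommand, DescribeContainerLog,
    ExportContainerGroupTemplate: the tags on the target instance decide."""
    return tags_allowed(resource_tags, authorized_tag_sets(policies))


def describe_container_groups(policies, inventory: Dict[str, Tags],
                              resource_id: Optional[str] = None,
                              filter_tags: Optional[Tags] = None) -> List[str]:
    """DescribeContainerGroups. A failed check yields [] rather than an error."""
    allowed = authorized_tag_sets(policies)
    if resource_id is not None:
        # With an ID, the instance's own tags are authorized; request tags only filter.
        tags = inventory.get(resource_id)
        if tags is None or not tags_allowed(tags, allowed):
            return []
        if filter_tags and any(tags.get(k) != v for k, v in filter_tags.items()):
            return []
        return [resource_id]
    if not filter_tags:
        return []  # neither tags nor ID: denied even with other filters
    if not tags_allowed(filter_tags, allowed):
        return []
    return [rid for rid, tags in inventory.items()
            if all(tags.get(k) == v for k, v in filter_tags.items())]


def can_update(policies, current_tags: Tags, new_tags: Optional[Tags] = None) -> bool:
    """UpdateContainerGroup: the current tags must be allowed and, when the
    tags are replaced, the new tags must be allowed as well."""
    allowed = authorized_tag_sets(policies)
    if not tags_allowed(current_tags, allowed):
        return False
    return new_tags is None or tags_allowed(new_tags, allowed)
```

Passing only POLICY_TEST to can_update with new tags liumi2/pre reproduces the failing third bullet; passing both policies reproduces the fourth. The model also shows why the empty DescribeContainerGroups result is ambiguous: the function returns [] both for a denied request and for a filter that simply matches nothing.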

The last two cases need care: to change the tags of an instance, the RAM user must have permissions on both the existing tags and the new tags. The following two examples show how such permissions might be granted; only the second is recommended.

Example 1: Add the second tag set to the condition of the existing policy (not recommended).

{
  "Version": "1",
  "Statement": [
    {
      "Action": "eci:*",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "eci:tag/name": "liumi",
          "eci:tag/env": "test",
          "eci:tag/name": "liumi2",
          "eci:tag/env": "pre"
        }
      }
    },
    {
      "Action": [
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs",
        "vpc:DescribeEipAddresses"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

This method does not work as intended. A StringEquals block is a JSON object, so each key can appear only once; the repeated eci:tag/name and eci:tag/env keys do not add a second tag set, they overwrite the first, so the policy narrows to name=liumi2, env=pre and the user loses access to the name=liumi, env=test resources (the original tags no longer match). Listing several values per key instead (liumi and liumi2 for name, test and pre for env) would not express the intent either: keys in one block are ANDed while the values of a key are ORed, so that form would also authorize the mixed combinations liumi/pre and liumi2/test. We recommend the following method.

Example 2: Create a second policy for the new tag set and attach it to the RAM user in addition to the first.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "eci:*",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "eci:tag/name": "liumi2",
          "eci:tag/env": "pre"
        }
      }
    },
    {
      "Action": [
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs",
        "vpc:DescribeEipAddresses"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
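Equivalent to attaching the two policies of Example 2, here as an added example rather than one of the page's own policies: both tag sets in a single custom policy, each in its own Allow statement with its own Condition. Statements are evaluated independently, so either tag set grants eci:*, and each StringEquals block keeps its keys unique, which is what the single block in Example 1 could not do. Use this form when you prefer one document per user; the effect on the scenarios above is the same as attaching both policies.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "eci:*",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "eci:tag/name": "liumi",
          "eci:tag/env": "test"
        }
      }
    },
    {
      "Action": "eci:*",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "eci:tag/name": "liumi2",
          "eci:tag/env": "pre"
        }
      }
    },
    {
      "Action": [
        "ecs:DescribeSecurityGroups"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs",
        "vpc:DescribeEipAddresses"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

Whichever form you choose, re-check the policy for ECI-granting statements that carry no tag condition; one such statement silently widens the user to every container group in the account.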