
Perform tag-based authentication

Last Updated: Aug 15, 2019

Elastic Container Instance (ECI) lets you organize resources into resource groups and supports resource-group-based authentication for RAM user accounts. ECI now also supports a second authentication method for RAM user accounts: tag-based authentication.

How to perform tag-based authentication?

  1. Log on to the RAM console. In the left-side navigation pane, click Policies. On the page that appears, click System Policy and enter ECI in the search box. Click AliyunECIFullAccess. Content similar to the following is displayed:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "eci:*",
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeEipAddresses"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

The preceding policy is the system-generated policy that grants full permissions on ECI.

  2. Click Create Authorization Policy and select AliyunECIFullAccess as the template. Modify the policy as shown in the following example:

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "eci:*",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "eci:tag/name": "liumi",
                        "eci:tag/env": "test"
                    }
                }
            },
            {
                "Action": [
                    "ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeEipAddresses"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

The preceding policy adds tag conditions to the AliyunECIFullAccess policy. A RAM user to which this policy is attached can manage only the ECI resources that carry both tags name=liumi and env=test. Change the tag keys and values to suit your needs. After the policy is attached, the RAM user account has full permissions on the ECI resources that carry the specified tags and cannot manage ECI resources whose tags differ from those specified.

  3. To apply the policy to a RAM user account, click Users in the left-side navigation pane. From the list, select the RAM user account for which you want to set tag permissions, or create a new user. In the left-side navigation pane, click User Authorization Policies. Click Edit Authorization Policy in the upper-right corner. In the dialog box that appears, select the tag policy that you created.

Scenarios:

Taking the RAM user account in the preceding steps as an example, the expected results are as follows:

CreateContainerGroup

  • If you call the CreateContainerGroup operation and do not specify tags, the authentication fails.
  • If you call the CreateContainerGroup operation and specify tags that do not match the authorized tags, the authentication fails.
  • If you call the CreateContainerGroup operation and specify tags that match the authorized tags, the authentication succeeds.
  • If you call the CreateContainerGroup operation and specify tags that contain the authorized tags, the authentication succeeds.

RestartContainerGroup

  • If you call the RestartContainerGroup operation by using the Alibaba Cloud account and specify tags that do not match the authorized tags, the authentication fails.
  • If you call the RestartContainerGroup operation by using the Alibaba Cloud account and specify tags that match the authorized tags, the authentication succeeds.
  • If you call the RestartContainerGroup operation by using the RAM user account and specify tags that match the authorized tags, the authentication succeeds.

ExportContainerGroupTemplate

  • If you call the ExportContainerGroupTemplate operation by using the Alibaba Cloud account and specify tags that do not match the authorized tags, the authentication fails.
  • If you call the ExportContainerGroupTemplate operation by using the Alibaba Cloud account and specify tags that match the authorized tags, the authentication succeeds.
  • If you call the ExportContainerGroupTemplate operation by using the RAM user account and specify tags that match the authorized tags, the authentication succeeds.

ExecContainerCommand

  • If you call the ExecContainerCommand operation by using the Alibaba Cloud account and specify tags that do not match the authorized tags, the authentication fails.
  • If you call the ExecContainerCommand operation by using the Alibaba Cloud account and specify tags that match the authorized tags, the authentication succeeds.
  • If you call the ExecContainerCommand operation by using the RAM user account and specify tags that match the authorized tags, the authentication succeeds.

DescribeContainerLog

  • If you call the DescribeContainerLog operation by using the Alibaba Cloud account and specify tags that do not match the authorized tags, the authentication fails.
  • If you call the DescribeContainerLog operation by using the Alibaba Cloud account and specify tags that match the authorized tags, the authentication succeeds.
  • If you call the DescribeContainerLog operation by using the RAM user account and specify tags that match the authorized tags, the authentication succeeds.

DescribeContainerGroups

  • If you do not specify tags and you specify a resource ID whose tags do not match the authorized tags, the authentication fails.
  • If you do not specify tags and you specify a resource ID whose tags match the authorized tags, the authentication succeeds.
  • If you specify tags that do not match the authorized tags and you do not specify a resource ID, the authentication fails.
  • If you specify tags that match the authorized tags and you do not specify a resource ID, the authentication succeeds.
  • If you specify both tags and a resource ID, the specified tags are used only as filtering conditions and the tags of the resource ID are used for authentication.
  • If you do not specify tags or a resource ID, the authentication fails even if you specify other filtering conditions. In this case, you need to specify tags in the console.

Note: If the authentication fails, the operation returns an empty result instead of an error.

UpdateContainerGroup

  • If you update a container group whose tags do not match the authorized tags, the authentication fails.
  • If you update a container group whose tags match the authorized tags and you do not update the tags of the ECI, the authentication succeeds.
  • If you update a container group whose tags match the authorized tags, you update the tags of the ECI, and you have no permissions on the new tags, the authentication fails.
  • If you update a container group whose tags match the authorized tags, you update the tags of the ECI, and you have permissions on the new tags, the authentication succeeds.

This is the most involved case.

If you want to update tags, you must have permissions on both the existing tags and the updated tags. How do you make sure that you have permissions on both?

The following two examples show the possible approaches.

Example 1: add two tags to the existing permissions.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "eci:*",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "eci:tag/name": "liumi",
                        "eci:tag/env": "test",
                        "eci:tag/name": "liumi2",
                        "eci:tag/env": "pre"
                    }
                }
            },
            {
                "Action": [
                    "ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeEipAddresses"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }

This approach is not recommended: adding the second tag set to the same condition block reduces the scope of the permissions and causes tag mismatches. We recommend the following approach instead.

Example 2: add separate permissions to the RAM user account.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": "eci:*",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "eci:tag/name": "liumi2",
                        "eci:tag/env": "pre"
                    }
                }
            },
            {
                "Action": [
                    "ecs:DescribeSecurityGroups"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches",
                    "vpc:DescribeVpcs",
                    "vpc:DescribeEipAddresses"
                ],
                "Resource": "*",
                "Effect": "Allow"
            }
        ]
    }
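The following Python script is an added example, not part of this document or of the RAM service, that models how the tag conditions in the policies above decide the scenarios listed earlier (CreateContainerGroup with no tags, mismatched tags, matching tags, a superset of tags, and the UpdateContainerGroup case) and why Example 1 is discouraged while Example 2 works. It assumes a simplified evaluation model: an Allow statement applies when its action matches and every eci:tag/<key> in StringEquals equals the request tag of that key (AND across keys, extra request tags ignored), attached policies are unioned, and anything not explicitly allowed is denied. The policy documents are constructed from the page's examples, trimmed to the eci:* statement because the ecs/vpc Describe statements carry no tag condition.

```python
import json

# Constructed policy documents, trimmed to the eci:* statement of the page's
# examples. Tag values are the page's illustrative ones (liumi/test, liumi2/pre).
POLICY_BASE = """{
  "Version": "1",
  "Statement": [{
    "Action": "eci:*", "Resource": "*", "Effect": "Allow",
    "Condition": {"StringEquals": {"eci:tag/name": "liumi", "eci:tag/env": "test"}}
  }]
}"""

# Example 1 on the page: the second tag set is added to the same StringEquals
# block, which produces duplicate JSON keys.
POLICY_EXAMPLE1 = """{
  "Version": "1",
  "Statement": [{
    "Action": "eci:*", "Resource": "*", "Effect": "Allow",
    "Condition": {"StringEquals": {"eci:tag/name": "liumi", "eci:tag/env": "test",
                                   "eci:tag/name": "liumi2", "eci:tag/env": "pre"}}
  }]
}"""

# Example 2 on the page: a separate policy for the second tag set, meant to be
# attached to the RAM user alongside POLICY_BASE.
POLICY_EXAMPLE2 = """{
  "Version": "1",
  "Statement": [{
    "Action": "eci:*", "Resource": "*", "Effect": "Allow",
    "Condition": {"StringEquals": {"eci:tag/name": "liumi2", "eci:tag/env": "pre"}}
  }]
}"""

TAG_PREFIX = "eci:tag/"


def statement_tag_conditions(stmt):
    """Tag key/value pairs a statement requires, as they survive JSON parsing.
    json.loads keeps the LAST value of a duplicated key, which is how Example 1
    silently drops name=liumi / env=test."""
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return {k[len(TAG_PREFIX):]: v for k, v in cond.items() if k.startswith(TAG_PREFIX)}


def effective_tag_conditions(policy_json):
    """One dict of required tags per statement in the policy document."""
    return [statement_tag_conditions(s) for s in json.loads(policy_json)["Statement"]]


def action_matches(pattern, action):
    # "eci:*"-style wildcard is a prefix match; otherwise the action must be exact.
    return action.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == action


def is_allowed(policies, action, request_tags):
    """Assumed simplified RAM model: union of attached policies, Allow only when
    the action matches and every required tag equals the request's tag value
    (AND across keys; extra request tags are ignored). Default is deny."""
    for policy_json in policies:
        for stmt in json.loads(policy_json)["Statement"]:
            actions = stmt["Action"]
            actions = [actions] if isinstance(actions, str) else actions
            if stmt.get("Effect") != "Allow" or not any(action_matches(a, action) for a in actions):
                continue
            required = statement_tag_conditions(stmt)
            if all(request_tags.get(k) == v for k, v in required.items()):
                return True
    return False


def update_allowed(policies, current_tags, new_tags):
    """UpdateContainerGroup scenario: the caller needs permission on the group's
    existing tags and, when the tags change, on the new tags as well."""
    return (is_allowed(policies, "eci:UpdateContainerGroup", current_tags)
            and is_allowed(policies, "eci:UpdateContainerGroup", new_tags))


if __name__ == "__main__":
    base = [POLICY_BASE]
    for tags in ({}, {"name": "liumi", "env": "prod"}, {"name": "liumi", "env": "test"},
                 {"name": "liumi", "env": "test", "team": "infra"}):
        print("CreateContainerGroup", tags, "->", is_allowed(base, "eci:CreateContainerGroup", tags))
    print("Example 1 effective conditions:", effective_tag_conditions(POLICY_EXAMPLE1))
    print("Example 2 update liumi/test -> liumi2/pre:",
          update_allowed([POLICY_BASE, POLICY_EXAMPLE2],
                         {"name": "liumi", "env": "test"}, {"name": "liumi2", "env": "pre"}))
```

Running the script shows that Example 1 collapses to a single condition set (name=liumi2, env=pre) after parsing, so the original liumi/test resources become unmanageable, while attaching Example 2 as a second policy keeps both tag sets authorized and lets an update from one tag set to the other succeed.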