
Use tags to control the permissions of a RAM user

Last Updated: Aug 09, 2021

After you add tags to elastic container instances, you can group the instances and implement access control over them based on the tags. This topic describes how to use tags to restrict the operation permissions of a Resource Access Management (RAM) user to the instances that have specific tags.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

By default, RAM users to whom the AliyunECIFullAccess system policy is attached can call API operations to perform operations on all elastic container instances. If you want a RAM user to be able to perform operations only on specific elastic container instances, you can create and attach a custom policy to restrict the operation permissions of the RAM user to the elastic container instances that have specified tags.

Procedure

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. Configure the parameters to create a custom policy.

    1. Enter a name for the custom policy.

    2. Set Configuration Mode to Script.

    3. Import the AliyunECIFullAccess policy and modify the policy based on your needs.

      For example, you can add tags as conditions to restrict the operation permissions to the elastic container instances that have the specified tags. Sample policy:

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "eci:*",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "eci:tag/name": "eci",
                          "eci:tag/env": "test"
                      }
                  }
              },
              {
                  "Action": [
                      "ecs:DescribeSecurityGroups"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "vpc:DescribeVSwitches",
                      "vpc:DescribeVpcs",
                      "vpc:DescribeEipAddresses"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "ram:ServiceName": "eci.aliyuncs.com"
                      }
                  }
              }
          ]
      }
      Note

      You can add one or more tags. If you add multiple tags, the operation permissions are restricted to the elastic container instances that each have all the specified tags. For example, the preceding policy states that elastic container instances must have both the name:eci and env:test tags.

    4. Click OK.

  5. In the left-side navigation pane, choose Identities > Users.

  6. On the Users page, find the RAM user and click Add Permissions in the Actions column.

  7. In the Add Permissions panel, select the custom policy that you created and click OK.

    After the policy is attached to the RAM user, the user can perform operations only on the elastic container instances that have the tags specified in the policy.

Check whether the custom policy has taken effect

If the custom policy has taken effect, different results occur when you call the following API operations as the RAM user.

  • CreateContainerGroup

    • When you call the CreateContainerGroup operation, the authentication fails if the request contains no tags or if the tags contained in the request do not include all of the tags specified in the custom policy.

    • When you call the CreateContainerGroup operation, the authentication succeeds if the tags contained in the request fully match or include those specified in the custom policy.

  • RestartContainerGroup, ExecContainerCommand, or DescribeContainerLog

    • When you call the RestartContainerGroup, ExecContainerCommand, or DescribeContainerLog operation, the authentication fails if the tags contained in the request do not match those specified in the custom policy.

    • When you call the RestartContainerGroup, ExecContainerCommand, or DescribeContainerLog operation, the authentication succeeds if the tags contained in the request match those specified in the custom policy.

  • DescribeContainerGroups

    • If you specify instance IDs but no tags in your request to call the DescribeContainerGroups operation, the request is authenticated based on the tags of the specified instances. If the tags of the instances match those specified in the custom policy, the authentication succeeds. If the tags of the instances do not match those specified in the custom policy, the authentication fails.

    • If you specify tags but no instance IDs in your request to call the DescribeContainerGroups operation, the request is authenticated based on the specified tags. If the specified tags match those specified in the custom policy, the authentication succeeds. If the specified tags do not match those specified in the custom policy, the authentication fails.

    • If you specify tags and instance IDs in your request to call the DescribeContainerGroups operation, the request is authenticated based on the tags of the specified instances and the specified tags are used only as filter conditions.

    • If you do not specify tags or instance IDs in your request to call the DescribeContainerGroups operation, the authentication fails.

    Note

    If the authentication fails, the operation returns an empty response instead of an error.

  • UpdateContainerGroup

    • When you call the UpdateContainerGroup operation, the authentication fails if the tags contained in the request do not match those specified in the custom policy.

    • When you call the UpdateContainerGroup operation to update instance information other than tags, the authentication succeeds if the tags contained in the request match those specified in the custom policy.

    • When you call the UpdateContainerGroup operation to update instance tags, the request is authenticated based on the specified new tags. If the new tags match the tags specified in a custom policy of the RAM user, the authentication succeeds. If the new tags do not match the tags specified in all custom policies of the RAM user, the authentication fails.

      Note

      If you want to update instance tags, make sure that the RAM user has permissions on both the original and new tags. You must attach one custom policy containing the original tags and another custom policy containing the new tags to the RAM user.
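As an added illustration of the sample policy and of the authentication rules listed above (not Alibaba Cloud's own evaluation code), the following Python models how the eci:tag/* conditions gate a request: every tag in the condition must be present in the request with the same value, extra tags are fine, and DescribeContainerGroups is authenticated on instance tags when IDs are given, on request tags when only tags are given, and fails (empty result) when neither is given. It assumes a simplified RAM evaluation (Allow statements only, StringEquals conditions) and a constructed instance inventory.

```python
import fnmatch
import json

# The tag-carrying statement of the sample policy from this page (the other
# statements carry no eci:tag/* conditions and are omitted here).
SAMPLE_POLICY = json.loads("""{"Version": "1", "Statement": [{
    "Action": "eci:*", "Resource": "*", "Effect": "Allow",
    "Condition": {"StringEquals": {"eci:tag/name": "eci", "eci:tag/env": "test"}}}]}""")

TAG_PREFIX = "eci:tag/"

def tag_conditions(statement):
    """Return {tag_key: [allowed values]} from a statement's StringEquals block."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    out = {}
    for key, val in cond.items():
        if key.startswith(TAG_PREFIX):
            out[key[len(TAG_PREFIX):]] = [val] if isinstance(val, str) else list(val)
    return out

def action_matches(pattern, action):
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def is_allowed(policy, action, tags):
    """Simplified model: allowed if some Allow statement matches the action and
    every eci:tag/* condition it carries is satisfied by the given tags.
    Extra tags are fine; a missing or mismatching condition tag fails."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not action_matches(stmt["Action"], action):
            continue
        if all(tags.get(k) in vals for k, vals in tag_conditions(stmt).items()):
            return True
    return False

def describe_container_groups(policy, instance_ids, request_tags, inventory):
    """DescribeContainerGroups rule: IDs present -> authenticate on the instances'
    own tags and use request tags only as a filter; only tags -> authenticate on
    the request tags; neither -> fail. Failure yields [] rather than an error.
    `inventory` is a constructed {instance_id: tags} map standing in for ECI."""
    action = "eci:DescribeContainerGroups"
    if instance_ids:
        if not all(is_allowed(policy, action, inventory.get(i, {})) for i in instance_ids):
            return []
        return [i for i in instance_ids if request_tags.items() <= inventory[i].items()]
    if request_tags:
        if not is_allowed(policy, action, request_tags):
            return []
        return [i for i, t in inventory.items() if request_tags.items() <= t.items()]
    return []
```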