This topic describes how to use Resource Access Management (RAM) policies to control the access of RAM users to Alibaba Cloud resources. An Alibaba Cloud account can create and manage multiple RAM users. To give different RAM users different permissions, attach different policies to them; each RAM user can then access only the Alibaba Cloud resources that its policies allow. Use the AccessKey pair of a RAM user for day-to-day access so that the AccessKey pair of the Alibaba Cloud account itself is never distributed and cannot be leaked. Grant each RAM user only the permissions it needs (least privilege) to reduce the impact of a compromised or misused credential.
Prerequisites
Background information
- System policies: the default permission policies that are provided by Alibaba Cloud. The following system policies are commonly used in Apsara File Storage NAS. You can attach the policies to RAM users based on your business requirements.
  - AliyunNASFullAccess: authorizes a RAM user to manage NAS file systems
  - AliyunNASReadOnlyAccess: authorizes a RAM user to view NAS file systems
- Custom policies: the permission policies that are customized. The custom policies allow you to perform more fine-grained and flexible access control. For more information about how to create custom policies, see Create a custom policy.
Attach a custom policy to a RAM user
By default, a RAM user or group has no permissions. You must grant permissions to the RAM user or group before the RAM user or group can be used to perform operations in the console or call API operations.
Example 1: Grant the permissions on a file system to the RAM user
- The following sample code shows how to authorize the RAM user to modify a single file system. The Resource element pins the permission to one file system ID; the RAM user cannot modify any other file system:
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:DescribeFileSystems",
"nas:ModifyFileSystem"
],
"Resource": "acs:nas:*:*:filesystem/07d0b4****"
}],
"Version": "1"
}
- The following sample code shows how to authorize the RAM user to view all file systems:
{
"Statement": [{
"Effect": "Allow",
"Action": "nas:DescribeFileSystems",
"Resource": "*"
}],
"Version": "1"
}
- The following sample code shows how to grant the RAM user full access to a file system. The second and third statements are not scoped to the file system: creating a mount target references a vSwitch in the VPC, and the console reads monitoring data from CloudMonitor (cms), so these statements are required for the user to work with the file system in the console. They grant only CreateMountTarget on vSwitches and read-only (Describe*) access to CloudMonitor:
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:*"
],
"Resource": [
"acs:nas:*:*:filesystem/07d0b4****"
]
},
{
"Effect": "Allow",
"Action": "nas:CreateMountTarget",
"Resource": [
"acs:vpc:*:*:vswitch/*"
]
},
{
"Effect": "Allow",
"Action": "cms:Describe*",
"Resource": "*"
}
],
"Version": "1"
}
Example 2: Grant the permissions on the mount targets of a file system to the RAM user
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:CreateMountTarget",
"nas:DescribeMountTargets",
"nas:ModifyMountTarget",
"nas:DeleteMountTarget"
],
"Resource": [
"acs:nas:*:*:filesystem/07d0b4****",
"acs:vpc:*:*:vswitch/*"
]
}],
"Version": "1"
}
Example 3: Grant the permissions on the permission groups of a file system to the RAM user
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:CreateAccessGroup",
"nas:DescribeAccessGroups",
"nas:ModifyAccessGroup",
"nas:DeleteAccessGroup",
"nas:CreateAccessRule",
"nas:DescribeAccessRules",
"nas:ModifyAccessRule",
"nas:DeleteAccessRule"
],
"Resource": "acs:nas:*:*:accessgroup/*"
}],
"Version": "1"
}
Example 4: Grant the permissions to view the metrics of a file system to the RAM user
{
"Statement": [{
"Effect": "Allow",
"Action": "cms:Describe*",
"Resource": "*"
}],
"Version": "1"
}
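The examples above are easiest to reason about when you can check, before attaching a policy, exactly which action and resource combinations it permits. The following script is an added example (not Alibaba Cloud code and not from this documentation) that models the core RAM evaluation rules: default deny, an explicit Deny beats any Allow, and `*` in Action or Resource matches any run of characters. It evaluates a constructed copy of the Example 1 "full access to one file system" policy and a constructed, deliberately over-broad `nas:*` on `*` policy, and flags statements that grant a whole service on all resources. Condition elements are rejected rather than guessed at, and matching is case-sensitive; both are assumptions of this example, as are the sample region, account ID and resource IDs.

```python
"""Evaluate and lint RAM-style policy documents (added example, not Alibaba code).

Modelled rules (assumptions of this example): default deny; an explicit Deny
overrides any Allow; '*' in Action/Resource matches any run of characters;
Condition elements are not modelled and raise. Matching is case-sensitive.
"""
import fnmatch
from typing import Dict, List, Union

Policy = Dict[str, Union[str, list]]

# Constructed copy of the page's Example 1 "full access to one file system" policy.
FULL_ACCESS_TO_ONE_FS: Policy = {
    "Statement": [
        {"Effect": "Allow", "Action": ["nas:*"],
         "Resource": ["acs:nas:*:*:filesystem/07d0b4****"]},
        {"Effect": "Allow", "Action": "nas:CreateMountTarget",
         "Resource": ["acs:vpc:*:*:vswitch/*"]},
        {"Effect": "Allow", "Action": "cms:Describe*", "Resource": "*"},
    ],
    "Version": "1",
}

# Constructed anti-pattern: whole-service admin on every resource, with a
# guard-rail Deny that must win over the Allow regardless of statement order.
SERVICE_ADMIN_WITH_DENY: Policy = {
    "Statement": [
        {"Effect": "Allow", "Action": "nas:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "nas:DeleteFileSystem", "Resource": "*"},
    ],
    "Version": "1",
}


def _as_list(value: Union[str, list]) -> list:
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str) -> bool:
    """RAM wildcard match: '*' is the only metacharacter, everything else is literal.

    fnmatch also treats '?' and '[' specially, so escape them before matching.
    """
    escaped = pattern.replace("[", "[[]").replace("?", "[?]")
    return fnmatch.fnmatchcase(value, escaped)


def is_allowed(policy: Policy, action: str, resource: str) -> bool:
    """Return True only if some Allow matches and no Deny matches (default deny)."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Condition" in stmt:
            raise ValueError("Condition elements are not modelled by this example")
        action_hit = any(_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed


def broad_statements(policy: Policy) -> List[int]:
    """Indexes of Allow statements granting '*' or '<service>:*' on Resource '*'.

    This is the shape least privilege tells you to avoid: prefer the scoped
    file-system, mount-target and permission-group examples on this page.
    """
    found = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        wide_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"]))
        wide_resource = any(r == "*" for r in _as_list(stmt["Resource"]))
        if wide_action and wide_resource:
            found.append(index)
    return found


if __name__ == "__main__":
    # Constructed sample ARNs: region, account ID and file system IDs are made up.
    scoped_fs = "acs:nas:cn-hangzhou:123456789012:filesystem/07d0b4abcd"
    other_fs = "acs:nas:cn-hangzhou:123456789012:filesystem/deadbeef01"
    for act, res in [("nas:DeleteFileSystem", scoped_fs),
                     ("nas:DeleteFileSystem", other_fs),
                     ("cms:DescribeMetricList", "acs:cms:*:*:*"),
                     ("cms:PutCustomMetric", "acs:cms:*:*:*")]:
        print(f"{act:24s} {res}: {is_allowed(FULL_ACCESS_TO_ONE_FS, act, res)}")
    print("over-broad statements in admin policy:", broad_statements(SERVICE_ADMIN_WITH_DENY))
```

Run it against a policy document you are about to attach and against the action/resource pairs in the authentication list below; any unexpected True, or any index returned by `broad_statements`, is a reason to tighten the Resource element before the policy goes live.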
Authentication list
Each row lists the API operation, the Action value to reference in a policy, and the format of the resource that the action is scoped to. Replace <region>, <account-id> and the ID placeholders with real values, or use `*` to match all values (as the examples above do).

Category | API | Action | Resource | Description
---|---|---|---|---
File system | CreateFileSystem | nas:CreateFileSystem | acs:nas:<region>:<account-id>:filesystem/* | Creates a file system.
File system | DeleteFileSystem | nas:DeleteFileSystem | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Deletes a file system.
File system | ModifyFileSystem | nas:ModifyFileSystem | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Modifies a file system.
File system | DescribeFileSystems | nas:DescribeFileSystems | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Queries file systems.
Mount target | CreateMountTarget | nas:CreateMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> and acs:vpc:<region>:<account-id>:vswitch/<vswitchid> | Creates a mount target.
Mount target | DeleteMountTarget | nas:DeleteMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Deletes a mount target.
Mount target | ModifyMountTarget | nas:ModifyMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Modifies a mount target.
Mount target | DescribeMountTargets | nas:DescribeMountTargets | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Queries the mount targets of a file system.
Permission group | CreateAccessGroup | nas:CreateAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Creates a permission group.
Permission group | DeleteAccessGroup | nas:DeleteAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Deletes a permission group.
Permission group | ModifyAccessGroup | nas:ModifyAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Modifies a permission group.
Permission group | DescribeAccessGroups | nas:DescribeAccessGroups | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Queries permission groups.
Permission group | CreateAccessRule | nas:CreateAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Creates a rule.
Permission group | DeleteAccessRule | nas:DeleteAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Deletes a rule.
Permission group | ModifyAccessRule | nas:ModifyAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Modifies a rule.
Permission group | DescribeAccessRules | nas:DescribeAccessRules | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Queries the rules of a permission group.
Snapshots for Extreme NAS file systems | ApplyAutoSnapshotPolicy | nas:ApplyAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Applies an automatic snapshot policy to one or more file systems.
Snapshots for Extreme NAS file systems | CancelAutoSnapshotPolicy | nas:CancelAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Removes automatic snapshot policies from file systems.
Snapshots for Extreme NAS file systems | CreateAutoSnapshotPolicy | nas:CreateAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Creates an automatic snapshot policy.
Snapshots for Extreme NAS file systems | DeleteAutoSnapshotPolicy | nas:DeleteAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Deletes an automatic snapshot policy.
Snapshots for Extreme NAS file systems | ModifyAutoSnapshotPolicy | nas:ModifyAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Modifies an automatic snapshot policy.
Snapshots for Extreme NAS file systems | DescribeAutoSnapshotPolicies | nas:DescribeAutoSnapshotPolicies | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries the details of automatic snapshot policies.
Snapshots for Extreme NAS file systems | CreateSnapshot | nas:CreateSnapshot | acs:nas:<region>:<account-id>:snapshot/* | Creates a snapshot.
Snapshots for Extreme NAS file systems | DeleteSnapshot | nas:DeleteSnapshot | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Deletes a snapshot.
Snapshots for Extreme NAS file systems | DescribeAutoSnapshotTasks | nas:DescribeAutoSnapshotTasks | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries the details of automatic snapshot tasks.
Snapshots for Extreme NAS file systems | DescribeSnapshots | nas:DescribeSnapshots | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries all snapshots of a file system.
Snapshots for Extreme NAS file systems | ResetFileSystem | nas:ResetFileSystem | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Restores a file system from a snapshot.
Lifecycle management | CreateLifecyclePolicy | nas:CreateLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Creates a lifecycle management policy.
Lifecycle management | ModifyLifecyclePolicy | nas:ModifyLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Modifies a lifecycle management policy.
Lifecycle management | DeleteLifecyclePolicy | nas:DeleteLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Deletes a lifecycle management policy.
Lifecycle management | DescribeLifecyclePolicies | nas:DescribeLifecyclePolicies | acs:nas:<region>:<account-id>:lifecyclepolicy/* | Queries lifecycle management policies.