Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. RAM allows you to create and manage multiple RAM users within an Alibaba Cloud account. This topic describes how to use RAM policies to control access from RAM users to Alibaba Cloud resources. For example, you can authorize a RAM user to access only one Apsara File Storage NAS file system.
Warning If you grant permissions to RAM users, security risks may occur. To minimize security
risks, we recommend that you grant the least permissions to each RAM user.
Procedure
- Create a RAM user. For more information, see Create a RAM user.
- Select the permission policies that you want to attach to the RAM user.
Permission policies consist of system policies and custom policies.
- System policies: the default permission policies that are provided by Alibaba Cloud. The following
system policies are commonly used in Apsara File Storage NAS:
- AliyunNASFullAccess: authorizes a RAM user to manage NAS file systems
- AliyunNASReadOnlyAccess: authorizes a RAM user to view NAS file systems
- Custom policies: the permission policies that are customized. Custom policies allow you to manage
permissions in a more fine-grained and flexible manner.
You can create custom policies by writing scripts based on your business requirements. The following examples are used for reference. For more information, see Create a custom policy.
- System policies: the default permission policies that are provided by Alibaba Cloud. The following
system policies are commonly used in Apsara File Storage NAS:
- Grant permissions to the RAM user.
Attach the permission policies selected in Step 2. For more information, see Grant permissions to a RAM user.
Example 1: Grant a RAM user the permissions on a file system
- The following sample code shows how to grant a RAM user full access permissions on
the file system whose ID is
07d****294:Note You cannot grant a RAM user the permissions to view a single file system. If you want to grant a RAM user full access permissions on a single file system, grant the RAM user the permissions to view all file systems. Then, grant the RAM user the permissions to delete and modify a single file system.{ "Statement": [{ "Effect": "Allow", "Action": [ "nas:*" ], "Resource": [ "acs:nas:*:*:filesystem/07d****294" ] }, { "Effect": "Allow", "Action": "nas:CreateMountTarget", "Resource": [ "acs:vpc:*:*:vswitch/*" ] }, { "Effect": "Allow", "Action": "cms:Describe*", "Resource": "*" }, { "Effect": "Allow", "Action": "nas:DescribeFileSystems", "Resource": "*" } ], "Version": "1" } - The following sample code shows how to authorize a RAM user to modify the file system
whose ID is
07d****294:{ "Statement": [{ "Effect": "Allow", "Action": [ "nas:DescribeFileSystems", "nas:ModifyFileSystem" ], "Resource": "acs:nas:*:*:filesystem/07d****294" }], "Version": "1" } - The following sample code shows how to authorize the RAM user to view all the file
systems:
{ "Statement": [{ "Effect": "Allow", "Action": "nas:DescribeFileSystems", "Resource": "*" }], "Version": "1" }
Example 2: Grant a RAM user the permissions on the mount targets of a file system
The following sample code shows how to grant a RAM user full access permissions on
the mount targets of the file system whose ID is
07d****294.{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:CreateMountTarget",
"nas:DescribeMountTargets",
"nas:ModifyMountTarget",
"nas:DeleteMountTarget"
],
"Resource": [
"acs:nas:*:*:filesystem/07d****294",
"acs:vpc:*:*:vswitch/*"
]
}],
"Version": "1"
}Example 3: Grant a RAM user the permissions on the permission groups of a file system
The following sample code shows how to grant a RAM user full access permissions on
the permission groups of a file system:
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:CreateAccessGroup",
"nas:DescribeAccessGroups",
"nas:ModifyAccessGroup",
"nas:DeleteAccessGroup",
"nas:CreateAccessRule",
"nas:DescribeAccessRules",
"nas:ModifyAccessRule",
"nas:DeleteAccessRule"
],
"Resource": "acs:nas:*:*:accessgroup/*"
}],
"Version": "1"
}Example 4: Grant a RAM user the permissions to view the monitoring metrics of a file system
The following sample code shows how to authorize a RAM user to view the monitoring
metrics of a file system:
{
"Statement": [{
"Effect": "Allow",
"Action": "cms:Describe*",
"Resource": "*"
}],
"Version": "1"
}Authentication list of custom policies
You can use the RAM console or call the CreatePolicy API operation to create a custom policy. If you set Configuration Mode to Script, you must set the parameters in the Policy Document section based on the JSON template.
For more information about the values of the Action and Resource parameters, see the
following authentication list. For more information, see Policy elements.
| API | Action | Resource | Description | |
|---|---|---|---|---|
| File system | CreateFileSystem | nas:CreateFileSystem | acs:nas:<region>:<account-id>:filesystem/* | Creates a file system. |
| DeleteFileSystem | nas:DeleteFileSystem | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Deletes a file system. | |
| ModifyFileSystem | nas:ModifyFileSystem | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Modifies a file system. | |
| DescribeFileSystems | nas:DescribeFileSystems | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Queries file systems. | |
| Mount target | CreateMountTarget | nas:CreateMountTarget |
|
Creates a mount target. |
| DeleteMountTarget | nas:DeleteMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Deletes a mount target. | |
| ModifyMountTarget | nas:ModifyMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Modifies a mount target. | |
| DescribeMountTargets | nas:DescribeMountTargets | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Queries the mount targets of a file system. | |
| Permission group | CreateAccessGroup | nas:CreateAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Creates a permission group. |
| DeleteAccessGroup | nas:DeleteAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Deletes a permission group. | |
| ModifyAccessGroup | nas:ModifyAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Modifies a permission group. | |
| DescribeAccessGroups | nas:DescribeAccessGroups | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Queries the permission groups of a file system. | |
| CreateAccessRule | nas:CreateAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Creates a rule for a permission group. | |
| DeleteAccessRule | nas:DeleteAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Deletes a rule from a permission group. | |
| ModifyAccessRule | nas:ModifyAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Modifies a rule of a permission group. | |
| DescribeAccessRule | nas:DescribeAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Queries the rules of a permission group. | |
| Snapshots for Extreme NAS file systems | ApplyAutoSnapshotPolicy | nas:ApplyAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Applies an automatic snapshot policy to one or more file systems. |
| CancelAutoSnapshotPolicy | nas:CancelAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Removes automatic snapshot policies from one or more file systems. | |
| CreateAutoSnapshotPolicy | nas:CreateAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Creates an automatic snapshot policy. | |
| DeleteAutoSnapshotPolicy | nas:DeleteAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Deletes an automatic snapshot policy. | |
| ModifyAutoSnapshotPolicy | nas:ModifyAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Modifies an automatic snapshot policy. | |
| DescribeAutoSnapshotPolicies | nas:DescribeAutoSnapshotPolicies | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries the details of automatic snapshot policies. | |
| CreateSnapshot | nas:CreateSnapshot | acs:nas:<region>:<account-id>:snapshot/* | Creates a snapshot. | |
| DeleteSnapshot | nas:DeleteSnapshot | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Deletes a specified snapshot. | |
| DescribeAutoSnapshotTasks | nas:DescribeAutoSnapshotTasks | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries the details of automatic snapshot tasks. | |
| DescribeSnapshots | nas:DescribeSnapshots | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries all the snapshots of a file system. | |
| ResetFileSystem | nas:ResetFileSystem | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Rolls back a file system from a snapshot. | |
| Lifecycle management | CreateLifecyclePolicy | nas:CreateLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Creates a lifecycle management policy. |
| ModifyLifecyclePolicy | nas:ModifyLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Modifies a lifecycle management policy. | |
| DeleteLifecyclePolicy | nas:DeleteLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Deletes a lifecycle management policy. | |
| DescribeLifecyclePolicies | nas:DescribeLifecyclePolicies | acs:nas:<region>:<account-id>:lifecyclepolicy/* | Queries the lifecycle management policies. | |