Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. RAM allows you to create and manage multiple RAM users within an Alibaba Cloud account. This topic describes how to use RAM policies to control access from RAM users to Alibaba Cloud resources. For example, you can authorize a RAM user to access only one Apsara File Storage NAS file system.
Warning When you grant permissions to RAM users, we recommend that you grant the least permissions
to each RAM user. If you grant more permissions than necessary, security risks may
occur.
Procedure
- Create a RAM user. For more information, see Create a RAM user.
- Select the permission policies that you want to grant to the RAM user.
Permission policies consist of system policies and custom policies.
- System policies: the default permission policies that are provided by Alibaba Cloud. The following
system policies are commonly used in Apsara File Storage NAS:
- AliyunNASFullAccess (not recommended): grants a RAM user full access to a NAS file system. Granting this permission to a RAM user is highly risky and is not recommended.
- AliyunNASReadOnlyAccess: grants a RAM user the read-only permission on a NAS file system.
- Custom policies: the permission policies that are customized. Custom policies allow you to manage
permissions in a more fine-grained and flexible manner.
You can create custom policies by writing scripts based on your business requirements. The following examples are used for reference. For more information, see Create a custom policy.
- System policies: the default permission policies that are provided by Alibaba Cloud. The following
system policies are commonly used in Apsara File Storage NAS:
- Grant permissions to the RAM user.
Attach the permission policies selected in Step 2. For more information, see Grant permissions to a RAM user.
Example 1: Grant a RAM user the permissions on a file system
- The following sample code shows how to grant a RAM user full access to the file system
whose ID is
07d****294.Note You cannot grant a RAM user the permissions to view a single file system. If you want to grant a RAM user full access to a single file system, grant the RAM user the permissions to view all file systems. Then, grant the RAM user the permissions to delete and modify a single file system.{ "Statement": [{ "Effect": "Allow", "Action": [ "nas:*" ], "Resource": [ "acs:nas:*:*:filesystem/07d****294" ] }, { "Effect": "Allow", "Action": "nas:CreateMountTarget", "Resource": [ "acs:vpc:*:*:vswitch/*" ] }, { "Effect": "Allow", "Action": "cms:Describe*", "Resource": "*" }, { "Effect": "Allow", "Action": "nas:DescribeFileSystems", "Resource": "*" } ], "Version": "1" } - The following sample code shows how to grant a RAM user the permissions to modify
the file system whose ID is
07d****294.{ "Statement": [{ "Effect": "Allow", "Action": [ "nas:DescribeFileSystems", "nas:ModifyFileSystem" ], "Resource": "acs:nas:*:*:filesystem/07d****294" }], "Version": "1" } - The following sample code shows how to grant the RAM user the permissions to view
all the file systems:
{ "Statement": [{ "Effect": "Allow", "Action": "nas:DescribeFileSystems", "Resource": "*" }], "Version": "1" }
Example 2: Grant a RAM user the permissions on the mount targets of a file system
The following sample code shows how to grant a RAM user full access to the mount targets
of the file system whose ID is
07d****294. {
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:CreateMountTarget",
"nas:DescribeMountTargets",
"nas:ModifyMountTarget",
"nas:DeleteMountTarget"
],
"Resource": [
"acs:nas:*:*:filesystem/07d****294",
"acs:vpc:*:*:vswitch/*"
]
}],
"Version": "1"
}Example 3: Grant a RAM user the permissions on the permission groups of a file system
The following sample code shows how to grant a RAM user full access to the permission
groups of a file system:
{
"Statement": [{
"Effect": "Allow",
"Action": [
"nas:CreateAccessGroup",
"nas:DescribeAccessGroups",
"nas:ModifyAccessGroup",
"nas:DeleteAccessGroup",
"nas:CreateAccessRule",
"nas:DescribeAccessRules",
"nas:ModifyAccessRule",
"nas:DeleteAccessRule"
],
"Resource": "acs:nas:*:*:accessgroup/*"
}],
"Version": "1"
}Example 4: Grant a RAM user the permissions to view the monitoring metrics of a file system
The following sample code shows how to grant a RAM user the permissions to view the
monitoring metrics of a file system:
{
"Statement": [{
"Effect": "Allow",
"Action": "cms:Describe*",
"Resource": "*"
}],
"Version": "1"
}Example 5: Grant a RAM user the permissions to manage the recycle bin of a file system
- The following sample code shows how to grant a RAM user full access to the recycle
bin of the file system whose ID is
07d****294.{ "Statement": [{ "Effect": "Allow", "Action": [ "nas:EnableRecycleBin", "nas:DisableAndCleanRecycleBin ", "nas:UpdateRecycleBinAttribute", "nas:GetRecycleBinAttribute", "nas:CreateRecycleBinRestoreJob", "nas:CreateRecycleBinDeleteJob", "nas:CancelRecycleBinJob", "nas:ListRecycleBinJobs", "nas:ListRecycledDirectoriesAndFiles", "nas:ListRecentlyRecycledDirectories" ], "Resource": [ "acs:nas:*:*:filesystem/07d****294" ] } ], "Version": "1" } - The following sample code shows how to grant a RAM user the permissions to restore
files temporarily stored in the recycle bin of the file system whose ID is
07d****294.{ "Statement": [{ "Effect": "Allow", "Action": [ "nas:GetRecycleBinAttribute", "nas:CreateRecycleBinRestoreJob", "nas:CancelRecycleBinJob", "nas:ListRecycleBinJobs", "nas:ListRecycledDirectoriesAndFiles", "nas:ListRecentlyRecycledDirectories" ], "Resource": [ "acs:nas:*:*:filesystem/07d****294" ] } ], "Version": "1" } - The following sample code shows how to grant a RAM user the permissions to permanently
delete files from the recycle bin of the file system whose ID is
07d****294.{ "Statement": [{ "Effect": "Allow", "Action": [ "nas:GetRecycleBinAttribute", "nas:CreateRecycleBinDeleteJob", "nas:CancelRecycleBinJob", "nas:ListRecycleBinJobs", "nas:ListRecycledDirectoriesAndFiles", "nas:ListRecentlyRecycledDirectories" ], "Resource": [ "acs:nas:*:*:filesystem/07d****294" ] } ], "Version": "1" } - The following sample code shows how to grant a RAM user the permissions to modify
the configurations for the recycle bin of the file system whose ID is
07d****294.{ "Statement": [{ "Effect": "Allow", "Action": [ "nas:EnableRecycleBin", "nas:UpdateRecycleBinAttribute", "nas:DisableAndCleanRecycleBin", "nas:GetRecycleBinAttribute" ], "Resource": [ "acs:nas:*:*:filesystem/07d****294" ] } ], "Version": "1" }
Authentication list of custom policies
You can use the RAM console or call the CreatePolicy API operation to create a custom policy. If you set Configuration Mode to Script, you must set the parameters in the Policy Document section based on the JSON template.
For more information about the values of the Action and Resource parameters, see the
following authentication list. For more information, see Policy elements.
| API | Action | Resource | Description | |
|---|---|---|---|---|
| File System | CreateFileSystem | nas:CreateFileSystem | acs:nas:<region>:<account-id>:filesystem/* | Creates a file system. |
| DeleteFileSystem | nas:DeleteFileSystem | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Deletes a file system. | |
| ModifyFileSystem | nas:ModifyFileSystem | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Modifies a file system. | |
| DescribeFileSystems | nas:DescribeFileSystems | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Queries file systems. | |
| Mount target | CreateMountTarget | nas:CreateMountTarget |
|
Creates a mount target. |
| DeleteMountTarget | nas:DeleteMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Deletes a mount target. | |
| ModifyMountTarget | nas:ModifyMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Modifies a mount target. | |
| DescribeMountTargets | nas:DescribeMountTargets | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Queries the mount targets of a file system. | |
| Permission group | CreateAccessGroup | nas:CreateAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Creates a permission group. |
| DeleteAccessGroup | nas:DeleteAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Deletes a permission group. | |
| ModifyAccessGroup | nas:ModifyAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Modifies a permission group. | |
| DescribeAccessGroups | nas:DescribeAccessGroups | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Queries the permission groups of a file system. | |
| CreateAccessRule | nas:CreateAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Creates a rule for a permission group. | |
| DeleteAccessRule | nas:DeleteAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Deletes a rule from a permission group. | |
| ModifyAccessRule | nas:ModifyAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Modifies a rule of a permission group. | |
| DescribeAccessRule | nas:DescribeAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Queries the rules of a permission group. | |
| Snapshots for Extreme NAS file systems | ApplyAutoSnapshotPolicy | nas:ApplyAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Applies an automatic snapshot policy to one or more file systems. |
| CancelAutoSnapshotPolicy | nas:CancelAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Removes automatic snapshot policies from one or more file systems. | |
| CreateAutoSnapshotPolicy | nas:CreateAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Creates an automatic snapshot policy. | |
| DeleteAutoSnapshotPolicy | nas:DeleteAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Deletes an automatic snapshot policy. | |
| ModifyAutoSnapshotPolicy | nas:ModifyAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Modifies an automatic snapshot policy. | |
| DescribeAutoSnapshotPolicies | nas:DescribeAutoSnapshotPolicies | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries the details of automatic snapshot policies. | |
| CreateSnapshot | nas:CreateSnapshot | acs:nas:<region>:<account-id>:snapshot/* | Creates a snapshot. | |
| DeleteSnapshot | nas:DeleteSnapshot | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Deletes a specified snapshot. | |
| DescribeAutoSnapshotTasks | nas:DescribeAutoSnapshotTasks | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries the details of automatic snapshot tasks. | |
| DescribeSnapshots | nas:DescribeSnapshots | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries all the snapshots of a file system. | |
| ResetFileSystem | nas:ResetFileSystem | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Rolls back a file system from a snapshot. | |
| Lifecycle management | CreateLifecyclePolicy | nas:CreateLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Creates a lifecycle management policy. |
| ModifyLifecyclePolicy | nas:ModifyLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Modifies a lifecycle management policy. | |
| DeleteLifecyclePolicy | nas:DeleteLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Deletes a lifecycle management policy. | |
| DescribeLifecyclePolicies | nas:DescribeLifecyclePolicies | acs:nas:<region>:<account-id>:lifecyclepolicy/* | Queries the lifecycle management policies. | |