This topic describes how to use Resource Access Management (RAM) policies to control the access of RAM users to Alibaba Cloud resources. You can create and manage multiple RAM users under one Alibaba Cloud account. To give the RAM users different permissions, attach different policies to them; each RAM user can then access only the Alibaba Cloud resources that its policies allow. Using the AccessKey pair of a RAM user for day-to-day access, instead of the AccessKey pair of the Alibaba Cloud account, reduces the risk that the account's AccessKey pair is leaked. Granting each RAM user only the permissions it needs (least privilege) further reduces security risks.

Prerequisites

A RAM user or group is created. For more information, see Create a RAM user and Create a RAM user group.

Background information

Permission policies consist of system policies and custom policies.
  • System policies: the default permission policies that are provided by Alibaba Cloud. The following system policies are commonly used in Apsara File Storage NAS. You can attach the policies to the RAM users based on your business requirements.
    • AliyunNASFullAccess: authorizes a RAM user to manage NAS file systems
    • AliyunNASReadOnlyAccess: authorizes a RAM user to view NAS file systems
  • Custom policies: the permission policies that are customized. The custom policies allow you to perform more fine-grained and flexible access control. For more information about how to create custom policies, see Create a custom policy.

Attach a custom policy to a RAM user

By default, a RAM user or group has no permissions. You must grant permissions to the RAM user or group before the RAM user or group can be used to perform operations in the console or call API operations.

  1. Create a custom policy based on the scenarios in the following sections. For more information about how to create a custom policy, see Create a custom policy.
  2. In the left-side navigation pane, choose Identities > Users.
  3. Find the RAM user in the User Logon Name/Display Name column and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, the Principal field is automatically filled.
  5. In the Select Policy section, click the policy name that you want to attach to the RAM user in the Authorization Policy Name column.
    Note In the Selected section, you can click the cross sign (×) next to the policy name to remove the policy.
  6. Click OK.
  7. Click Complete.
Note For more information about how to grant permissions to a RAM user or group, see Grant permissions to a RAM user and Grant permissions to a RAM user group.

Example 1: Grant the permissions on a file system to the RAM user

  • The following sample code shows how to authorize the RAM user to modify a file system:
    {
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "nas:DescribeFileSystems",
                "nas:ModifyFileSystem"
            ],
            "Resource": "acs:nas:*:*:filesystem/07d0b4****"
        }],
        "Version": "1"
    }
  • The following sample code shows how to authorize the RAM user to view all the file systems:
    {
        "Statement": [{
            "Effect": "Allow",
            "Action": "nas:DescribeFileSystems",
            "Resource": "*"
        }],
        "Version": "1"
    }
  • The following sample code shows how to grant the RAM user full access to a file system:
    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "nas:*"
                ],
                "Resource": [
                    "acs:nas:*:*:filesystem/07d0b4****"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "nas:CreateMountTarget",
                "Resource": [
                    "acs:vpc:*:*:vswitch/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "cms:Describe*",
                "Resource": "*"
            }
        ],
        "Version": "1"
    }

Example 2: Grant the permissions on the mount targets of a file system to the RAM user

The following sample code shows how to grant the RAM user full access to the mount targets of a file system:
{
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "nas:CreateMountTarget",
            "nas:DescribeMountTargets",
            "nas:ModifyMountTarget",
            "nas:DeleteMountTarget"
        ],
        "Resource": [
            "acs:nas:*:*:filesystem/07d0b4****",
            "acs:vpc:*:*:vswitch/*"
        ]
    }],
    "Version": "1"
}

Example 3: Grant the permissions on the permission groups of a file system to the RAM user

The following sample code shows how to grant the RAM user full access to the permission groups of a file system:
{
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "nas:CreateAccessGroup",
            "nas:DescribeAccessGroups",
            "nas:ModifyAccessGroup",
            "nas:DeleteAccessGroup",
            "nas:CreateAccessRule",
            "nas:DescribeAccessRules",
            "nas:ModifyAccessRule",
            "nas:DeleteAccessRule"
        ],
        "Resource": "acs:nas:*:*:accessgroup/*"
    }],
    "Version": "1"
}

Example 4: Grant the permissions to view the metrics of a file system to the RAM user

The following sample code shows how to authorize the RAM user to view the metrics of a file system:
{
    "Statement": [{
        "Effect": "Allow",
        "Action": "cms:Describe*",
        "Resource": "*"
    }],
    "Version": "1"
}
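The following Python script is an added example; it is not code from the Alibaba Cloud documentation or from NAS itself. It builds policy documents in the shape used in Examples 1 to 4, evaluates whether a policy allows a given action on a given resource ARN, and lints a policy for grants that are broader than least privilege. The file system ID fs-EXAMPLE01, the region cn-hangzhou and the account ID 123456789012 are constructed placeholders, and the evaluator models only the Allow statements with * wildcards that the samples use (no Deny statements, no conditions). It also shows why the masked ID 07d0b4**** in the samples must be replaced with the real file system ID before use: a * in a Resource value is a wildcard, so a masked ID pasted as-is matches every file system whose ID starts with 07d0b4.

```python
"""Build, evaluate and lint NAS RAM policy documents.

Added example, not Alibaba Cloud's code. The policy JSON shape and the
acs:nas:<region>:<account-id>:filesystem/<id> format come from the page; the
file system ID "fs-EXAMPLE01", the region and the account ID used below are
constructed placeholders, and the evaluator only models Allow statements
with * wildcards (no Deny statements, no conditions).
"""
import fnmatch
import json
from typing import List


def allow(actions, resources) -> dict:
    """One Allow statement; single strings stay strings, as in the page's samples."""
    return {"Effect": "Allow", "Action": actions, "Resource": resources}


def build_policy(*statements: dict) -> dict:
    return {"Statement": list(statements), "Version": "1"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource
    (* matches any run of characters, as in acs:nas:*:*:filesystem/*)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            return True
    return False


def _is_read_only(action: str) -> bool:
    return action.split(":", 1)[-1].startswith("Describe")


def lint_policy(policy: dict) -> List[str]:
    """Least-privilege review hints: broad grants and wildcard NAS resource IDs."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wildcard_action and "*" in resources:
            findings.append(f"statement {i}: wildcard action on every resource")
        if "*" in resources and any(not _is_read_only(a) for a in actions):
            findings.append(f"statement {i}: write action granted on Resource \"*\"")
        for r in resources:
            # A * left in the ID part of a NAS ARN (for example a masked ID pasted
            # from documentation) widens the grant to every matching file system.
            if r.startswith("acs:nas:") and "*" in r.rsplit(":", 1)[-1]:
                findings.append(f"statement {i}: wildcard in NAS resource ID {r}")
    return findings


# Constructed placeholder ARN for the tests and the demo below.
FS_ARN = "acs:nas:cn-hangzhou:123456789012:filesystem/fs-EXAMPLE01"

# Example 1 (first policy) with a placeholder ID in place of the masked 07d0b4****.
MODIFY_ONE_FS = build_policy(
    allow(["nas:DescribeFileSystems", "nas:ModifyFileSystem"],
          "acs:nas:*:*:filesystem/fs-EXAMPLE01"))

# The same actions, but with the masked ID copied verbatim from the sample.
MASKED_ID = build_policy(
    allow(["nas:DescribeFileSystems", "nas:ModifyFileSystem"],
          "acs:nas:*:*:filesystem/07d0b4****"))

# Every NAS action on every resource: the grant that least privilege argues against.
FULL_NAS = build_policy(allow("nas:*", "*"))

if __name__ == "__main__":
    print(json.dumps(MODIFY_ONE_FS, indent=4))
    print(is_allowed(MODIFY_ONE_FS, "nas:ModifyFileSystem", FS_ARN))   # True
    print(is_allowed(MODIFY_ONE_FS, "nas:DeleteFileSystem", FS_ARN))   # False
    for name, pol in (("MODIFY_ONE_FS", MODIFY_ONE_FS),
                      ("MASKED_ID", MASKED_ID), ("FULL_NAS", FULL_NAS)):
        print(name, lint_policy(pol))
```

Running the script prints the scoped policy and the lint findings for each policy. The lint returns review hints only: Resource "*" with a read-only action, as in the second policy of Example 1, produces no finding, whereas nas:* on "*" is flagged twice (wildcard action, write access on every resource) and the masked ID is flagged once.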

Authentication list

You can use the RAM console or call the CreatePolicy API operation to create a custom policy. If you select Script for Configuration Mode, you must set the parameters in the PolicyDocument section based on the JSON template. The following table lists the values of the Action and Resource parameters in different API operations. The format of the Resource parameter is the same as that of an Alibaba Cloud Resource Name (ARN). For more information, see Policy elements.
Category | API | Action | Resource | Description
File system | CreateFileSystem | nas:CreateFileSystem | acs:nas:<region>:<account-id>:filesystem/* | Creates a file system.
File system | DeleteFileSystem | nas:DeleteFileSystem | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Deletes a file system.
File system | ModifyFileSystem | nas:ModifyFileSystem | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Modifies a file system.
File system | DescribeFileSystems | nas:DescribeFileSystems | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Queries file systems.
Mount target | CreateMountTarget | nas:CreateMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> and acs:vpc:*:*:vswitch/* | Creates a mount target.
Mount target | DeleteMountTarget | nas:DeleteMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Deletes a mount target.
Mount target | ModifyMountTarget | nas:ModifyMountTarget | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Modifies a mount target.
Mount target | DescribeMountTargets | nas:DescribeMountTargets | acs:nas:<region>:<account-id>:filesystem/<filesystemid> | Queries the mount targets of a file system.
Permission group | CreateAccessGroup | nas:CreateAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Creates a permission group.
Permission group | DeleteAccessGroup | nas:DeleteAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Deletes a permission group.
Permission group | ModifyAccessGroup | nas:ModifyAccessGroup | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Modifies a permission group.
Permission group | DescribeAccessGroups | nas:DescribeAccessGroups | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Queries the permission groups of a file system.
Permission group | CreateAccessRule | nas:CreateAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Creates a rule.
Permission group | DeleteAccessRule | nas:DeleteAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Deletes a rule.
Permission group | ModifyAccessRule | nas:ModifyAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Modifies a rule.
Permission group | DescribeAccessRule | nas:DescribeAccessRule | acs:nas:<region>:<account-id>:accessgroup/<accessgroupname> | Queries the rules of a permission group.
Snapshots for Extreme NAS file systems | ApplyAutoSnapshotPolicy | nas:ApplyAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Applies an automatic snapshot policy to one or more file systems.
Snapshots for Extreme NAS file systems | CancelAutoSnapshotPolicy | nas:CancelAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Removes automatic snapshot policies from file systems.
Snapshots for Extreme NAS file systems | CreateAutoSnapshotPolicy | nas:CreateAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Creates an automatic snapshot policy.
Snapshots for Extreme NAS file systems | DeleteAutoSnapshotPolicy | nas:DeleteAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Deletes an automatic snapshot policy.
Snapshots for Extreme NAS file systems | ModifyAutoSnapshotPolicy | nas:ModifyAutoSnapshotPolicy | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Modifies an automatic snapshot policy.
Snapshots for Extreme NAS file systems | DescribeAutoSnapshotPolicies | nas:DescribeAutoSnapshotPolicies | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries the details of automatic snapshot policies.
Snapshots for Extreme NAS file systems | CreateSnapshot | nas:CreateSnapshot | acs:nas:<region>:<account-id>:snapshot/* | Creates a snapshot.
Snapshots for Extreme NAS file systems | DeleteSnapshot | nas:DeleteSnapshot | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Deletes a snapshot.
Snapshots for Extreme NAS file systems | DescribeAutoSnapshotTasks | nas:DescribeAutoSnapshotTasks | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries the details of automatic snapshot tasks.
Snapshots for Extreme NAS file systems | DescribeSnapshots | nas:DescribeSnapshots | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Queries all snapshots of a file system.
Snapshots for Extreme NAS file systems | ResetFileSystem | nas:ResetFileSystem | acs:nas:<region>:<account-id>:snapshot/<snapshotid> | Restores a file system from a snapshot.
Lifecycle management | CreateLifecyclePolicy | nas:CreateLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Creates a lifecycle management policy.
Lifecycle management | ModifyLifecyclePolicy | nas:ModifyLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Modifies a lifecycle management policy.
Lifecycle management | DeleteLifecyclePolicy | nas:DeleteLifecyclePolicy | acs:nas:<region>:<account-id>:lifecyclepolicy/<lifecyclerulename> | Deletes a lifecycle management policy.
Lifecycle management | DescribeLifecyclePolicies | nas:DescribeLifecyclePolicies | acs:nas:<region>:<account-id>:lifecyclepolicy/* | Queries the lifecycle management policies.
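As an added example (not Alibaba Cloud's code), the following Python script encodes part of the table above and checks that every NAS action in a policy is paired with a Resource of the type the table requires: for example that nas:CreateMountTarget carries both a file system ARN and a VPC vSwitch ARN, and that access-group actions are scoped to accessgroup/ ARNs rather than filesystem/ ARNs. The region cn-hangzhou, the account ID 123456789012 and the file system ID fs-EXAMPLE01 are constructed placeholders, and only the table rows listed in EXPECTED are encoded.

```python
"""Consistency check of a RAM policy against the NAS Action/Resource table.

Added example, not Alibaba Cloud's code. Only part of the table is encoded; the
region "cn-hangzhou", the account ID "123456789012" and the IDs in the sample
policies below are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# (service, resource-type prefix) that each action's Resource must carry, per the table.
# nas:CreateMountTarget needs both a NAS file system and a VPC vSwitch resource.
EXPECTED: Dict[str, List[Tuple[str, str]]] = {
    "nas:CreateFileSystem": [("nas", "filesystem/")],
    "nas:DeleteFileSystem": [("nas", "filesystem/")],
    "nas:ModifyFileSystem": [("nas", "filesystem/")],
    "nas:DescribeFileSystems": [("nas", "filesystem/")],
    "nas:CreateMountTarget": [("nas", "filesystem/"), ("vpc", "vswitch/")],
    "nas:DeleteMountTarget": [("nas", "filesystem/")],
    "nas:ModifyMountTarget": [("nas", "filesystem/")],
    "nas:DescribeMountTargets": [("nas", "filesystem/")],
    "nas:CreateAccessGroup": [("nas", "accessgroup/")],
    "nas:DeleteAccessGroup": [("nas", "accessgroup/")],
    "nas:ModifyAccessGroup": [("nas", "accessgroup/")],
    "nas:DescribeAccessGroups": [("nas", "accessgroup/")],
    "nas:CreateAccessRule": [("nas", "accessgroup/")],
    "nas:DeleteAccessRule": [("nas", "accessgroup/")],
    "nas:ModifyAccessRule": [("nas", "accessgroup/")],
    "nas:CreateSnapshot": [("nas", "snapshot/")],
    "nas:DeleteSnapshot": [("nas", "snapshot/")],
    "nas:CreateLifecyclePolicy": [("nas", "lifecyclepolicy/")],
    "nas:DescribeLifecyclePolicies": [("nas", "lifecyclepolicy/")],
}

# acs:<service>:<region>:<account-id>:<resource-type>/<id>
ARN = re.compile(r"^acs:(?P<service>[^:]+):(?P<region>[^:]*):(?P<account>[^:]*):(?P<rtype>.+)$")


def nas_arn(rtype: str, region: str = "*", account_id: str = "*") -> str:
    """Build acs:nas:<region>:<account-id>:<type>/<id>, the format used in the table."""
    return f"acs:nas:{region}:{account_id}:{rtype}"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _covers(resource: str, service: str, prefix: str) -> bool:
    """Does this Resource entry name the required service and resource type?"""
    if resource == "*":
        return True
    m = ARN.match(resource)
    return bool(m) and m["service"] == service and m["rtype"].startswith(prefix)


def check_resources(policy: dict) -> List[str]:
    """One message per (statement, action) whose Resource list lacks a resource
    of the type the table requires. Actions not in EXPECTED are skipped."""
    problems = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st["Resource"])
        for action in _as_list(st["Action"]):
            for service, prefix in EXPECTED.get(action, []):
                if not any(_covers(r, service, prefix) for r in resources):
                    problems.append(
                        f"statement {i}: {action} has no acs:{service} resource of type {prefix}*")
    return problems


# Shape of Example 2 above, with a constructed file system ID.
MOUNT_TARGET_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["nas:CreateMountTarget", "nas:DescribeMountTargets",
                   "nas:ModifyMountTarget", "nas:DeleteMountTarget"],
        "Resource": [nas_arn("filesystem/fs-EXAMPLE01", "cn-hangzhou", "123456789012"),
                     "acs:vpc:*:*:vswitch/*"],
    }],
    "Version": "1",
}

# Mis-scoped: access-group actions on a file system ARN, and CreateMountTarget
# without the vSwitch resource the table lists for it.
MISSCOPED_POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["nas:CreateAccessGroup", "nas:CreateMountTarget"],
        "Resource": nas_arn("filesystem/fs-EXAMPLE01"),
    }],
    "Version": "1",
}

if __name__ == "__main__":
    print(check_resources(MOUNT_TARGET_POLICY))   # []
    for problem in check_resources(MISSCOPED_POLICY):
        print(problem)
```

The check is deliberately one-directional: it reports actions that are missing a required resource type, not extra resources, because an unnecessary extra entry widens the grant rather than breaking it and is the lint's job in the earlier example. A Resource of "*" satisfies every action, which is exactly why the table's per-type ARNs are preferable to it.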