This topic uses an example policy to demonstrate how to authorize a RAM user to manage a specified ECS instance.
The following policy indicates that the authorized RAM user can view all ECS instances under an Alibaba Cloud account, but the user can manage only the i-001 ECS instance.
{
  "Statement": [
    {
      "Action": "ecs:*",
      "Effect": "Allow",
      "Resource": "acs:ecs:*:*:instance/i-001"
    },
    {
      "Action": "ecs:Describe*",
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Note: The Describe* element is required in the policy. Otherwise, the authorized RAM user cannot view instances in the console. Even without it, however, the RAM user can still manage the specified ECS instance through API operations, the CLI, or the ECS SDK.
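To check what the policy above grants before attaching it, the following added example (not part of the original topic and not Alibaba Cloud's own evaluation engine) runs a simplified evaluator over sample requests. It assumes case-sensitive wildcard matching and "explicit Deny wins, otherwise implicit deny"; the region, account ID and the i-002 instance are constructed sample values.

```python
import json
from fnmatch import fnmatchcase

# The policy from this topic.
POLICY = json.loads("""
{
  "Statement": [
    {"Action": "ecs:*", "Effect": "Allow",
     "Resource": "acs:ecs:*:*:instance/i-001"},
    {"Action": "ecs:Describe*", "Effect": "Allow", "Resource": "*"}
  ],
  "Version": "1"
}
""")

# Constructed sample resource names (region and account ID are made up).
I001 = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-001"
I002 = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-002"


def _matches(patterns, value):
    """True if value matches any pattern; '*' is the only wildcard used here."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified evaluation: explicit Deny wins, then any Allow, else deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def without_describe(policy):
    """Copy of the policy with the ecs:Describe* statement removed (the Note's case)."""
    kept = [s for s in policy["Statement"] if s["Action"] != "ecs:Describe*"]
    return {"Version": policy["Version"], "Statement": kept}


if __name__ == "__main__":
    for name, pol in (("full", POLICY), ("no Describe*", without_describe(POLICY))):
        for action, res in (("ecs:StopInstance", I001), ("ecs:StopInstance", I002),
                            ("ecs:DescribeInstances", I002)):
            print(f"{name:13} {action:22} {res[-5:]} -> {is_allowed(pol, action, res)}")
```

Because `ecs:*` covers every ECS action on i-001, review whether the user really needs all of them or only a narrower action list.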