Resource Access Management (RAM) users are virtual accounts to which RAM policies can be attached to grant different levels of permissions. This ensures more secure and controllable access and reduces the risk of disclosing the AccessKey pair of your Alibaba Cloud account. This topic describes how to grant permissions to a RAM user and provides some sample policies on Cloud Assistant.

Background information

RAM policies are either custom policies that you create or system policies provided by Alibaba Cloud. You can use an Alibaba Cloud account to create custom policies that define region-specific permissions and permissions on Elastic Compute Service (ECS) instances, Cloud Assistant commands, or managed-instance activation codes, and then attach the policies to RAM users.

Procedure

  1. Use your Alibaba Cloud account to create a RAM user.
    For more information, see Create a RAM user.
  2. Use your Alibaba Cloud account to create a custom policy.
    For more information, see Create a custom policy.
    Examples of custom policies on Cloud Assistant are provided in the sections that follow this procedure.
  3. Use your Alibaba Cloud account to attach policies to the created RAM user.
    For more information, see Grant permissions to a RAM user.
    • Attach a created custom policy.
    • Attach the following system policies provided by Alibaba Cloud:
      • AliyunECSAssistantFullAccess: grants RAM users the permissions to manage Cloud Assistant.
      • AliyunECSAssistantReadonlyAccess: grants RAM users read-only permissions on Cloud Assistant.

      You can log on to the RAM console to view the system policies and their details. For more information, see View the basic information about a policy.

  4. Check whether the RAM user is authorized to log on to the Alibaba Cloud Management Console.
    If a RAM user does not have the Console Access permission, the RAM user can use Cloud Assistant only by calling API operations. For more information, see View the permissions of a RAM user.
  5. Log on to the Alibaba Cloud Management Console as the RAM user.
    For more information, see Log on to the console as a RAM user.
  6. Log on to the ECS console as the RAM user, go to the Cloud Assistant page, and use Cloud Assistant.

Administrator (read and write) permissions on Cloud Assistant

The following sample policy grants RAM users all the query and management permissions on Cloud Assistant API operations.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTag*",
                "ecs:*Command",
                "ecs:DescribeCommand*",
                "ecs:DescribeInvocation*",
                "ecs:StopInvocation",
                "ecs:*CloudAssistant*",
                "ecs:SendFile",
                "ecs:DescribeSendFileResults",
                "ecs:*ManagedInstance",
                "ecs:DescribeManagedInstances",
                "ecs:*Activation",
                "ecs:DescribeActivations"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*",
                "acs:ecs:*:*:activation/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "archiving.ecs.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings",
                "ecs:UpdateServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
            ]
        }
    ]
}
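
Added example (not part of the original documentation): the wildcard entries in the administrator policy above, such as ecs:*Command, grant every matching operation, including the ones that run commands on instances. The Python code below expands each pattern against the operations named on this page, checks action and resource syntax, and reports Allow statements that permit command execution or file upload on instance/*. PAGE_OPERATIONS, EXECUTION_OPERATIONS, the ARN pattern and the finding names are assumptions of this example, and the sample policies are constructed from the page's samples.

```python
import re

# Operations named on this page. The real ECS API has more, so an expansion
# here is a lower bound on what a wildcard grants.
PAGE_OPERATIONS = [
    "DescribeInstances", "DescribeCloudAssistantStatus", "InstallCloudAssistant",
    "DescribeCommands", "CreateCommand", "ModifyCommand", "DeleteCommand",
    "InvokeCommand", "RunCommand", "DescribeInvocations", "StopInvocation",
    "SendFile", "DescribeSendFileResults", "ListServiceSettings",
    "UpdateServiceSettings", "DeregisterManagedInstance",
    "DescribeManagedInstances", "CreateActivation", "DisableActivation",
    "DescribeActivations", "DeleteActivation",
]
# This example's own grouping: operations that run code on, or write files
# to, an instance.
EXECUTION_OPERATIONS = {"InvokeCommand", "RunCommand", "SendFile"}

# acs:<service>:<region>:<account>:<relative-id>, as used by the page's samples.
ARN_RE = re.compile(
    r"acs:(?P<service>[a-z0-9-]+|\*):(?P<region>[a-z0-9-]*|\*):"
    r"(?P<account>\d*|\*):(?P<relative>\S+)"
)


def wildcard_match(pattern, value):
    """Match value against a pattern in which * stands for any characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def expand_action(action):
    """Return the page's operations covered by an ecs: action pattern."""
    service, _, name = action.partition(":")
    if service != "ecs":
        return []
    return sorted(op for op in PAGE_OPERATIONS if wildcard_match(name, op))


def audit_policy(policy):
    """Return (statement index, finding, detail) tuples for Allow statements."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        granted = set()
        for action in as_list(statement.get("Action", [])):
            if re.search(r"\s", action):
                # Whitespace inside an action string is a typo; report it.
                findings.append((index, "malformed-action", action))
                continue
            granted.update(expand_action(action))
        broad = []
        for resource in as_list(statement.get("Resource", [])):
            match = ARN_RE.fullmatch(resource)
            if resource == "*" or (match and match["relative"] == "instance/*"):
                broad.append(resource)
            elif match is None:
                findings.append((index, "malformed-resource", resource))
        risky = sorted(granted & EXECUTION_OPERATIONS)
        if risky and broad:
            detail = ",".join(risky) + " on " + ",".join(broad)
            findings.append((index, "execution-on-all-instances", detail))
    return findings


# Constructed inputs. ADMIN abridges the page's administrator policy, SCOPED
# is the page's instance-scoped InvokeCommand sample with one instance, and
# TYPOS is built with two syntax errors to exercise the checks.
ADMIN = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ecs:*Command", "ecs:*CloudAssistant*", "ecs:SendFile",
               "ecs:*Activation"],
    "Resource": ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*",
                 "acs:ecs:*:*:activation/*"],
}]}
SCOPED = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ecs:InvokeCommand"],
    "Resource": ["acs:ecs:*:*:command/*",
                 "acs:ecs:*:*:instance/i-instancexxx00a"],
}]}
TYPOS = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ecs: RunCommand"],
    "Resource": ["acs::ecs:*:*:command/*"],
}]}

if __name__ == "__main__":
    for pattern in ("ecs:*Command", "ecs:*CloudAssistant*", "ecs:*Activation"):
        print(pattern, "->", expand_action(pattern))
    for name, policy in (("ADMIN", ADMIN), ("SCOPED", SCOPED), ("TYPOS", TYPOS)):
        print(name, audit_policy(policy))
```

A region-scoped resource such as acs:ecs:cn-hangzhou:*:instance/* is still reported, because it covers every instance in that region.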

Read-only permissions on Cloud Assistant

The following sample policy grants RAM users all the query permissions on Cloud Assistant API operations.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTag*",
                "ecs:DescribeCommand*",
                "ecs:DescribeInvocation*",
                "ecs:DescribeCloudAssistant*",
                "ecs:DescribeSendFileResults",
                "ecs:DescribeManagedInstances",
                "ecs:DescribeActivations"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*",
                "acs:ecs:*:*:activation/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
            ]
        }
    ]
}

Region-specific permissions on Cloud Assistant

You can specify region fields in the Resource list to limit the permissions of RAM users to a specific region. The following sample policy grants RAM users permissions to use Cloud Assistant within the China (Hangzhou) region.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTag*",
                "ecs:*Command",
                "ecs:DescribeCommand*",
                "ecs:DescribeInvocation*",
                "ecs:StopInvocation",
                "ecs:*CloudAssistant*",
                "ecs:SendFile",
                "ecs:DescribeSendFileResults",
                "ecs:*ManagedInstance",
                "ecs:DescribeManagedInstances",
                "ecs:*Activation",
                "ecs:DescribeActivations"
            ],
            "Resource": [
                "acs:ecs:cn-hangzhou:*:instance/*",
                "acs:ecs:cn-hangzhou:*:command/*",
                "acs:ecs:cn-hangzhou:*:activation/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "archiving.ecs.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings",
                "ecs:UpdateServiceSettings"
            ],
            "Resource": [
                "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings"
            ]
        }
    ]
}

Permissions to query the installation status of the Cloud Assistant client

API operation: DescribeCloudAssistantStatus

  • The following sample policy grants RAM users the permissions to query the installation status of the Cloud Assistant client on all ECS instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeCloudAssistantStatus"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to query the installation status of the Cloud Assistant client on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeCloudAssistantStatus"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx000a",
                    "acs:ecs:*:*:instance/i-instancexxx000b"
                ]
            }
        ]
    }

Permissions to install the Cloud Assistant client

API operation: InstallCloudAssistant

  • The following sample policy grants RAM users the permissions to install the Cloud Assistant client on any ECS instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InstallCloudAssistant"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to install the Cloud Assistant client on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InstallCloudAssistant"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to query Cloud Assistant commands

API operation: DescribeCommands

  • The following sample policy grants RAM users the permissions to query all Cloud Assistant commands.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeCommands"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list to limit the permissions to specific commands. The following sample policy grants RAM users the permissions to query the specified commands.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeCommands"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx000a",
                    "acs:ecs:*:*:command/c-commandxxx000b"
                ]
            }
        ]
    }

Permissions to delete Cloud Assistant commands

API operation: DeleteCommand

  • The following sample policy grants RAM users the permissions to delete all Cloud Assistant commands.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list to limit the permissions to specific commands. The following sample policy grants RAM users the permissions to delete the specified commands.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx000a",
                    "acs:ecs:*:*:command/c-commandxxx000b"
                ]
            }
        ]
    }

Permissions to create Cloud Assistant commands

API operation: CreateCommand

The following sample policy grants RAM users the permissions to create Cloud Assistant commands.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:CreateCommand"
            ],
            "Resource": [
                "acs:ecs:*:*:command/*"
            ]
        }
    ]
}

Permissions to modify Cloud Assistant commands

API operation: ModifyCommand

  • The following sample policy grants RAM users the permissions to modify all Cloud Assistant commands.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ModifyCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list to limit the permissions to specific commands. The following sample policy grants RAM users the permissions to modify the specified commands.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ModifyCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx000a",
                    "acs:ecs:*:*:command/c-commandxxx000b"
                ]
            }
        ]
    }

Permissions to run Cloud Assistant commands

API operation: InvokeCommand

  • The following sample policy grants RAM users the permissions to run commands on any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*",
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to run commands on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*",
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list to limit the permissions to specific commands. The following sample policy grants RAM users the permissions to run the specified commands on instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b",
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify both command IDs and instance IDs in the Resource list to limit the permissions to specific commands and instances. The following sample policy grants RAM users the permissions to run the specified commands on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }

Permissions to create and run Cloud Assistant commands simultaneously

API operation: RunCommand

Note: If you set the KeepCommand parameter to true when you call the RunCommand operation, you must add the "acs:ecs:*:*:command/*" line to the Resource list.
  • The following sample policy grants RAM users the permissions to create and run commands simultaneously on any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:RunCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to create and run commands simultaneously on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:RunCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to query command execution results

API operation: DescribeInvocations

  • The following sample policy grants RAM users the permissions to query command execution results on any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*",
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to query command execution results on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list to limit the permissions to specific commands. The following sample policy grants RAM users the permissions to query the execution results of the specified commands on instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }
  • You can specify both command IDs and instance IDs in the Resource list to limit the permissions to specific commands and instances. The following sample policy grants RAM users the permissions to query the execution results of only specified commands on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }

Permissions to stop running commands

API operation: StopInvocation

  • The following sample policy grants RAM users the permissions to stop running commands on any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StopInvocation"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to stop running commands on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StopInvocation"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to upload local files

API operation: SendFile

  • The following sample policy grants RAM users the permissions to upload local files to any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:SendFile"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to upload local files to the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:SendFile"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to query the results of file upload operations

API operation: DescribeSendFileResults

  • The following sample policy grants RAM users the permissions to query the results of file upload operations to any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeSendFileResults"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to query the results of file upload operations to the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeSendFileResults"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to query and modify the Operation Content and Result Delivery settings

The following sample policy grants RAM users the permissions to query and modify the Operation Content and Result Delivery settings.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings",
                "ecs:UpdateServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
            ]
        }
    ]
}

Permissions to query the Operation Content and Result Delivery settings

The following sample policy grants RAM users the permissions to query the Operation Content and Result Delivery settings.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
            ]
        }
    ]
}

Region-specific permissions on Operation Content and Result Delivery

You can specify region fields in the Resource list to limit the permissions of RAM users to a specific region.
  • The following sample policy grants RAM users the permissions to query and modify the Operation Content and Result Delivery settings within the China (Hangzhou) region.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ListServiceSettings",
                    "ecs:UpdateServiceSettings"
                ],
                "Resource": [
                    "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings"
                ]
            }
        ]
    }
  • The following sample policy grants RAM users the permissions to query the Operation Content and Result Delivery settings within the China (Hangzhou) region.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ListServiceSettings"
                ],
                "Resource": [
                    "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings"
                ]
            }
        ]
    }

Permissions to query Object Storage Service (OSS) buckets

When you deliver O&M task execution records to OSS as a RAM user, you must grant the RAM user the permissions to query OSS buckets.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListBuckets"
            ],
            "Resource": "*"
        }
    ]
}

You must also learn about RAM policies on OSS so that you can query and analyze the execution records delivered to OSS. For more information, see OSS RAM policy overview and Common examples of OSS RAM policies.

Permissions to query Log Service projects and Logstores

When you deliver O&M task execution records to Log Service as a RAM user, you must grant the RAM user the permissions to query Log Service projects and Logstores.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "log:ListProject",
                "log:ListLogStores"
            ],
            "Resource": "*"
        }
    ]
}

You must also learn about RAM policies on Log Service so that you can query and analyze the execution records delivered to Log Service. For more information, see RAM authentication rule overview.

Permissions to deregister managed instances

API operation: DeregisterManagedInstance
  • The following sample policy grants RAM users the permissions to deregister managed instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeregisterManagedInstance"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to deregister the specified managed instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeregisterManagedInstance"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to query managed instances

API operation: DescribeManagedInstances

  • The following sample policy grants RAM users the permissions to query managed instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeManagedInstances"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific managed instances. The following sample policy grants RAM users the permissions to query the specified managed instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeManagedInstances"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to create activation codes

API operation: CreateActivation

The following sample policy grants RAM users the permissions to create activation codes and use them to register servers that are not provided by Alibaba Cloud as Alibaba Cloud managed instances.
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:CreateActivation"
            ],
            "Resource": [
                "acs:ecs:*:*:activation/*"
            ]
        }
    ]
}

Permissions to disable activation codes

API operation: DisableActivation

  • The following sample policy grants RAM users the permissions to disable any activation code that is used to register an Alibaba Cloud managed instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DisableActivation"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to disable the activation codes of the specified managed instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DisableActivation"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*****-*****A",
                    "acs:ecs:*:*:activation/*****-*****B"
                ]
            }
        ]
    }

Permissions to query activation codes

API operation: DescribeActivations

  • The following sample policy grants RAM users the permissions to query the created activation codes and their usage.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeActivations"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to query activation codes of the specified managed instances and their usage.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeActivations"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*****-*****A",
                    "acs:ecs:*:*:activation/*****-*****B"
                ]
            }
        ]
    }

Permissions to delete activation codes

API operation: DeleteActivation

  • The following sample policy grants RAM users the permissions to delete the activation codes that are not used.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteActivation"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy grants RAM users the permissions to delete the unused activation codes of the specified managed instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteActivation"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*****-*****A",
                    "acs:ecs:*:*:activation/*****-*****B"
                ]
            }
        ]
    }