
Elastic Compute Service:RAM user uses Cloud Assistant

Last Updated:Feb 27, 2024

Resource Access Management (RAM) users are virtual accounts to which RAM policies can be attached to grant different levels of permissions. This ensures more secure and controllable access and reduces the risk of disclosing the AccessKey pair of your Alibaba Cloud account. This topic describes how to grant RAM users permissions and provides some sample policies on Cloud Assistant.

Background information

RAM policies can be custom policies created by yourself or system policies provided by Alibaba Cloud. You can use an Alibaba Cloud account to create custom policies to define region-specific permissions and permissions on Elastic Compute Service (ECS) instances, Cloud Assistant commands, or managed-instance activation codes, and attach the policies to RAM users.

Procedure

  1. Use an Alibaba Cloud account to create a RAM user.

    For more information, see Create a RAM user.

  2. Use the Alibaba Cloud account to create a custom policy. For more information, see Create custom policies.

    The following sample custom policies, grouped by policy type, are described in the sections of this topic:

    • Policies that include permissions on Cloud Assistant
    • Policies that include permissions on Cloud Assistant Agent
    • Policies that include permissions on Cloud Assistant commands
    • Policies that include permissions on file transfer
    • Policies that include permissions on Operation Content and Result Delivery
    • Policies that include permissions on managed instances

  3. Use your Alibaba Cloud account to attach policies to the created RAM user.

    For more information, see Grant permissions to a RAM user.

    • Attach a created custom policy.

    • Attach the following system policies provided by Alibaba Cloud:

      • AliyunECSAssistantFullAccess: grants RAM users the permissions to manage Cloud Assistant.

      • AliyunECSAssistantReadonlyAccess: grants RAM users read-only permissions on Cloud Assistant.

      You can log on to the RAM console to view the system policies and their details. For more information, see View the basic information about a policy.

  4. Check whether the RAM user is authorized to log on to the Alibaba Cloud Management Console.

    If a RAM user does not have the Console Access permission, the RAM user can use Cloud Assistant only by calling API operations. For more information, see View the permissions of a RAM user.

  5. Log on to the Alibaba Cloud Management Console as the RAM user.

  6. Log on to the ECS console as the RAM user, go to the Cloud Assistant page, and use Cloud Assistant.

Cloud Assistant-specific sample custom policies

Administrator (read and write) permissions on Cloud Assistant

After you attach the following sample policy to RAM users, the RAM users have all the query and management permissions on Cloud Assistant API operations.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTag*",
                "ecs:*Command",
                "ecs:DescribeCommand*",
                "ecs:DescribeInvocation*",
                "ecs:StopInvocation",
                "ecs:*CloudAssistant*",
                "ecs:SendFile",
                "ecs:DescribeSendFileResults",
                "ecs:*ManagedInstance",
                "ecs:DescribeManagedInstances",
                "ecs:*Activation",
                "ecs:DescribeActivations",
                "ecs:ListPluginStatus",
                "ecs:ModifyInvocationAttribute"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*",
                "acs:ecs:*:*:activation/*",
                "acs:ecs:*:*:invocation/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "archiving.ecs.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings",
                "ecs:UpdateServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings",
                "acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
            ]
        }
    ]
}

Read-only permissions on Cloud Assistant

After you attach the following sample policy to RAM users, the RAM users have all the query permissions on Cloud Assistant API operations.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTag*",
                "ecs:DescribeCommand*",
                "ecs:DescribeInvocation*",
                "ecs:DescribeCloudAssistant*",
                "ecs:DescribeSendFileResults",
                "ecs:DescribeManagedInstances",
                "ecs:DescribeActivations",
                "ecs:ListPluginStatus"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*",
                "acs:ecs:*:*:activation/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings",
                "acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
            ]
        }
    ]
}

Region-specific permissions on Cloud Assistant

You can specify region fields in the Resource list to limit the permissions of RAM users on a specific region. After you attach the following sample policy to RAM users, the RAM users have permissions to use Cloud Assistant within the China (Hangzhou) region.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTag*",
                "ecs:*Command",
                "ecs:DescribeCommand*",
                "ecs:DescribeInvocation*",
                "ecs:StopInvocation",
                "ecs:*CloudAssistant*",
                "ecs:SendFile",
                "ecs:DescribeSendFileResults",
                "ecs:*ManagedInstance",
                "ecs:DescribeManagedInstances",
                "ecs:*Activation",
                "ecs:DescribeActivations",
                "ecs:ListPluginStatus",
                "ecs:ModifyInvocationAttribute"
            ],
            "Resource": [
                "acs:ecs:cn-hangzhou:*:instance/*",
                "acs:ecs:cn-hangzhou:*:command/*",
                "acs:ecs:cn-hangzhou:*:activation/*",
                "acs:ecs:cn-hangzhou:*:invocation/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "archiving.ecs.aliyuncs.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings",
                "ecs:UpdateServiceSettings"
            ],
            "Resource": [
                "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings",
                "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings"
            ]
        }
    ]
}

Cloud Assistant Agent-specific sample custom policies

Permissions to query the installation status of Cloud Assistant Agent

API operation: DescribeCloudAssistantStatus

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to query the installation status of Cloud Assistant Agent on all ECS instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeCloudAssistantStatus"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to query the installation status of Cloud Assistant Agent on the specified instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeCloudAssistantStatus"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx000a",
                    "acs:ecs:*:*:instance/i-instancexxx000b"
                ]
            }
        ]
    }

Permissions to install Cloud Assistant Agent

API operation: InstallCloudAssistant

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to install Cloud Assistant Agent on any ECS instance.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InstallCloudAssistant"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to install Cloud Assistant Agent on the specified instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InstallCloudAssistant"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Cloud Assistant command-specific sample custom policies

Permissions to view Cloud Assistant commands

API operation: DescribeCommands

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to query all Cloud Assistant commands.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeCommands"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list to limit the permissions on specific commands. The following sample policy allows the RAM users to query the specified commands.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeCommands"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx000a",
                    "acs:ecs:*:*:command/c-commandxxx000b"
                ]
            }
        ]
    }

Permissions to delete Cloud Assistant commands

API operation: DeleteCommand

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to delete all Cloud Assistant commands.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list to limit the permissions on specific commands. The following sample policy allows the RAM users to delete the specified commands.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx000a",
                    "acs:ecs:*:*:command/c-commandxxx000b"
                ]
            }
        ]
    }

Permissions to create Cloud Assistant commands

API operation: CreateCommand

After you attach the following sample policy to RAM users, the RAM users have the permissions to create Cloud Assistant commands.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:CreateCommand"
            ],
            "Resource": [
                "acs:ecs:*:*:command/*"
            ]
        }
    ]
}

Permissions to modify Cloud Assistant commands

API operation: ModifyCommand

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to modify all Cloud Assistant commands.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ModifyCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list to limit the permissions on specific commands. The following sample policy allows the RAM users to modify the specified commands.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ModifyCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx000a",
                    "acs:ecs:*:*:command/c-commandxxx000b"
                ]
            }
        ]
    }

Permissions to run Cloud Assistant commands

API operation: InvokeCommand

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to run commands on any instance.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*",
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to run commands on the specified instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*",
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list to limit the permissions on specific commands. The following sample policy allows the RAM users to run specific commands on instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b",
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify both command IDs and instance IDs in the Resource list to limit the permissions on specific instances and specific commands. The following sample policy allows the RAM users to run the specific commands on the specified instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }
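
The region-specific policy earlier in this topic and the four InvokeCommand variants above all work the same way: the Resource list decides which region, instances and commands an Allow statement covers, and a call that touches more than one resource needs every one of them covered. The following Python script is an added example, not Alibaba Cloud's evaluator; it models only the subset of RAM policy semantics these samples use (Allow and Deny statements, `*` wildcards in Action and Resource, explicit Deny wins, default deny, statements with a Condition skipped). The policies, account ID, instance IDs and command IDs in it are constructed placeholders shaped like the samples on this page.

```python
import re
from typing import Iterable, List, Union

Patterns = Union[str, List[str]]

# Constructed sample policies. Their shape follows the samples on this page;
# the account ID, instance IDs and command IDs below are placeholders.
REGION_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:DescribeInstances", "ecs:*Command",
                       "ecs:DescribeCommand*", "ecs:*CloudAssistant*"],
            "Resource": ["acs:ecs:cn-hangzhou:*:instance/*",
                         "acs:ecs:cn-hangzhou:*:command/*"],
        }
    ],
}

SCOPED_INVOKE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:InvokeCommand"],
            "Resource": [
                "acs:ecs:*:*:instance/i-instancexxx00a",
                "acs:ecs:*:*:instance/i-instancexxx00b",
                "acs:ecs:*:*:command/c-commandxxx00a",
                "acs:ecs:*:*:command/c-commandxxx00b",
            ],
        }
    ],
}


def _as_list(value: Patterns) -> List[str]:
    return value if isinstance(value, list) else [value]


def _wildcard(pattern: str, flags: int = 0) -> "re.Pattern":
    """Compile a RAM-style pattern: '*' matches any run of characters,
    everything else is literal."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", flags)


def action_matches(patterns: Patterns, action: str) -> bool:
    """Action names are matched case-insensitively. Note that 'ecs:*Command'
    does not cover 'ecs:DescribeCommands' (trailing 's'), which is why the
    samples list 'ecs:DescribeCommand*' separately."""
    return any(_wildcard(p, re.IGNORECASE).match(action) for p in _as_list(patterns))


def resource_matches(patterns: Patterns, resource: str) -> bool:
    return any(_wildcard(p).match(resource) for p in _as_list(patterns))


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Default deny; an explicit Deny beats any Allow. Statements with a
    Condition are skipped (conditions are not modelled here), which errs
    on the side of denying."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if "Condition" in stmt:
            continue
        if not action_matches(stmt["Action"], action):
            continue
        if not resource_matches(stmt["Resource"], resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def is_call_allowed(policy: dict, action: str, resources: Iterable[str]) -> bool:
    """A call that touches several resources (InvokeCommand touches the
    command and every target instance) needs all of them allowed."""
    return all(is_allowed(policy, action, r) for r in resources)


if __name__ == "__main__":
    hz_instance = "acs:ecs:cn-hangzhou:123456789012:instance/i-instancexxx00a"
    bj_instance = "acs:ecs:cn-beijing:123456789012:instance/i-instancexxx00a"
    command = "acs:ecs:cn-hangzhou:123456789012:command/c-commandxxx00a"
    print(is_call_allowed(REGION_POLICY, "ecs:InvokeCommand", [command, hz_instance]))  # True
    print(is_call_allowed(REGION_POLICY, "ecs:InvokeCommand", [command, bj_instance]))  # False
    print(is_call_allowed(SCOPED_INVOKE_POLICY, "ecs:InvokeCommand",
                          [command, "acs:ecs:cn-hangzhou:123456789012:instance/i-other"]))  # False
```

Run it to see that the cn-hangzhou policy allows InvokeCommand on a Hangzhou instance and denies the same call on a Beijing instance, and that the instance-and-command-scoped policy denies a call as soon as any one target instance is outside the list. The script is a local review aid for comparing candidate policies before you attach them; the authoritative decision is always made by RAM itself.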

Permissions to create and run Cloud Assistant commands simultaneously

API operation: RunCommand

Note

If you set the KeepCommand parameter to true when you call the RunCommand operation, you must add the "acs:ecs:*:*:command/*" line to the Resource list.

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to create and run commands simultaneously on any instance.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:RunCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to immediately run commands only on the specified instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:RunCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }
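
Before attaching a custom policy, it is worth running a quick review of the document itself: the Note above says a RunCommand grant needs a command/* resource once KeepCommand is true, a stray space in an action name (for example "ecs: RunCommand") silently matches nothing, and wildcard actions or unscoped resources grant more than the narrow samples in this topic intend. The following Python linter is an added example, not an Alibaba Cloud tool; it encodes those checks as heuristics for policies shaped like the samples on this page. The input policies are constructed placeholders, and the checks are review aids rather than a statement of how RAM evaluates a policy.

```python
import re
from typing import List, Tuple

# Constructed inputs shaped like samples on this page (IDs are placeholders).
RUN_COMMAND_ANY_INSTANCE = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:RunCommand"],
         "Resource": ["acs:ecs:*:*:instance/*"]}
    ],
}

ADMIN_LIKE = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:*Command", "ecs:DescribeCommand*"],
         "Resource": ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*"]},
        {"Effect": "Allow", "Action": ["ram:CreateServiceLinkedRole"],
         "Resource": "*",
         "Condition": {"StringEquals": {"ram:ServiceName": ["archiving.ecs.aliyuncs.com"]}}},
    ],
}

# service:Operation, with '*' as the only wildcard and no whitespace.
_ACTION_RE = re.compile(r"^[a-z][a-z0-9-]*:[A-Za-z0-9*]+$")

Finding = Tuple[int, str]  # (statement index, message)


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _grants(action_pattern: str, operation: str) -> bool:
    # Only called on patterns that passed _ACTION_RE, so '*' is the only metacharacter.
    return re.fullmatch(action_pattern.replace("*", ".*"), operation, re.IGNORECASE) is not None


def lint_policy(policy: dict) -> List[Finding]:
    """Return review findings for every Allow statement in a RAM policy document."""
    findings: List[Finding] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        valid_actions = []
        for a in actions:
            if not _ACTION_RE.match(a):
                findings.append((i, f"malformed action {a!r}: whitespace or bad format, it will never match"))
            else:
                valid_actions.append(a)
                if "*" in a:
                    findings.append((i, f"wildcard action {a!r}: enumerate the operations actually needed"))

        # A bare "*" resource is acceptable only when a Condition narrows it
        # (as the ram:CreateServiceLinkedRole statement on this page does).
        if "*" in resources and "Condition" not in stmt:
            findings.append((i, "Resource '*' without a Condition: scope it to a resource type or add a condition"))

        # acs:<service>:<region>:<account>:<resource>; a '*' region grants all regions.
        for r in resources:
            parts = r.split(":")
            if len(parts) == 5 and parts[0] == "acs" and parts[2] == "*":
                findings.append((i, f"{r!r} is not region-scoped; use a region ID such as cn-hangzhou if one region suffices"))

        # The Note on this page: RunCommand with KeepCommand=true needs a command/* resource.
        has_command_resource = any(r.split(":")[-1].startswith("command/") for r in resources)
        if any(_grants(a, "ecs:RunCommand") for a in valid_actions) and not has_command_resource:
            findings.append((i, "ecs:RunCommand is allowed but no command/* resource is listed: "
                                "add acs:ecs:*:*:command/* if KeepCommand=true will be used"))
    return findings


if __name__ == "__main__":
    for name, policy in [("RUN_COMMAND_ANY_INSTANCE", RUN_COMMAND_ANY_INSTANCE), ("ADMIN_LIKE", ADMIN_LIKE)]:
        print(name)
        for idx, msg in lint_policy(policy):
            print(f"  statement[{idx}]: {msg}")
```

Running it flags the RunCommand-on-any-instance sample as both unscoped by region and missing the command/* resource that KeepCommand requires, while the conditioned ram:CreateServiceLinkedRole statement produces no finding. Treat the region and wildcard findings as prompts for a decision, not as errors: the administrator samples on this page deliberately use them.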

Permissions to query command execution results

API operation: DescribeInvocations

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to query command execution results on any instance.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*",
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to query the execution results of commands on the specified instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list to limit the permissions on specific commands. The following sample policy allows the RAM users to query the execution results of only the specified commands on instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }
  • You can specify both command IDs and instance IDs in the Resource list to limit the permissions on specific instances and specific commands. The following sample policy allows the RAM users to query the execution results of the specified commands on the specified instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }

Permissions to modify the execution information of scheduled tasks

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to modify the execution information of any scheduled task and add instances to a scheduled task.

    If you modify the value of the CommandContent parameter and set the KeepCommand parameter to true when you call the InvokeCommand or RunCommand operation, a command is added and retained. In this case, you must add acs:ecs:*:*:command/* to the Resource list before you call the ModifyInvocationAttribute operation.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ecs:ModifyInvocationAttribute",
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ecs:*:*:invocation/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
  • You can specify task IDs in the Resource list to limit the permissions on specific tasks. The following sample policy allows the RAM users to modify the execution information only of the specified tasks and add instances to the specified tasks.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ecs:ModifyInvocationAttribute",
          "Resource": [
            "acs:ecs:*:*:instance/*",
            "acs:ecs:*:*:invocation/task-xxx"
          ],
          "Effect": "Allow"
        }
      ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to modify the execution information of scheduled tasks and add only the specified instances to the scheduled tasks.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ecs:ModifyInvocationAttribute",
          "Resource": [
            "acs:ecs:*:*:instance/i-instance-xxx",
            "acs:ecs:*:*:invocation/*"
          ],
          "Effect": "Allow"
        }
      ]
    }
  • You can specify instance IDs and task IDs in the Resource list to limit the permissions on specific instances and tasks. The following sample policy allows the RAM users to modify the execution information only of the specified tasks and add only the specified instances to the scheduled tasks.

    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ecs:ModifyInvocationAttribute",
          "Resource": [
            "acs:ecs:*:*:instance/i-instance-xxx",
            "acs:ecs:*:*:invocation/task-xxx"
          ],
          "Effect": "Allow"
        }
      ]
    }

Permissions to stop running commands

API operation: StopInvocation

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to stop running commands on any instance.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StopInvocation"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to stop running commands on the specific instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StopInvocation"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

File uploading-specific sample custom policies

Permissions to upload on-premises files

API operation: SendFile

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to upload on-premises files to any instance.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:SendFile"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to upload on-premises files to the specific instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:SendFile"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to query the results of file upload operations

API operation: DescribeSendFileResults

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to query the results of file upload operations to any instance.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeSendFileResults"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy allows the RAM users to query the results of file upload operations to the specific instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeSendFileResults"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Operation Content and Result Delivery-specific sample custom policies

Permissions to query and modify the Operation Content and Result Delivery settings

After you attach the following sample policy to RAM users, the RAM users have the permissions to query and modify the Operation Content and Result Delivery settings.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings",
                "ecs:UpdateServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
            ]
        }
    ]
}

Permissions to query the Operation Content and Result Delivery settings

After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Operation Content and Result Delivery settings.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
            ]
        }
    ]
}

Region-specific permissions on Operation Content and Result Delivery

You can specify region IDs in the Resource list to limit the regional permissions of RAM users.

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to query and modify the Operation Content and Result Delivery settings within the China (Hangzhou) region.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ListServiceSettings",
                    "ecs:UpdateServiceSettings"
                ],
                "Resource": [
                    "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings"
                ]
            }
        ]
    }
  • After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Operation Content and Result Delivery settings within the China (Hangzhou) region.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ListServiceSettings"
                ],
                "Resource": [
                    "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings"
                ]
            }
        ]
    }

Permissions to query and modify the Session Record Delivery settings

After you attach the following sample policy to RAM users, the RAM users have the permissions to query and modify the Session Record Delivery settings.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings",
                "ecs:UpdateServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
            ]
        }
    ]
}

Permissions to query the Session Record Delivery settings

After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Session Record Delivery settings.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:ListServiceSettings"
            ],
            "Resource": [
                "acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
            ]
        }
    ]
}

Region-specific permissions on Session Record Delivery

You can specify region IDs in the Resource list to limit the regional permissions of RAM users.

  • The following sample policy allows RAM users to query and modify the Session Record Delivery settings within the China (Hangzhou) region.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ListServiceSettings",
                    "ecs:UpdateServiceSettings"
                ],
                "Resource": [
                    "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings"
                ]
            }
        ]
    }
  • After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Session Record Delivery settings within the China (Hangzhou) region.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:ListServiceSettings"
                ],
                "Resource": [
                    "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings"
                ]
            }
        ]
    }

Permissions to query OSS buckets

When you deliver O&M task execution records or session records to Object Storage Service (OSS) as a RAM user, you must grant the RAM user the permissions to query OSS buckets.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListBuckets"
            ],
            "Resource": "*"
        }
    ]
}

After you deliver O&M task execution records or session records to OSS, the RAM user also needs OSS permissions to query and analyze the delivered records; grant them with a RAM policy on OSS. For more information, see Overview and Common examples of RAM policies.

Permissions to query Log Service projects and Logstores

When you deliver O&M task execution records or session records to Log Service as a RAM user, you must grant the RAM user the permissions to query Log Service projects and Logstores.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "log:ListProject",
                "log:ListLogStores"
            ],
            "Resource": "*"
        }
    ]
}

After you deliver O&M task execution records or session records to Log Service, the RAM user also needs Log Service permissions to query and analyze the delivered records; grant them with a RAM policy on Log Service. For more information, see Overview.

Managed instance-specific sample custom policies

Permissions to deregister managed instances

API operation: DeregisterManagedInstance

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to deregister managed instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeregisterManagedInstance"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy allows the RAM users to deregister only the specified managed instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeregisterManagedInstance"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to query managed instances

API operation: DescribeManagedInstances

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to query managed instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeManagedInstances"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy allows the RAM users to query the information about only the specified managed instances.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeManagedInstances"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to create activation codes

API operation: CreateActivation

After you attach the following sample policy to RAM users, the RAM users have the permissions to create activation codes and use them to register servers that are not provided by Alibaba Cloud as Alibaba Cloud managed instances.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:CreateActivation"
            ],
            "Resource": [
                "acs:ecs:*:*:activation/*"
            ]
        }
    ]
}

Permissions to disable activation codes

API operation: DisableActivation

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to disable any activation code that is used to register an Alibaba Cloud managed instance.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DisableActivation"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*"
                ]
            }
        ]
    }
  • You can specify activation code IDs in the Resource list to limit the permissions to specific activation codes. The following sample policy allows the RAM users to disable only the specified activation codes.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DisableActivation"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*****-*****A",
                    "acs:ecs:*:*:activation/*****-*****B"
                ]
            }
        ]
    }

Permissions to query activation codes

API operation: DescribeActivations

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to query the created activation codes and their usage.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeActivations"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*"
                ]
            }
        ]
    }
  • You can specify activation code IDs in the Resource list to limit the permissions to specific activation codes. The following sample policy allows the RAM users to query only the specified activation codes and their usage.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeActivations"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*****-*****A",
                    "acs:ecs:*:*:activation/*****-*****B"
                ]
            }
        ]
    }

Permissions to delete activation codes

API operation: DeleteActivation

  • After you attach the following sample policy to RAM users, the RAM users have the permissions to delete the activation codes that are not used.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteActivation"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*"
                ]
            }
        ]
    }
  • You can specify activation code IDs in the Resource list to limit the permissions to specific activation codes. The following sample policy allows the RAM users to delete only the specified activation codes, provided that the codes are not used.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteActivation"
                ],
                "Resource": [
                    "acs:ecs:*:*:activation/*****-*****A",
                    "acs:ecs:*:*:activation/*****-*****B"
                ]
            }
        ]
    }
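The scoping used in the policies above, a region ID in the resource string or instance and activation code IDs in the Resource list, can be checked offline before a policy is attached. The following Python is an added example, not Alibaba Cloud's code or API: a simplified evaluator that models Effect, Action and Resource with RAM-style "*" and "?" wildcards and the rule that an explicit Deny overrides any Allow, ignores Condition keys, and uses constructed policies, a constructed account ID and placeholder activation IDs.

```python
import json
import re

# Added example (not Alibaba Cloud's code): a simplified evaluator for RAM policy
# documents shaped like the samples on this page. It models Effect/Action/Resource
# with "*" and "?" wildcards and the rule that an explicit Deny overrides any Allow;
# Condition keys are not modelled. Policies, account and activation IDs are constructed.

REGION_SCOPED = """{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:ListServiceSettings", "ecs:UpdateServiceSettings"],
        "Resource": ["acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings"]
    }]
}"""

ACTIVATION_SCOPED = """{
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:DisableActivation"],
         "Resource": ["acs:ecs:*:*:activation/EXAMPLE-ACT-A"]},
        {"Effect": "Deny", "Action": ["ecs:DeleteActivation"], "Resource": ["*"]}
    ]
}"""

SETTINGS = "servicesettings/sessionmanagerdeliverysettings"


def _wildcard(pattern: str) -> "re.Pattern":
    # "*" matches any run of characters (including ":" and "/"); "?" matches one character.
    return re.compile("".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy_json: str, action: str, resource: str) -> bool:
    """True if some Allow statement matches action and resource and no Deny statement does."""
    policy = json.loads(policy_json)
    if policy.get("Version") != "1":
        raise ValueError("unsupported policy version")
    allowed = False
    for stmt in policy["Statement"]:
        hit_action = any(_wildcard(a).fullmatch(action) for a in _as_list(stmt["Action"]))
        hit_resource = any(_wildcard(r).fullmatch(resource) for r in _as_list(stmt["Resource"]))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny wins regardless of other statements
            allowed = True
    return allowed
```

Evaluating the region-scoped policy against an ARN in cn-beijing, or the activation-scoped policy against an activation ID that is not listed, returns False, which is the least-privilege behaviour the samples above rely on.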