RAM users are virtual accounts whose permission levels are determined by RAM policies. This allows you to implement more secure and controllable access policies and reduces the risk of disclosing the AccessKey pair of your Alibaba Cloud account. You can use an Alibaba Cloud account to create custom policies to define permissions on API operations, ECS instances, or Cloud Assistant commands, and attach the policies to RAM users.

Background information

This topic describes how to grant the following permissions to RAM users:
  • The permission to call Cloud Assistant API operations
  • The permission to run specified Cloud Assistant commands
  • The permission to call Cloud Assistant API operations in specified regions
  • The permission to call Cloud Assistant API operations on specified ECS instances

Procedure

  1. Use your Alibaba Cloud account to create a RAM user.
    For more information, see Create a RAM user.
  2. Use your Alibaba Cloud account to create a custom policy.
    For more information, see Create a custom policy. For example custom policies for Cloud Assistant, see the subsequent sections in this topic.
  3. Use your Alibaba Cloud account to attach the policy to the created RAM user.
    For more information, see Grant permissions to a RAM user.
    • Attach the created custom policy
    • Attach the system policies provided by Alibaba Cloud
  4. Check whether the RAM user is authorized to log on to the Alibaba Cloud Management console.
    If a RAM user does not have the Console Access permission, the RAM user can use Cloud Assistant only by calling API operations. For more information, see View the permissions of a RAM user.
  5. Log on to the Alibaba Cloud Management console as the RAM user.
    For more information, see Log on to the console as a RAM user.
  6. Log on to the ECS console as the RAM user, go to the Cloud Assistant page, and use Cloud Assistant.

Administrator (read and write) permissions on Cloud Assistant

After a RAM user is granted the following policy, the user has all query and management permissions on the Cloud Assistant API operations.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTagKeys",
                "ecs:DescribeTags",
                "ecs:CreateCommand",
                "ecs:DescribeCommands",
                "ecs:InvokeCommand",
                "ecs:RunCommand",
                "ecs:DeleteCommand",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:StopInvocation",
                "ecs:DescribeCloudAssistantStatus",
                "ecs:InstallCloudAssistant"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*"
            ]
        }
    ]
}

Read-only permissions on Cloud Assistant

After a RAM user is granted the following policy, the user can query Cloud Assistant commands, task records, task details, and ECS instance status, but cannot create, run, or modify commands.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTagKeys",
                "ecs:DescribeTags",
                "ecs:DescribeCommands",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:DescribeCloudAssistantStatus"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*"
            ]
        }
    ]
}

Permissions to query the installation status of the Cloud Assistant client

API operation: DescribeCloudAssistantStatus

  • After a RAM user is granted the following policy, the user can query the installation status of the Cloud Assistant client on all ECS instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeCloudAssistantStatus"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list. After a RAM user is granted the following policy, the user can query the installation status of the Cloud Assistant client only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeCloudAssistantStatus"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx000a",
                    "acs:ecs:*:*:instance/i-instancexxx000b"
                ]
            }
        ]
    }

Permissions to view Cloud Assistant commands

API operation: DescribeCommands

  • After a RAM user is granted the following policy, the user can view all Cloud Assistant commands.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeCommands"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list. After a RAM user is granted the following policy, the user can view only the specified commands.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeCommands"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx000a",
                    "acs:ecs:*:*:command/c-commandxxx000b"
                ]
            }
        ]
    }

Permissions to delete Cloud Assistant commands

API operation: DeleteCommand

  • After a RAM user is granted the following policy, the user can delete all Cloud Assistant commands.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list. After a RAM user is granted the following policy, the user can delete only the specified commands.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx000a",
                    "acs:ecs:*:*:command/c-commandxxx000b"
                ]
            }
        ]
    }

Permissions to create Cloud Assistant scripts

API operation: CreateCommand

After a RAM user is granted at least the following policy, the user can create Cloud Assistant commands.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:CreateCommand"
            ],
            "Resource": [
                "acs:ecs:*:*:command/*"
            ]
        }
    ]
}

Permissions to run commands

API operation: InvokeCommand

  • After a RAM user is granted the following policy, the user can run commands on all instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*",
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list. After a RAM user is granted the following policy, the user can run commands only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*",
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list. After a RAM user is granted the following policy, the user can run only the specified commands, on any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b",
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify both command IDs and instance IDs in the Resource list. After a RAM user is granted the following policy, the user can run only the specified commands, and only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }

Permissions to create and run commands simultaneously

API operation: RunCommand

Note If you set the KeepCommand parameter to true when you call the RunCommand operation, you must also add "acs:ecs:*:*:command/*" to the Resource list, because the command is kept as a resource after it runs.
  • After a RAM user is granted the following policy, the user can create and run commands in one step on any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:RunCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list. After a RAM user is granted the following policy, the user can create and run commands in one step only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:RunCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }
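The Note on KeepCommand above, and the way a single stray character in an action name or ARN makes a statement match nothing, are both easy to check locally before a policy is attached. The following Python is an added example and not Alibaba Cloud tooling: lint_policy and its regular expressions are this example's own, the known-action set is simply the list of actions that appear in this topic, and the sample policies are constructed for the demonstration.

```python
"""Structural checks for a Cloud Assistant RAM policy document (added example).

Flags defects that make a statement silently fail to match (whitespace inside an
action name, a malformed ARN, an unknown action) and applies the KeepCommand rule
from the Note: a RunCommand policy used with KeepCommand=true also needs a
command/* resource next to the instance resource.
"""
import json
import re

# Actions this topic lists for Cloud Assistant; anything else is flagged as unknown.
KNOWN_ACTIONS = {
    "ecs:DescribeInstances", "ecs:DescribeTagKeys", "ecs:DescribeTags",
    "ecs:CreateCommand", "ecs:DescribeCommands", "ecs:InvokeCommand",
    "ecs:RunCommand", "ecs:DeleteCommand", "ecs:DescribeInvocations",
    "ecs:DescribeInvocationResults", "ecs:StopInvocation",
    "ecs:DescribeCloudAssistantStatus", "ecs:InstallCloudAssistant",
}
# acs:ecs:<region>:<account>:instance/<id> or command/<id>; '*' may stand in any segment.
ARN_RE = re.compile(r"^acs:ecs:[^:\s]+:[^:\s]+:(instance|command)/[^\s]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict, keep_command: bool = False) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be the string "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if re.search(r"\s", action):
                findings.append(f"{where}: whitespace inside action name {action!r}")
            elif action not in KNOWN_ACTIONS and not action.endswith("*"):
                findings.append(f"{where}: {action!r} is not a Cloud Assistant action")
        resources = _as_list(stmt.get("Resource", []))
        for arn in resources:
            if not ARN_RE.match(arn):
                findings.append(f"{where}: malformed resource ARN {arn!r}")
        # Rule from the Note: RunCommand with KeepCommand=true needs the command resource too.
        if keep_command and "ecs:RunCommand" in actions:
            if not any(":command/" in arn for arn in resources):
                findings.append(f"{where}: RunCommand with KeepCommand=true needs acs:ecs:*:*:command/*")
    return findings


# Constructed sample: looks right at a glance but carries two defects.
BROKEN = json.loads("""
{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs: RunCommand"],
        "Resource": ["acs:ecs:*:*:instance/*", "acs::ecs:*:*:command/*"]
    }]
}
""")

# The same intent written correctly.
FIXED = json.loads("""
{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:RunCommand"],
        "Resource": ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*"]
    }]
}
""")

if __name__ == "__main__":
    for finding in lint_policy(BROKEN, keep_command=True):
        print(finding)
    print("fixed policy findings:", lint_policy(FIXED, keep_command=True))
```

Run against BROKEN the linter reports the whitespace inside "ecs: RunCommand" and the double colon in "acs::ecs:*:*:command/*"; FIXED passes, and FIXED with the command resource removed passes only until keep_command=True is requested.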

Permissions to query execution results

API operation: DescribeInvocations

  • After a RAM user is granted the following policy, the user can query command execution results on all instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*",
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list. After a RAM user is granted the following policy, the user can query command execution results only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify command IDs in the Resource list. After a RAM user is granted the following policy, the user can query the execution results only of the specified commands, on any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }
  • You can specify both command IDs and instance IDs in the Resource list. After a RAM user is granted the following policy, the user can query the execution results only of the specified commands, and only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }

Permissions to stop running commands

API operation: StopInvocation

  • After a RAM user is granted the following policy, the user can stop running commands on any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StopInvocation"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list. After a RAM user is granted the following policy, the user can stop running commands only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StopInvocation"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to configure regional limits

You can specify the region segment of each ARN in the Resource list to restrict the regions in which a RAM user can act. For example, the following policy allows a RAM user to use Cloud Assistant only within the China (Hangzhou) region.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:CreateCommand",
                "ecs:DescribeCommands",
                "ecs:InvokeCommand",
                "ecs:RunCommand",
                "ecs:DeleteCommand",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:StopInvocation",
                "ecs:DescribeCloudAssistantStatus",
                "ecs:InstallCloudAssistant"
            ],
            "Resource": [
                "acs:ecs:cn-hangzhou:*:command/*",
                "acs:ecs:cn-hangzhou:*:instance/*"
            ]
        }
    ]
}
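The instance-scoped and command-scoped InvokeCommand and DescribeInvocations policies earlier in this topic, and the region-limited policy just above, all depend on how an ARN pattern in the Resource list is matched against the resources a request touches. The following Python is an added example, not part of this topic and not Alibaba Cloud's RAM evaluation engine: it is a simplified local simulator that assumes Allow-only statements with no Deny or Condition elements, and treats a request as allowed only when each resource it touches matches a Resource pattern in a statement that also grants the action. The account ID and the extra instance and command IDs used in the scenarios are constructed; the two policies are copied from this topic (the regional one trimmed to the actions exercised).

```python
"""Simplified local simulator for resource-scoped Cloud Assistant RAM policies.

Added example, not Alibaba Cloud's RAM engine. Model assumptions: Allow statements
only (no Deny, no Condition), and a request is allowed only when every resource it
touches matches a Resource pattern in a statement that also grants the action.
"""
import fnmatch


def arn_matches(pattern: str, resource: str) -> bool:
    """Match a policy ARN such as acs:ecs:cn-hangzhou:*:instance/* against a concrete ARN.

    The five colon-separated segments are matched independently with shell-style
    wildcards, so a '*' in the region segment cannot spill into the resource segment.
    """
    p_parts = pattern.split(":", 4)
    r_parts = resource.split(":", 4)
    if len(p_parts) != 5 or len(r_parts) != 5:
        return False
    return all(fnmatch.fnmatchcase(r, p) for p, r in zip(p_parts, r_parts))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resources: list) -> bool:
    """True when every resource of the request is covered for the action.

    InvokeCommand and DescribeInvocations touch two resources (a command and an
    instance); RunCommand and StopInvocation touch only the instance.
    """
    for resource in resources:
        covered = False
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if any(arn_matches(p, resource) for p in _as_list(stmt["Resource"])):
                covered = True
                break
        if not covered:
            return False
    return True


# Policy from this topic: InvokeCommand limited to two commands on two instances.
SCOPED_INVOKE = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:InvokeCommand"],
        "Resource": [
            "acs:ecs:*:*:instance/i-instancexxx00a",
            "acs:ecs:*:*:instance/i-instancexxx00b",
            "acs:ecs:*:*:command/c-commandxxx00a",
            "acs:ecs:*:*:command/c-commandxxx00b",
        ],
    }],
}

# Region-limited policy from this topic, trimmed to the actions exercised below.
HANGZHOU_ONLY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:RunCommand", "ecs:InvokeCommand"],
        "Resource": ["acs:ecs:cn-hangzhou:*:command/*", "acs:ecs:cn-hangzhou:*:instance/*"],
    }],
}

ACCOUNT = "1234567890123456"  # constructed account ID


def arn(region: str, kind: str, resource_id: str) -> str:
    """Build a concrete ARN for an 'instance' or 'command' in the constructed account."""
    return f"acs:ecs:{region}:{ACCOUNT}:{kind}/{resource_id}"


def simulate() -> dict:
    """Evaluate the requests described in the text; keys name the scenario."""
    listed_cmd = arn("cn-hangzhou", "command", "c-commandxxx00a")
    return {
        # listed command on a listed instance
        "scoped_ok": is_allowed(SCOPED_INVOKE, "ecs:InvokeCommand",
                                [listed_cmd, arn("cn-hangzhou", "instance", "i-instancexxx00a")]),
        # listed command, but the instance is not in the Resource list (constructed ID)
        "scoped_other_instance": is_allowed(SCOPED_INVOKE, "ecs:InvokeCommand",
                                            [listed_cmd, arn("cn-hangzhou", "instance", "i-other")]),
        # the scoped policy grants no other action, even on a listed command
        "scoped_wrong_action": is_allowed(SCOPED_INVOKE, "ecs:DeleteCommand", [listed_cmd]),
        # region-limited policy: Hangzhou allowed, Beijing not
        "region_ok": is_allowed(HANGZHOU_ONLY, "ecs:RunCommand",
                                [arn("cn-hangzhou", "instance", "i-any")]),
        "region_denied": is_allowed(HANGZHOU_ONLY, "ecs:RunCommand",
                                    [arn("cn-beijing", "instance", "i-any")]),
    }


if __name__ == "__main__":
    for name, allowed in simulate().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The scenario worth noticing is scoped_other_instance: the policy that lists both command IDs and instance IDs lets the user run a listed command only on a listed instance, because the instance ARN of the request has to match too. Matching segment by segment is what makes the cn-hangzhou region limit effective: an instance in cn-beijing fails on the third segment regardless of how the resource segment is written.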