Resource Access Management (RAM) users are virtual accounts to which RAM policies can be attached to grant different levels of permissions. This ensures more secure and controllable access and reduces the risk of disclosing the AccessKey pair of your Alibaba Cloud account. This topic describes how to grant permissions to RAM users and provides sample policies for Cloud Assistant.
Background information
RAM policies can be custom policies created by yourself or system policies provided by Alibaba Cloud. You can use an Alibaba Cloud account to create custom policies to define region-specific permissions and permissions on Elastic Compute Service (ECS) instances, Cloud Assistant commands, or managed-instance activation codes, and attach the policies to RAM users.
Procedure
Use an Alibaba Cloud account to create a RAM user.
For more information, see Create a RAM user.
Use the Alibaba Cloud account to create a custom policy. For more information, see Create custom policies.
The following list describes the sample Cloud Assistant-related custom policies in this topic, grouped by policy type:
Policies that include permissions on Cloud Assistant: see Cloud Assistant-specific sample custom policies.
Policies that include permissions on Cloud Assistant Agent: see Cloud Assistant Agent-specific sample custom policies.
Policies that include permissions on Cloud Assistant commands: see Cloud Assistant command-specific sample custom policies.
Policies that include permissions on file transfer: see File uploading-specific sample custom policies.
Policies that include permissions on Operation Content and Result Delivery: see Operation Content and Result Delivery-specific sample custom policies.
Policies that include permissions on managed instances: see Managed instance-specific sample custom policies.
Use your Alibaba Cloud account to attach policies to the created RAM user.
For more information, see Grant permissions to a RAM user.
Attach a custom policy that you created, or attach one of the following system policies provided by Alibaba Cloud:
AliyunECSAssistantFullAccess: grants RAM users the permissions to manage Cloud Assistant.
AliyunECSAssistantReadonlyAccess: grants RAM users read-only permissions on Cloud Assistant.
You can log on to the RAM console to view the system policies and their details. For more information, see View the basic information about a policy.
Check whether the RAM user is authorized to log on to the Alibaba Cloud Management Console.
If a RAM user does not have the Console Access permission, the RAM user can use Cloud Assistant only by calling API operations. For more information, see View the permissions of a RAM user.
Log on to the Alibaba Cloud Management Console as the RAM user.
For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
Log on to the ECS console as the RAM user, go to the Cloud Assistant page, and use Cloud Assistant.
Cloud Assistant-specific sample custom policies
Administrator (read and write) permissions on Cloud Assistant
After you attach the following sample policy to RAM users, the RAM users have all the query and management permissions on Cloud Assistant API operations.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:ModifyInvocationAttribute"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*",
"acs:ecs:*:*:invocation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ListServiceSettings",
"ecs:UpdateServiceSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings",
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}
Read-only permissions on Cloud Assistant
After you attach the following sample policy to RAM users, the RAM users have all the query permissions on Cloud Assistant API operations.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:DescribeCloudAssistant*",
"ecs:DescribeSendFileResults",
"ecs:DescribeManagedInstances",
"ecs:DescribeActivations",
"ecs:ListPluginStatus"
],
"Resource": [
"acs:ecs:*:*:instance/*",
"acs:ecs:*:*:command/*",
"acs:ecs:*:*:activation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:ListServiceSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings",
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}
Region-specific permissions on Cloud Assistant
You can specify region fields in the Resource list to limit the permissions of RAM users on a specific region. After you attach the following sample policy to RAM users, the RAM users have permissions to use Cloud Assistant within the China (Hangzhou) region.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:DescribeInstances",
"ecs:DescribeTag*",
"ecs:*Command",
"ecs:DescribeCommand*",
"ecs:DescribeInvocation*",
"ecs:StopInvocation",
"ecs:*CloudAssistant*",
"ecs:SendFile",
"ecs:DescribeSendFileResults",
"ecs:*ManagedInstance",
"ecs:DescribeManagedInstances",
"ecs:*Activation",
"ecs:DescribeActivations",
"ecs:ListPluginStatus",
"ecs:ModifyInvocationAttribute"
],
"Resource": [
"acs:ecs:cn-hangzhou:*:instance/*",
"acs:ecs:cn-hangzhou:*:command/*",
"acs:ecs:cn-hangzhou:*:activation/*",
"acs:ecs:cn-hangzhou:*:invocation/*"
]
},
{
"Effect": "Allow",
"Action": [
"ram:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ram:ServiceName": [
"archiving.ecs.aliyuncs.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ecs:ListServiceSettings",
"ecs:UpdateServiceSettings"
],
"Resource": [
"acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings",
"acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}
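The following evaluator is an added example, not Alibaba Cloud code, that applies the administrator, read-only and region-specific policies above (and, in the same way, the instance- and command-scoped policies later in this topic) to sample requests: it shows that "ecs:*Command" covers InvokeCommand and RunCommand, that the region-specific policy rejects an instance in another region, and that the read-only policy cannot run commands. The account and resource IDs are constructed, and the evaluator is a simplified model of RAM evaluation that skips Condition blocks.

```python
"""Offline evaluator for the RAM policy documents on this page.

Added example, not Alibaba Cloud code. It models three rules a reviewer needs
for these samples: '*' is a wildcard in action names ("ecs:*Command") and in
ARN segments ("acs:ecs:*:*:instance/*"), an explicit Deny beats any Allow, and
a request is denied unless some Allow matches. Statements with a Condition
block (the service-linked-role statement) are not modelled and are skipped.
"""
import fnmatch

# Constructed account and resource IDs, used only by the checks below.
ACCOUNT = "1234567890123456"
HZ_INSTANCE = f"acs:ecs:cn-hangzhou:{ACCOUNT}:instance/i-bp1example0001"
BJ_INSTANCE = f"acs:ecs:cn-beijing:{ACCOUNT}:instance/i-2zeexample0002"
HZ_COMMAND = f"acs:ecs:cn-hangzhou:{ACCOUNT}:command/c-hz01example0003"

# The page's region-specific policy, first statement only.
REGION_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ecs:DescribeInstances", "ecs:DescribeTag*", "ecs:*Command",
               "ecs:DescribeCommand*", "ecs:DescribeInvocation*",
               "ecs:StopInvocation", "ecs:*CloudAssistant*", "ecs:SendFile",
               "ecs:DescribeSendFileResults", "ecs:*ManagedInstance",
               "ecs:DescribeManagedInstances", "ecs:*Activation",
               "ecs:DescribeActivations", "ecs:ListPluginStatus",
               "ecs:ModifyInvocationAttribute"],
    "Resource": ["acs:ecs:cn-hangzhou:*:instance/*",
                 "acs:ecs:cn-hangzhou:*:command/*",
                 "acs:ecs:cn-hangzhou:*:activation/*",
                 "acs:ecs:cn-hangzhou:*:invocation/*"]}]}

# The page's read-only policy, first statement only.
READONLY_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["ecs:DescribeInstances", "ecs:DescribeTag*",
               "ecs:DescribeCommand*", "ecs:DescribeInvocation*",
               "ecs:DescribeCloudAssistant*", "ecs:DescribeSendFileResults",
               "ecs:DescribeManagedInstances", "ecs:DescribeActivations",
               "ecs:ListPluginStatus"],
    "Resource": ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*",
                 "acs:ecs:*:*:activation/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_action(pattern, action):
    # '*' matches any run of characters; everything else must match exactly.
    return fnmatch.fnmatchcase(action, pattern)


def _match_arn(pattern, arn):
    # Layout is acs:service:region:account:relative-id. Matching segment by
    # segment keeps a '*' in the region slot from spilling into the next slot.
    if pattern == "*":
        return True
    want, got = pattern.split(":", 4), arn.split(":", 4)
    return len(want) == len(got) == 5 and all(
        fnmatch.fnmatchcase(g, w) for w, g in zip(want, got))


def is_allowed(policy, action, resource):
    """True if policy allows action on resource; a matching Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if "Condition" in stmt:
            continue  # conditional statements are out of scope here
        if not any(_match_action(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_match_arn(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def is_allowed_on_all(policy, action, resources):
    """For operations that involve several resources, such as InvokeCommand on
    a command and an instance, the action must be allowed on every one."""
    return all(is_allowed(policy, action, r) for r in resources)


def expand_action(pattern, catalog):
    """Operations in catalog covered by an action pattern, e.g. "ecs:*Command"."""
    return sorted(a for a in catalog if _match_action(pattern, a))
```

Run is_allowed_on_all with the command and instance ARNs of an InvokeCommand request to review the scoped policies later in this topic.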
Cloud Assistant Agent-specific sample custom policies
Permissions to query the installation status of Cloud Assistant Agent
API operation: DescribeCloudAssistantStatus
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the installation status of Cloud Assistant Agent on all ECS instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to query the installation status of Cloud Assistant Agent on the specified instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInstances", "ecs:DescribeCloudAssistantStatus" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx000a", "acs:ecs:*:*:instance/i-instancexxx000b" ] } ] }
Permissions to install Cloud Assistant Agent
API operation: InstallCloudAssistant
After you attach the following sample policy to RAM users, the RAM users have the permissions to install Cloud Assistant Agent on any ECS instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InstallCloudAssistant" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to install Cloud Assistant Agent on the specified instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InstallCloudAssistant" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Cloud Assistant command-specific sample custom policies
Permissions to view Cloud Assistant commands
API operation: DescribeCommands
After you attach the following sample policy to RAM users, the RAM users have the permissions to query all Cloud Assistant commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }
You can specify command IDs in the Resource list to limit the permissions on specific commands. The following sample policy allows the RAM users to query the specified commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeCommands" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Permissions to delete Cloud Assistant commands
API operation: DeleteCommand
After you attach the following sample policy to RAM users, the RAM users have the permissions to delete all Cloud Assistant commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }
You can specify command IDs in the Resource list to limit the permissions on specific commands. The following sample policy allows the RAM users to delete the specified commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Permissions to create Cloud Assistant commands
API operation: CreateCommand
After you attach the following sample policy to RAM users, the RAM users have the permissions to create Cloud Assistant commands.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateCommand"
],
"Resource": [
"acs:ecs:*:*:command/*"
]
}
]
}
Permissions to modify Cloud Assistant commands
API operation: ModifyCommand
After you attach the following sample policy to RAM users, the RAM users have the permissions to modify all Cloud Assistant commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCommand" ], "Resource": [ "acs:ecs:*:*:command/*" ] } ] }
You can specify command IDs in the Resource list to limit the permissions on specific commands. The following sample policy allows the RAM users to modify the specified commands.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ModifyCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx000a", "acs:ecs:*:*:command/c-commandxxx000b" ] } ] }
Permissions to run Cloud Assistant commands
API operation: InvokeCommand
After you attach the following sample policy to RAM users, the RAM users have the permissions to run commands on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/*" ] } ] }
You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to run commands on the specified instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/*", "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
You can specify command IDs in the Resource list to limit the permissions on specific commands. The following sample policy allows the RAM users to run specific commands on instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b", "acs:ecs:*:*:instance/*" ] } ] }
You can specify both command IDs and instance IDs in the Resource list to limit the permissions on specific instances and specific commands. The following sample policy allows the RAM users to run the specific commands on the specified instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:InvokeCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
Permissions to create and run Cloud Assistant commands simultaneously
API operation: RunCommand
If you set the KeepCommand parameter to true when you call the RunCommand operation, you must also add "acs:ecs:*:*:command/*" to the Resource list.
After you attach the following sample policy to RAM users, the RAM users have the permissions to create and run commands simultaneously on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to immediately run commands only on the specified instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:RunCommand" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Permissions to query command execution results
API operation: DescribeInvocations
After you attach the following sample policy to RAM users, the RAM users have the permissions to query command execution results on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*" ] } ] }
You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to query the execution results of commands on the specified instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/*" ] } ] }
You can specify command IDs in the Resource list to limit the permissions on specific commands. The following sample policy allows the RAM users to query the execution results of only the specified commands on instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
You can specify both command IDs and instance IDs in the Resource list to limit the permissions on specific instances and specific commands. The following sample policy allows the RAM users to query the execution results of the specified commands on the specified instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeInvocations" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b", "acs:ecs:*:*:command/c-commandxxx00a", "acs:ecs:*:*:command/c-commandxxx00b" ] } ] }
Permissions to modify the execution information of scheduled tasks
API operation: ModifyInvocationAttribute
After you attach the following sample policy to RAM users, the RAM users have the permissions to modify the execution information of any scheduled task and add instances to a scheduled task.
If you modify the value of the CommandContent parameter and set the KeepCommand parameter to true when you call the InvokeCommand or RunCommand operation, a command is added and retained. In this case, you must add "acs:ecs:*:*:command/*" to the Resource list before you call the ModifyInvocationAttribute operation.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:invocation/*" ], "Effect": "Allow" } ] }
You can specify task IDs in the Resource list to limit the permissions on specific tasks. The following sample policy allows the RAM users to modify the execution information only of the specified tasks and add instances to the specified tasks.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/*", "acs:ecs:*:*:invocation/task-xxx" ], "Effect": "Allow" } ] }
You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to modify the execution information of scheduled tasks and add only the specified instances to the scheduled tasks.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/i-instance-xxx", "acs:ecs:*:*:invocation/*" ], "Effect": "Allow" } ] }
You can specify instance IDs and task IDs in the Resource list to limit the permissions on specific instances and tasks. The following sample policy allows the RAM users to modify the execution information only of the specified tasks and add only the specified instances to the scheduled tasks.
{ "Version": "1", "Statement": [ { "Action": "ecs:ModifyInvocationAttribute", "Resource": [ "acs:ecs:*:*:instance/i-instance-xxx", "acs:ecs:*:*:invocation/task-xxx" ], "Effect": "Allow" } ] }
Permissions to stop running commands
API operation: StopInvocation
After you attach the following sample policy to RAM users, the RAM users have the permissions to stop running commands on any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StopInvocation" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to stop running commands on the specified instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:StopInvocation" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
File uploading-specific sample custom policies
Permissions to upload on-premises files
API operation: SendFile
After you attach the following sample policy to RAM users, the RAM users have the permissions to upload on-premises files to any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to upload on-premises files to the specified instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:SendFile" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Permissions to query the results of file upload operations
API operation: DescribeSendFileResults
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the results of file upload operations to any instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeSendFileResults" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
You can specify instance IDs in the Resource list to limit the permissions to specific instances. The following sample policy allows the RAM users to query the results of file upload operations to the specified instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeSendFileResults" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Operation Content and Result Delivery-specific sample custom policies
Permissions to query and modify the Operation Content and Result Delivery settings
After you attach the following sample policy to RAM users, the RAM users have the permissions to query and modify the Operation Content and Result Delivery settings.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ListServiceSettings",
"ecs:UpdateServiceSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}
Permissions to query the Operation Content and Result Delivery settings
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Operation Content and Result Delivery settings.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ListServiceSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/cloudassistantdeliverysettings"
]
}
]
}
Region-specific permissions on Operation Content and Result Delivery
You can specify region IDs in the Resource list to limit the permissions of RAM users to a specific region.
After you attach the following sample policy to RAM users, the RAM users have the permissions to query and modify the Operation Content and Result Delivery settings within the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ListServiceSettings", "ecs:UpdateServiceSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings" ] } ] }
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Operation Content and Result Delivery settings within the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ListServiceSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/cloudassistantdeliverysettings" ] } ] }
Permissions to query and modify the Session Record Delivery settings
After you attach the following sample policy to RAM users, the RAM users have the permissions to query and modify the Session Record Delivery settings.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ListServiceSettings",
"ecs:UpdateServiceSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}
Permissions to query the Session Record Delivery settings
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Session Record Delivery settings.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:ListServiceSettings"
],
"Resource": [
"acs:ecs:*:*:servicesettings/sessionmanagerdeliverysettings"
]
}
]
}
Region-specific permissions on Session Record Delivery
You can specify region IDs in the Resource list to limit the permissions of RAM users to a specific region.
The following sample policy allows RAM users to query and modify the Session Record Delivery settings within the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ListServiceSettings", "ecs:UpdateServiceSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings" ] } ] }
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the Session Record Delivery settings within the China (Hangzhou) region.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:ListServiceSettings" ], "Resource": [ "acs:ecs:cn-hangzhou:*:servicesettings/sessionmanagerdeliverysettings" ] } ] }
Permissions to query OSS buckets
When you deliver O&M task execution records or session records to Object Storage Service (OSS) as a RAM user, you must grant the RAM user the permissions to query OSS buckets.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets"
],
"Resource": "*"
}
]
}
After you deliver O&M task execution records or session records to OSS, the RAM user also needs RAM permissions on OSS to query and analyze the delivered records. For more information, see Overview and Common examples of RAM policies.
Permissions to query Log Service projects and Logstores
When you deliver O&M task execution records or session records to Log Service as a RAM user, you must grant the RAM user the permissions to query Log Service projects and Logstores.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"log:ListProject",
"log:ListLogStores"
],
"Resource": "*"
}
]
}
After you deliver O&M task execution records or session records to Log Service, the RAM user also needs RAM permissions on Log Service to query and analyze the delivered records. For more information, see Overview.
Managed instance-specific sample custom policies
Permissions to deregister managed instances
API operation: DeregisterManagedInstance
After you attach the following sample policy to RAM users, the RAM users have the permissions to deregister managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterManagedInstance" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to deregister the specified managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeregisterManagedInstance" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Permissions to query managed instances
API operation: DescribeManagedInstances
After you attach the following sample policy to RAM users, the RAM users have the permissions to query managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeManagedInstances" ], "Resource": [ "acs:ecs:*:*:instance/*" ] } ] }
You can specify instance IDs in the Resource list to limit the permissions on specific instances. The following sample policy allows the RAM users to query the information about the specified managed instances.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeManagedInstances" ], "Resource": [ "acs:ecs:*:*:instance/i-instancexxx00a", "acs:ecs:*:*:instance/i-instancexxx00b" ] } ] }
Permissions to create activation codes
API operation: CreateActivation
After you attach the following sample policy to RAM users, the RAM users have the permissions to create activation codes and use them to register servers that are not provided by Alibaba Cloud as Alibaba Cloud managed instances.
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:CreateActivation"
],
"Resource": [
"acs:ecs:*:*:activation/*"
]
}
]
}
Permissions to disable activation codes
API operation: DisableActivation
After you attach the following sample policy to RAM users, the RAM users have the permissions to disable any activation code that is used to register an Alibaba Cloud managed instance.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DisableActivation" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }
You can specify activation code IDs in the Resource list to limit the permissions to specific activation codes. The following sample policy allows the RAM users to disable only the specified activation codes.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DisableActivation" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
Permissions to query activation codes
API operation: DescribeActivations
After you attach the following sample policy to RAM users, the RAM users have the permissions to query the created activation codes and their usage.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeActivations" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }
You can specify activation code IDs in the Resource list to limit the permissions to specific activation codes. The following sample policy allows the RAM users to query only the specified activation codes and their usage.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DescribeActivations" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }
Permissions to delete activation codes
API operation: DeleteActivation
After you attach the following sample policy to RAM users, the RAM users have the permissions to delete the activation codes that are not used.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteActivation" ], "Resource": [ "acs:ecs:*:*:activation/*" ] } ] }
You can specify activation code IDs in the Resource list to limit the permissions to specific activation codes. The following sample policy allows the RAM users to delete only the specified activation codes that are not used.
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "ecs:DeleteActivation" ], "Resource": [ "acs:ecs:*:*:activation/*****-*****A", "acs:ecs:*:*:activation/*****-*****B" ] } ] }