RAM users are virtual accounts whose permission levels are determined by RAM policies. This allows you to implement more secure and controllable access policies, reducing the risk of disclosing the AccessKey pair of your Alibaba Cloud account. You can use an Alibaba Cloud account to create custom policies to define permissions on API operations, ECS instances, or Cloud Assistant scripts, and attach the policies to RAM users.

Background information

This topic describes how to grant the following permissions to RAM users:
  • The permission to call Cloud Assistant API operations
  • The permission to run specified Cloud Assistant scripts
  • The permission to call Cloud Assistant API operations in specified regions
  • The permission to call Cloud Assistant API operations on specified ECS instances

Procedure

  1. Use your Alibaba Cloud account to create a RAM user.
    For more information, see Create a RAM user.
  2. Use your Alibaba Cloud account to create a custom policy.
    For more information, see Create a custom policy. For more information about example custom policies on Cloud Assistant, see the following sections.
  3. Use your Alibaba Cloud account to attach the policy to the created RAM user.
    For more information, see Grant permissions to a RAM user.
    • Attach the created custom policy
    • Attach the system policies provided by Alibaba Cloud
  4. Check whether the RAM user is authorized to log on to the Alibaba Cloud Management console.
    If a RAM user does not have the Console Access permission, the RAM user can use Cloud Assistant only by calling API operations. For more information, see View the permissions of a RAM user.
  5. Log on to the Alibaba Cloud Management console as the RAM user.
    For more information, see Log on to the console as a RAM user.
  6. Log on to the ECS console as the RAM user, go to the Cloud Assistant page, and use Cloud Assistant.

Administrator (read and write) permissions on Cloud Assistant

After a RAM user is granted the following permissions, the user has all query and management permissions on Cloud Assistant API operations.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTagKeys",
                "ecs:DescribeTags",
                "ecs:CreateCommand",
                "ecs:DescribeCommands",
                "ecs:InvokeCommand",
                "ecs:RunCommand",
                "ecs:DeleteCommand",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:StopInvocation",
                "ecs:DescribeCloudAssistantStatus",
                "ecs:InstallCloudAssistant"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*"
            ]
        }
    ]
}

Read-only permissions on Cloud Assistant

After a RAM user is granted the following permissions, the user can query Cloud Assistant scripts, script execution records, script details, and ECS instance status, but cannot create, run, or modify scripts.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:DescribeTagKeys",
                "ecs:DescribeTags",
                "ecs:DescribeCommands",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:DescribeCloudAssistantStatus"
            ],
            "Resource": [
                "acs:ecs:*:*:instance/*",
                "acs:ecs:*:*:command/*"
            ]
        }
    ]
}
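The following Python script is an added example; it is not part of the Alibaba Cloud documentation or of the RAM service. It checks a custom policy document before you attach it in step 2 of the procedure: the JSON must parse (a trailing comma in an Action or Resource array is the usual defect), every action must have the form ecs:Name with no embedded whitespace, every resource must be a well-formed acs:ecs ARN, and a policy meant to be read-only must grant only ecs:Describe* actions. The check that ecs:InvokeCommand and ecs:RunCommand are paired with both an instance and a command resource is derived from the policy examples on this page, not from a documented RAM rule. The two sample policies embedded below are constructed for the demo.

```python
import json
import re

# Constructed sample policies for the demo. READ_ONLY_POLICY mirrors the
# read-only policy above; FLAWED_POLICY deliberately carries the defects the
# linter is meant to catch (a space inside an action, and InvokeCommand with
# no command resource).
READ_ONLY_POLICY = """{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ecs:DescribeInstances",
            "ecs:DescribeCommands",
            "ecs:DescribeInvocations",
            "ecs:DescribeInvocationResults",
            "ecs:DescribeCloudAssistantStatus"
        ],
        "Resource": ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*"]
    }]
}"""

FLAWED_POLICY = """{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs: RunCommand", "ecs:InvokeCommand"],
        "Resource": ["acs:ecs:*:*:instance/*"]
    }]
}"""

# ecs:<OperationName> with no whitespace, or the ecs:* wildcard.
ACTION_RE = re.compile(r"^ecs:(\*|[A-Za-z0-9]+)$")
# acs:ecs:<region>:<account-id>:<instance|command>/<id>, '*' allowed as a wildcard.
RESOURCE_RE = re.compile(r"^acs:ecs:[a-z0-9*-]+:[0-9*]+:(instance|command)/[A-Za-z0-9*-]+$")
READ_ONLY_PREFIX = "ecs:Describe"
# Assumption drawn from the examples on this page: these operations are scoped
# by both an instance resource and a command resource.
NEEDS_INSTANCE_AND_COMMAND = {"ecs:InvokeCommand", "ecs:RunCommand"}


def _as_list(value):
    """RAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(text):
    """Return a list of findings for a policy document; an empty list means clean."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON (check for a trailing comma): {exc}"]
    findings = []
    if policy.get("Version") != "1":
        findings.append('Version must be the string "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if not ACTION_RE.match(action):
                findings.append(f"statement {i}: malformed action {action!r}")
        for res in resources:
            if res != "*" and not RESOURCE_RE.match(res):
                findings.append(f"statement {i}: malformed resource ARN {res!r}")
        # Resource types granted: the text after the last ':' and before the '/'.
        types = {r.rsplit(":", 1)[-1].split("/", 1)[0] for r in resources}
        if stmt.get("Effect") == "Allow" and "*" not in types:
            for action in actions:
                if action in NEEDS_INSTANCE_AND_COMMAND and not {"instance", "command"} <= types:
                    findings.append(f"statement {i}: {action} needs both an instance and a command resource")
    return findings


def is_read_only(text):
    """True if every Allow statement grants only ecs:Describe* actions."""
    policy = json.loads(text)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(not a.startswith(READ_ONLY_PREFIX) for a in _as_list(stmt.get("Action", []))):
            return False
    return True


if __name__ == "__main__":
    for name, doc in (("read-only", READ_ONLY_POLICY), ("flawed", FLAWED_POLICY)):
        print(name, "read-only" if is_read_only(doc) else "mutating", lint_policy(doc) or "clean")
```

Run it on a policy file before attaching the policy; a malformed action string is accepted by nothing and silently matches nothing, so the RAM user ends up with less access than intended and the mistake only shows up as API calls failing with a permission error.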

Permissions to query the installation status of the Cloud Assistant client

API operation: DescribeCloudAssistantStatus

  • After a RAM user is granted the following permissions, the user can query the installation status of the Cloud Assistant client on all ECS instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeCloudAssistantStatus"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list. After a RAM user is granted the following permissions, the user can query the installation status of the Cloud Assistant client only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInstances",
                    "ecs:DescribeCloudAssistantStatus"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx000a",
                    "acs:ecs:*:*:instance/i-instancexxx000b"
                ]
            }
        ]
    }

Permissions to view Cloud Assistant scripts

API operation: DescribeCommands

  • After a RAM user is granted the following permissions, the user can view all Cloud Assistant scripts.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeCommands"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify script IDs in the Resource list. After a RAM user is granted the following permissions, the user can view only the specified scripts.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeCommands"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx000a",
                    "acs:ecs:*:*:command/c-commandxxx000b"
                ]
            }
        ]
    }

Permissions to delete Cloud Assistant scripts

API operation: DeleteCommand

  • After a RAM user is granted the following permissions, the user can delete all Cloud Assistant scripts.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify script IDs in the Resource list. After a RAM user is granted the following permissions, the user can delete only the specified scripts.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DeleteCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx000a",
                    "acs:ecs:*:*:command/c-commandxxx000b"
                ]
            }
        ]
    }

Permissions to create Cloud Assistant scripts

API operation: CreateCommand

After a RAM user is granted the following permissions, the user can create Cloud Assistant scripts.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:CreateCommand"
            ],
            "Resource": [
                "acs:ecs:*:*:command/*"
            ]
        }
    ]
}

Permissions to run scripts

API operation: InvokeCommand

  • After a RAM user is granted the following permissions, the user can run scripts on all instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*",
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list. After a RAM user is granted the following permissions, the user can run scripts only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/*",
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }
  • You can specify script IDs in the Resource list. After a RAM user is granted the following permissions, the user can run only the specified scripts on instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b",
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify both script IDs and instance IDs in the Resource list. After a RAM user is granted the following permissions, the user can run only the specified scripts on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:InvokeCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }

Permissions for immediate script execution

API operation: RunCommand

  • After a RAM user is granted the following permissions, the user can create and run scripts in a single operation on any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:RunCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*",
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list. After a RAM user is granted the following permissions, the user can create and run scripts in a single operation only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:RunCommand"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }

Permissions to query execution results

API operation: DescribeInvocations

  • After a RAM user is granted the following permission, the user can query execution results on any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*",
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list. After a RAM user is granted the following permissions, the user can query execution results only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/*"
                ]
            }
        ]
    }
  • You can specify task IDs in the Resource list. After a RAM user is granted the following permissions, the user can query execution results only for the specified tasks on instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }
  • You can specify both task IDs and instance IDs in the Resource list. After a RAM user is granted the following permissions, the user can query execution results only for the specified tasks on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:DescribeInvocations"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b",
                    "acs:ecs:*:*:command/c-commandxxx00a",
                    "acs:ecs:*:*:command/c-commandxxx00b"
                ]
            }
        ]
    }

Permissions to stop scripts

API operation: StopInvocation

  • After a RAM user is granted the following permissions, the user can stop running scripts on any instance.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StopInvocation"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/*"
                ]
            }
        ]
    }
  • You can specify instance IDs in the Resource list. After a RAM user is granted the following permissions, the user can stop running scripts only on the specified instances.
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:StopInvocation"
                ],
                "Resource": [
                    "acs:ecs:*:*:instance/i-instancexxx00a",
                    "acs:ecs:*:*:instance/i-instancexxx00b"
                ]
            }
        ]
    }

Permissions to configure regional limits

You can specify region fields in the Resource list to restrict regional permissions of RAM users. For example, you can specify that a RAM user can use Cloud Assistant only within the China (Hangzhou) region.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeInstances",
                "ecs:CreateCommand",
                "ecs:DescribeCommands",
                "ecs:InvokeCommand",
                "ecs:RunCommand",
                "ecs:DeleteCommand",
                "ecs:DescribeInvocations",
                "ecs:DescribeInvocationResults",
                "ecs:StopInvocation",
                "ecs:DescribeCloudAssistantStatus",
                "ecs:InstallCloudAssistant"
            ],
            "Resource": [
                "acs:ecs:cn-hangzhou:*:command/*",
                "acs:ecs:cn-hangzhou:*:instance/*"
            ]
        }
    ]
}
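The following Python script is an added example, not code from the Alibaba Cloud documentation or the RAM service. It shows how the Resource list narrows what a RAM user can do, for both the InvokeCommand policies scoped to named scripts and instances above and the China (Hangzhou) regional policy in this section, by evaluating concrete requests against those two policies. The evaluation rules it implements (every requested resource must be covered by an Allow statement for the action, a matching Deny overrides, and anything else is denied) are a simplified model assumed for the demo, not the service's documented algorithm; the account ID 123456789012 and the instance and command IDs it requests are constructed placeholders.

```python
import fnmatch
import json

# Constructed policies for the demo. REGIONAL_POLICY is the China (Hangzhou)
# policy above (trimmed to a few actions); SCOPED_POLICY is the InvokeCommand
# policy limited to named scripts and instances. ACCOUNT is a placeholder.
REGIONAL_POLICY = json.loads("""{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:DescribeInstances", "ecs:InvokeCommand", "ecs:RunCommand",
                   "ecs:DescribeInvocations", "ecs:StopInvocation"],
        "Resource": ["acs:ecs:cn-hangzhou:*:command/*", "acs:ecs:cn-hangzhou:*:instance/*"]
    }]
}""")

SCOPED_POLICY = json.loads("""{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ecs:InvokeCommand"],
        "Resource": ["acs:ecs:*:*:instance/i-instancexxx00a",
                     "acs:ecs:*:*:instance/i-instancexxx00b",
                     "acs:ecs:*:*:command/c-commandxxx00a",
                     "acs:ecs:*:*:command/c-commandxxx00b"]
    }]
}""")

ACCOUNT = "123456789012"  # placeholder account ID, not a real one


def _as_list(value):
    return value if isinstance(value, list) else [value]


def arn_matches(pattern, arn):
    """Match a Resource pattern against a concrete ARN one ':'-separated segment at a
    time, so a '*' in the region, account, or resource position acts as a wildcard."""
    if pattern == "*":
        return True
    p_parts, a_parts = pattern.split(":"), arn.split(":")
    return len(p_parts) == len(a_parts) and all(
        fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))


def is_allowed(policy, action, resources):
    """Simplified RAM evaluation (an assumption of this demo): every requested
    resource must be covered by an Allow for the action, a matching Deny wins,
    and a request nothing allows is denied."""
    for resource in resources:
        allowed = False
        for stmt in policy["Statement"]:
            action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            resource_hit = any(arn_matches(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
        if not allowed:
            return False
    return True


def instance_arn(region, instance_id, account=ACCOUNT):
    return f"acs:ecs:{region}:{account}:instance/{instance_id}"


def command_arn(region, command_id, account=ACCOUNT):
    return f"acs:ecs:{region}:{account}:command/{command_id}"


def run_checks():
    """Evaluate a few representative requests and return the outcomes by name."""
    hz, bj = "cn-hangzhou", "cn-beijing"
    return {
        # InvokeCommand touches an instance and a command; both must be in the region.
        "regional_hangzhou": is_allowed(REGIONAL_POLICY, "ecs:InvokeCommand",
            [instance_arn(hz, "i-demo"), command_arn(hz, "c-demo")]),
        "regional_other_region": is_allowed(REGIONAL_POLICY, "ecs:InvokeCommand",
            [instance_arn(bj, "i-demo"), command_arn(hz, "c-demo")]),
        # An action the regional policy never lists is denied by default.
        "regional_unlisted_action": is_allowed(REGIONAL_POLICY, "ecs:DescribeTags",
            [instance_arn(hz, "i-demo")]),
        # The scoped policy allows only the listed script IDs on the listed instances.
        "scoped_listed_pair": is_allowed(SCOPED_POLICY, "ecs:InvokeCommand",
            [instance_arn(hz, "i-instancexxx00a"), command_arn(hz, "c-commandxxx00b")]),
        "scoped_unlisted_instance": is_allowed(SCOPED_POLICY, "ecs:InvokeCommand",
            [instance_arn(hz, "i-other"), command_arn(hz, "c-commandxxx00a")]),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:26s} {'allowed' if ok else 'denied'}")
```

The point the outcomes make is that a script invocation is authorized against two resources at once: restricting only the instance ARNs still leaves the user able to run any script on those instances, and restricting only the command ARNs leaves the user able to run those scripts anywhere, so the tightest grant names both.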