This topic describes how to customize RAM policies.

Prerequisites

You have basic knowledge of policy elements, structure, and syntax. For more information, see Policy structure and syntax.

Procedure

  1. Log on to the Resource Access Management (RAM) console with your Alibaba Cloud account or as an authorized RAM user.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. Configure the permissions to access Alibaba Cloud Service Mesh (ASM) instances.
    1. On the Policies page, click Create Policy.
    2. On the Create Custom Policy page, enter a policy name, such as ASMPolicy1, and select Script for the Configuration Mode parameter.
    3. In the Policy Document section, configure your policy in the editor. Then, click OK.
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "servicemesh:*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "ecs:CreateSecurityGroup",
                      "ecs:CreateSecurityGroupPermissions",
                      "ecs:DeleteSecurityGroup",
                      "ecs:DescribeAccountAttributes",
                      "ecs:DescribeSecurityGroups",
                      "ecs:AuthorizeSecurityGroup",
                      "ecs:RevokeSecurityGroup",
                      "ecs:AuthorizeSecurityGroupEgress",
                      "ecs:JoinSecurityGroup",
                      "ecs:LeaveSecurityGroup",
                      "ecs:UnassociateEipAddress",
                      "ecs:ReleaseEipAddress",
                      "ecs:RevokeSecurityGroupEgress",
                      "ecs:DescribeInstances",
                      "ecs:DescribeNetworkInterfaces"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "vpc:DescribeVpcs",
                      "vpc:DescribeVSwitches",
                      "vpc:DescribeEipAddresses",
                      "vpc:DescribeNetworkQuotas",
                      "vpc:AllocateEipAddress",
                      "vpc:AssociateEipAddress",
                      "vpc:UnassociateEipAddress",
                      "vpc:ReleaseEipAddress",
                      "vpc:DeletionProtection",
                      "vpc:DescribeVpcAttribute"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "slb:DescribeLoadBalancerAttribute",
                      "slb:CreateLoadBalancer",
                      "slb:DeleteLoadBalancer",
                      "slb:RemoveBackendServers",
                      "slb:StartLoadBalancerListener",
                      "slb:StopLoadBalancerListener",
                      "slb:CreateLoadBalancerTCPListener",
                      "slb:AddBackendServers",
                      "slb:CreateVServerGroup",
                      "slb:CreateLoadBalancerHTTPSListener",
                      "slb:CreateLoadBalancerUDPListener",
                      "slb:ModifyLoadBalancerInternetSpec",
                      "slb:SetBackendServers",
                      "slb:AddVServerGroupBackendServers",
                      "slb:DeleteVServerGroup",
                      "slb:ModifyVServerGroupBackendServers",
                      "slb:CreateLoadBalancerHTTPListener",
                      "slb:RemoveVServerGroupBackendServers",
                      "slb:DeleteLoadBalancerListener",
                      "slb:AddTags",
                      "slb:RemoveTags",
                      "slb:SetLoadBalancerDeleteProtection"
                  ],
                  "Resource": [
                      "*"
                  ],
                  "Effect": "Allow"
              },
              {
                  "Action": "xtrace:GetToken",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "cen:DescribeCenAttachedChildInstances",
                      "cen:DescribeCens"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "arms:ListClusterFromGrafana",
                      "arms:GetPrometheusApiToken",
                      "arms:Get*"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "log:GetProject"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
  4. Configure the permissions to manage Container Service for Kubernetes (ACK) clusters that are added to ASM instances.
    1. On the Policies page, click Create Policy.
    2. On the Create Custom Policy page, enter a policy name, such as ASMPolicy2, and select Script for the Configuration Mode parameter.
    3. In the Policy Document section, configure your policy in the editor.
      Notice: ACK clusters may need to be added to or removed from ASM instances. To manage these clusters, you must grant the required permissions. In the following sample code, set Resource in the statement with "Action": "cs:Get*" and "Effect": "Allow" to "acs:cs:*:*:cluster/{ID of a cluster}" to grant permissions on that ACK cluster only, or to "acs:cs:*:*:cluster/*" to grant permissions on all ACK clusters.
      {
          "Version": "1",
          "Statement": [
              {
                  "Action": "cs:Get*",
                  "Effect": "Allow",
                  "Resource": [
                      "acs:cs:*:*:cluster/{ID of an ACK cluster or *}"
                  ]
              }
          ]
      }
    4. After the configuration is completed, click OK.
      On the Policies page, you can enter the policy name or note in the search box to find your custom policy.
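The two policy documents above differ in one security-relevant way: ASMPolicy1 grants wildcard actions such as "servicemesh:*" on "Resource": "*", whereas ASMPolicy2 can be scoped to a single ACK cluster through its Resource element. The following script is an added example, not part of the Alibaba Cloud documentation or of any RAM tooling. It evaluates an action/resource pair against a policy document using the default-deny and explicit-Deny-wins rules, and lists the Allow statements that pair a wildcard action with "Resource": "*". It models only the Version, Statement, Action, Resource and Effect elements shown on this page (no Condition, NotAction or Principal), treats only "*" as a wildcard, and assumes action names match case-insensitively. The cluster IDs, account IDs and region names are constructed placeholders.

```python
"""Offline evaluator and linter for the RAM policy documents shown on this page.

Added example, not from the Alibaba Cloud documentation. Only the elements used
on this page are modelled: Version/Statement/Action/Resource/Effect. Condition,
NotAction and Principal are not handled, and '*' is the only wildcard.
"""
import json
import re
from typing import Iterable, List, Union

# Constructed sample: the ASMPolicy2 document from step 4 with the
# "{ID of an ACK cluster}" placeholder replaced by a made-up cluster ID.
CLUSTER_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {
            "Action": "cs:Get*",
            "Effect": "Allow",
            "Resource": ["acs:cs:*:*:cluster/c0ffee1234567890"],
        }
    ],
})

# Constructed sample: two statements of the ASMPolicy1 document from step 3.
MESH_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["servicemesh:*"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["log:GetProject"], "Resource": "*", "Effect": "Allow"},
    ],
})


def _as_list(value: Union[str, Iterable[str]]) -> List[str]:
    """Action and Resource may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """Match value against pattern, where '*' stands for any run of characters.

    Everything else is matched literally (regex metacharacters are escaped), so
    'acs:cs:*:*:cluster/*' becomes ^acs:cs:.*:.*:cluster/.*$.
    """
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def is_allowed(policy_doc: str, action: str, resource: str) -> bool:
    """Decide whether action on resource is permitted by the policy document.

    Semantics modelled: everything is denied unless some statement allows it,
    and a matching Deny statement overrides every Allow. Action names are
    compared case-insensitively (assumption); resource strings are compared
    exactly apart from the '*' wildcard, so cluster IDs must match as written.
    """
    policy = json.loads(policy_doc)
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(_wildcard_match(p, action, ignore_case=True)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(p, resource, ignore_case=False)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit Deny wins regardless of other statements
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def find_broad_grants(policy_doc: str) -> List[str]:
    """Return wildcard actions that an Allow statement grants on Resource '*'.

    These are the grants to review first when tightening a custom policy:
    in ASMPolicy1 that is 'servicemesh:*' (and 'arms:Get*' in the full document).
    """
    policy = json.loads(policy_doc)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        findings.extend(act for act in _as_list(stmt.get("Action", [])) if "*" in act)
    return findings


if __name__ == "__main__":
    # Constructed resource strings in the acs:service:region:account:relative-id form.
    target = "acs:cs:cn-hangzhou:1234567890123456:cluster/c0ffee1234567890"
    other = "acs:cs:cn-hangzhou:1234567890123456:cluster/deadbeef00000000"
    print(is_allowed(CLUSTER_POLICY, "cs:GetClusters", target))    # True
    print(is_allowed(CLUSTER_POLICY, "cs:GetClusters", other))     # False: other cluster
    print(is_allowed(CLUSTER_POLICY, "cs:DeleteCluster", target))  # False: not cs:Get*
    print(find_broad_grants(MESH_POLICY))                          # ['servicemesh:*']
```

Run the script against a saved policy document to confirm that a cluster-scoped Resource really excludes other clusters before attaching the policy to a RAM user, and use the broad-grant list to decide which "Resource": "*" statements can be narrowed.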