Before you access Image Search as a RAM user, you must grant permissions to the RAM user. This topic describes how to grant a RAM user the permission to access Image Search.

Background information

Resource Access Management (RAM) is an identity and access control service that is provided by Alibaba Cloud. RAM allows you to create and manage RAM users, such as individuals, systems, and applications. You can manage permissions of RAM users to control access to Alibaba Cloud resources. If multiple users in your enterprise need to access the same resources, you can use RAM to grant the minimum permissions to these users. This eliminates the need to share the AccessKey pair of your Alibaba Cloud account with these users and reduces security risks.

Overview

Before you access Image Search as a RAM user, you must grant permissions to the RAM user. You can grant permissions by using the following policies:
  • General policies
  • Custom policies
We recommend that you attach general policies to RAM users. This avoids complex configuration. If general policies cannot meet your business needs, you can create custom policies.

Regions that support RAM user authorization

The following table lists the regions in which you can grant permissions to RAM users of Image Search.

Region                  RegionId
China (Shanghai)        cn-shanghai
Singapore (Singapore)   ap-southeast-1
China (Hong Kong)       cn-hongkong
Japan (Tokyo)           ap-northeast-1
Germany (Frankfurt)     eu-central-1

General policies

Image Search provides the following two types of general policies. You can select the general policies based on your business needs.
  • AliyunImagesearchReadOnlyAccess: the read-only permission to access Image Search. This permission can be granted to read-only users.
  • AliyunImagesearchFullAccess: the permission to manage Image Search. This permission can be granted to administrators.
  1. Log on to the RAM console.
  2. In the left-side navigation pane, click Grants under Permissions.
  3. Click Grant Permission.
    (Figure: Grant permissions)
  4. In the Principal section, enter the name or ID of the RAM user to search for the RAM user. Then, select the RAM user.
  5. In the Authorization Policy Name column on the left side, click the policies that you want to attach to the RAM user.
    (Figure: RAM authorization - general policies)

Custom policies

Image Search supports only instances as the resource type. You must specify resources in policies in the following ways:
  • Resource type: instance
  • Format in which resources are specified in authorization policies: acs:imagesearch:$regionid:$accountid:instance/$instance
    • $regionid: the ID of the region where Image Search resides. If no specific region is required, you can use an asterisk (*) as a wildcard character.
    • $accountid: the ID of the Alibaba Cloud account, such as 123456789012****. If no ID is required or available, you can use an asterisk (*) instead.
    • $instance: the name of the instance, such as demo123. If no instance name is required or available, you can use an asterisk (*) instead.
Table 1. Action permissions on different resources

Resource: instance/*
Actions:
  • ClearInstance: clears all the instances.
  • DescribeInstance: views the details of an instance.
  • IncreaseInstance: increases one instance.
  • InitInstance: initializes an instance.
  • RemoveInstance: deletes an instance.
  • ListInstance: views the instance list.
  • SearchItem: searches for products or images.
  • DeleteItem: deletes products or images.
  • AddItem: adds products or images.
  • ListIncrement: views the increased instance.
  • TagResources: attaches a tag to a specific resource.
  • UntagResources: detaches a tag from a specific resource.

Resource: instance/$instance
Actions:
  • ClearInstance: clears all the instances.
  • DescribeInstance: views the details of an instance.
  • IncreaseInstance: increases one instance.
  • InitInstance: initializes an instance.
  • RemoveInstance: deletes an instance.
  • SearchItem: searches for products or images.
  • DeleteItem: deletes products or images.
  • AddItem: adds products or images.
  • ListIncrement: views the increased instance.
  • TagResources: attaches a tag to a specific resource.
  • UntagResources: detaches a tag from a specific resource.
  1. Log on to the RAM console.
  2. In the left-side navigation pane, click Policies under Permissions.
  3. On the Policies page, click Create Policy.
    (Figure: Create policies)
  4. On the Create Custom Policy page, specify the parameters to create a custom policy.
    In the Policy Name field, enter a policy name, for example, Imagesearch_ram. In the Note field, enter the description of the policy. Set the Configuration Mode parameter to Script, and enter the content of the policy.
    (Figure: RAM authorization - custom policy)
  5. In the left-side navigation pane, click Grants under Permissions.
  6. Click Grant Permission.
    (Figure: Grant permissions)
  7. In the Principal section, enter the name or ID of the RAM user to search for the RAM user. Then, select the RAM user.
  8. In the Authorization Policy Name column on the left side, click the policies that you want to attach to the RAM user.
    The following figure shows how to attach the policy named Imagesearch_ram to the RAM user.
    (Figure: RAM authorization - add a custom policy)

Examples of custom policies

  • Example 1
    In this example, the policy must meet the following requirements:
    • The ID of the Alibaba Cloud account is 1234.
    • The region is China (Shanghai).
    • All the instances can be accessed.
    • All the permissions in the Image Search console are to be granted, except the permissions to clear and delete instances.
    • Only requests from the specified IP address range are allowed for the RAM user.
    The following policy content is provided:
    {
      "Statement": [
       {
         "Action": [
           "imagesearch:ListInstance",
           "imagesearch:DescribeInstance",
           "imagesearch:IncreaseInstance",
           "imagesearch:InitInstance",
           "imagesearch:ListIncrement"
         ],
         "Condition": {
           "IpAddress": {
             "acs:SourceIp": "xxx.xx.xxx.x/xx"
           }
         },
         "Effect": "Allow",
         "Resource": "acs:imagesearch:cn-shanghai:1234:instance/*"
       }
      ],
      "Version": "1"
    }
  • Example 2
    In this example, the policy must meet the following requirements:
    • The ID of the Alibaba Cloud account is 1234.
    • All the regions are supported.
    • All the instances can be accessed.
    • All the permissions to perform operations in the console and to call all the API operations are to be granted.
    The following policy content is provided:
    {
      "Statement": [
        {
          "Action": [
            "imagesearch:*"
          ],
          "Effect": "Allow",
          "Resource": "acs:imagesearch:*:1234:instance/*"
        }
      ],
      "Version": "1"
    }
  • Example 3
    In this example, the policy must meet the following requirements:
    • The ID of the Alibaba Cloud account is 1234.
    • All the regions are supported.
    • The instance name is instance12138.
    • All the permissions to perform operations are to be granted.
    The following policy content is provided:
    {
      "Statement": [
        {
          "Action": [
            "imagesearch:*"
          ],
          "Effect": "Allow",
          "Resource": "acs:imagesearch:*:1234:instance/instance12138"
        }
      ],
      "Version": "1"
    }
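The resource format described under "Custom policies" and the three example policies above can be exercised offline with the following Python script. It is added here as an illustration and is not part of the Alibaba Cloud documentation or SDK. The script builds resource strings in the documented acs:imagesearch:$regionid:$accountid:instance/$instance format, evaluates a request (action, resource, source IP) against a policy with a simplified approximation of RAM's Allow/Deny matching (an assumption of this example: "*" is the only wildcard, only the IpAddress/acs:SourceIp condition is implemented, and any other condition operator fails closed), and lints a policy document before it is pasted into the console. The embedded sample policies are constructed to mirror Example 1 and Example 3, with the documentation range 192.0.2.0/24 standing in for the IP placeholder.

```python
import ipaddress
import json
import re

# Constructed sample policies mirroring Example 1 and Example 3 of this topic.
# 192.0.2.0/24 is a constructed stand-in for the "xxx.xx.xxx.x/xx" placeholder.
EXAMPLE_1 = {
    "Statement": [{
        "Action": [
            "imagesearch:ListInstance",
            "imagesearch:DescribeInstance",
            "imagesearch:IncreaseInstance",
            "imagesearch:InitInstance",
            "imagesearch:ListIncrement",
        ],
        "Condition": {"IpAddress": {"acs:SourceIp": "192.0.2.0/24"}},
        "Effect": "Allow",
        "Resource": "acs:imagesearch:cn-shanghai:1234:instance/*",
    }],
    "Version": "1",
}
EXAMPLE_3 = {
    "Statement": [{
        "Action": ["imagesearch:*"],
        "Effect": "Allow",
        "Resource": "acs:imagesearch:*:1234:instance/instance12138",
    }],
    "Version": "1",
}
# Constructed: a policy text with a trailing comma inside the Action array (invalid JSON).
BAD_JSON = ('{"Statement":[{"Action":["imagesearch:*",],"Effect":"Allow",'
            '"Resource":"acs:imagesearch:*:1234:instance/instance12138"}],"Version":"1"}')


def build_resource(region="*", account_id="*", instance="*"):
    """Assemble acs:imagesearch:$regionid:$accountid:instance/$instance; "*" is the wildcard."""
    return f"acs:imagesearch:{region}:{account_id}:instance/{instance}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """Wildcard match: "*" matches any run of characters, everything else literally."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.fullmatch(regex, value) is not None


def _condition_met(condition, source_ip):
    """Only IpAddress/acs:SourceIp (the operator used in this topic) is implemented;
    any other operator fails closed so an unknown condition never widens access."""
    for operator, values in condition.items():
        if operator != "IpAddress" or source_ip is None:
            return False
        ip = ipaddress.ip_address(source_ip)
        cidrs = _as_list(values.get("acs:SourceIp", []))
        if not any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return False
    return True


def is_allowed(policy, action, resource, source_ip=None):
    """Simplified evaluation (assumption): an explicit Deny wins, otherwise a single
    matching Allow grants the request; no matching statement means refusal."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def policy_errors(text):
    """Lint a policy document before pasting it into the console; returns the problems found."""
    try:
        policy = json.loads(text)
    except ValueError as exc:
        return [f"invalid JSON: {exc}"]
    errors = []
    if policy.get("Version") != "1":
        errors.append('"Version" must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return errors + ['"Statement" must be a non-empty list']
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            errors.append(f"statement {i}: Effect must be Allow or Deny")
        for a in _as_list(stmt.get("Action", [])):
            if not a.startswith("imagesearch:"):
                errors.append(f"statement {i}: action {a!r} is not an imagesearch: action")
        for r in _as_list(stmt.get("Resource", [])):
            if not r.startswith("acs:imagesearch:") or ":instance/" not in r:
                errors.append(f"statement {i}: resource {r!r} is not an Image Search instance")
    return errors
```

Running is_allowed(EXAMPLE_1, "imagesearch:ClearInstance", build_resource("cn-shanghai", "1234", "demo123"), "192.0.2.10") returns False while the same call with "imagesearch:DescribeInstance" returns True, which is the least-privilege effect Example 1 is written for; EXAMPLE_3 allows every action but only on instance12138. policy_errors(BAD_JSON) reports the trailing comma before the policy ever reaches the console.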