Enterprise Distributed Application Service:Use tags to implement access control on resources

Last Updated:Feb 01, 2024

After you add tags to applications and clusters in Enterprise Distributed Application Service (EDAS), you can use the tags to implement access control on these applications and clusters. This topic describes how to attach a Resource Access Management (RAM) policy to RAM users and then use tags to manage their permissions on resources. In this example, applications are used.

Prerequisites

Background information

Alibaba Cloud implements policy-based access control. You can configure RAM policies based on the roles of RAM users. You can define multiple tags in each policy and attach one or more policies to RAM users or RAM user groups. If you want to determine the resources that a RAM user can access, you can create a custom policy and specify tags in the policy.

You must use RAM instead of the permission control system of EDAS if you want to use tags to implement access control. For more information about permission control, see Permission management.

In this example, three applications are deployed in EDAS. The applications are deployed in different environments and are intended for different projects. Therefore, the following tags are added to these applications:

app-001:
    Environment=TEST  #Test environment
    Team=team1       #Project 1
app-002:
    Environment=DEV   #Development environment
    Team=team1       #Project 1
app-003:
    Environment=PROD  #Production environment
    Team=team2       #Project 2

In this example, three RAM users are created: User 1, User 2, and User 3. You can grant the RAM users different permissions on resources based on the principle of least privilege. For example, you can grant the RAM users permissions based on the following policy:

  • Grant User 1 the permissions to manage all applications in the development and test environments.

  • Grant User 2 the permissions to manage all applications for Project 1 in the test environment.

  • Grant User 3 the permissions to manage all applications except for those in the production environment.

To meet the preceding requirements, you can create a custom policy and specify tags in the policy.

Create a custom policy that contains tags

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab.

  5. In the code editor, enter a custom policy and click Next to edit policy information.

    The following three policy documents meet the preceding requirements, one per RAM user:

    • Grant User 1 the permissions to manage all applications in the development and test environments.

      {
        "Statement": [
          {
            "Action": "edas:ManageApplication",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "edas:tag/Environment": ["DEV", "TEST"]
              }
            }
          }
        ],
        "Version": "1"
      }
    • Grant User 2 the permissions to manage all applications for Project 1 in the test environment.

      {
        "Statement": [
          {
            "Action": "edas:ManageApplication",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "edas:tag/Team": ["team1"],
                "edas:tag/Environment": ["TEST"]
              }
            }
          }
        ],
        "Version": "1"
      }
    • Grant User 3 the permissions to manage all applications except for those in the production environment.

      {
        "Statement": [
          {
            "Action": "edas:ReadApplication",
            "Effect": "Allow",
            "Resource": "*"
          },
          {
            "Action": "edas:ReadApplication",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "edas:tag/Environment": ["PROD"]
              }
            }
          }
        ],
        "Version": "1"
      }
  6. Configure the Name and Description parameters for the policy, check the policy content in the Policy document section, and then click OK.

    After the custom policy is created, the policy is displayed in the policy list.
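The following added example (not part of the original topic or of the RAM service itself) models how RAM evaluates the three policies above against the three tagged applications, so you can check the intended grants before attaching a policy: values listed under one StringEquals key are any-of, several keys in one Condition are all-of, and an explicit Deny (User 3's PROD rule) overrides the broad Allow. The application tags and the evaluator are constructed for illustration and assume Resource "*" and exact action names, which is all these policies use.

```python
# Constructed sample data: the three EDAS applications and their tags listed above.
APPLICATIONS = {
    "app-001": {"Environment": "TEST", "Team": "team1"},
    "app-002": {"Environment": "DEV", "Team": "team1"},
    "app-003": {"Environment": "PROD", "Team": "team2"},
}

def condition_matches(condition, tags):
    """StringEquals: every key must match (AND); a list of values means any-of (OR).
    Keys look like 'edas:tag/Environment'; a resource missing the tag never matches."""
    for key, allowed in condition.get("StringEquals", {}).items():
        tag_name = key.split("/", 1)[1]
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if tags.get(tag_name) not in allowed:
            return False
    return True

def evaluate(policy, action, tags):
    """Simplified RAM evaluation: an explicit Deny wins over any Allow, and a request
    matching no statement is implicitly denied (assumes Resource "*", exact actions)."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or not condition_matches(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def statement(action, effect, string_equals=None):
    """Build one policy statement in the shape used by the JSON documents above."""
    stmt = {"Action": action, "Effect": effect, "Resource": "*"}
    if string_equals:
        stmt["Condition"] = {"StringEquals": string_equals}
    return stmt

# The three policies from this topic, rebuilt statement by statement.
USER1 = {"Version": "1", "Statement": [
    statement("edas:ManageApplication", "Allow", {"edas:tag/Environment": ["DEV", "TEST"]})]}
USER2 = {"Version": "1", "Statement": [
    statement("edas:ManageApplication", "Allow",
              {"edas:tag/Team": ["team1"], "edas:tag/Environment": ["TEST"]})]}
USER3 = {"Version": "1", "Statement": [
    statement("edas:ReadApplication", "Allow"),
    statement("edas:ReadApplication", "Deny", {"edas:tag/Environment": ["PROD"]})]}

def allowed_apps(policy, action):
    """Names of the applications on which the policy allows the given action."""
    return sorted(n for n, t in APPLICATIONS.items() if evaluate(policy, action, t) == "Allow")
```

Running `allowed_apps` for each user shows User 1 reaching app-001 and app-002, User 2 only app-001, and User 3 reading app-001 and app-002 while app-003 is denied; because User 3's policy as written names only edas:ReadApplication, the same check returns no applications for edas:ManageApplication.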

Attach the custom policy to RAM users

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the RAM user that you want to manage and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, select Alibaba Cloud Account as Authorized Scope.

  5. In the Add Permissions panel, click Custom Policy in the Select Policy section. Then, search for the custom policy that you created, select the policy, and then click OK.


  6. In the Add Permissions panel, confirm the authorization information and click Complete.

Access resources as a RAM user

Log on to the EDAS console as a RAM user and check whether you can access resources as expected.