After you add tags to applications and clusters in Enterprise Distributed Application Service (EDAS), you can use the tags to enforce access control on these applications and clusters. This topic provides an example on how to attach a Resource Access Management (RAM) policy to RAM users and then use tags to limit their permissions on resources.

Prerequisites

Background information

Alibaba Cloud enforces policy-based access control. You can configure RAM permission policies based on the roles of RAM users. You can define one or more tags in each permission policy and attach one or more permission policies to each RAM user or user group. If you want to manage which resources a RAM user can access, you can create a custom permission policy and add tags to the policy.

You must use RAM instead of the permission control system of EDAS if you want to use tags to manage access control. For more information about permission control, see Overview.

In this example, three applications are deployed in EDAS. The applications are deployed in different environments and are intended for different projects. Therefore, the following tags are added to these applications:
app-001:
    Enviroment=TEST  # Staging environment
    Team=team1       # Project 1
app-002:
    Enviroment=DEV   # Development environment
    Team=team1       # Project 1
app-003:
    Enviroment=PROD  # Production environment
    Team=team2       # Project 2
In this example, three RAM users are created: User 1, User 2, and User 3. You can grant the following permissions to the RAM users based on the principle of least privilege:
  • Grant User 1 the permissions to manage all applications in the development and staging environments.
  • Grant User 2 the permissions to manage all applications for Project 1 in the staging environment.
  • Grant User 3 the permissions to manage all applications except for those in the production environment.

To meet the preceding requirements, you can create a custom permission policy and add tags to the policy.

Create a custom permission policy that contains tags

  1. Use your Alibaba Cloud account to log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, specify Policy Name and Note, and click Script. Then, enter the content of the permission policy in the Policy Document field and click OK.
    Parameter           Description
    Policy Name         Enter a name for the custom permission policy.
    Note                Specify the purpose and scope of the custom permission policy.
    Configuration Mode  Only Script can be selected.
    Policy Document     Enter the content of the custom permission policy.
    The following example shows the content of the permission policy that meets the preceding requirements:
    • Grant User 1 the permissions to manage all applications in the development and staging environments.
      {
        "Statement": [
          {
            "Action": "edas:ManageApplication",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "edas:tag/Enviroment": ["DEV", "TEST"]
              }
            }
          }
        ],
        "Version": "1"
      }
    • Grant User 2 the permissions to manage all applications for Project 1 in the staging environment.
      {
        "Statement": [
          {
            "Action": "edas:ManageApplication",
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "edas:tag/Team": ["team1"],
                "edas:tag/Enviroment": ["TEST"]
              }
            }
          }
        ],
        "Version": "1"
      }
    • Grant User 3 the permissions to manage all applications except for those in the production environment.
      {
        "Statement": [
          {
            "Action": "edas:ReadApplication",
            "Effect": "Allow",
            "Resource": "*"
          },
          {
            "Action": "edas:ReadApplication",
            "Effect": "Deny",
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "edas:tag/Enviroment": ["PROD"]
              }
            }
          }
        ],
        "Version": "1"
      }
    After the custom permission policy is created, it is displayed in the policies list.
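Before attaching a tag-conditioned policy, it is worth checking on paper which applications each user will actually reach, because two details of RAM's evaluation decide the outcome: a StringEquals block with several keys (User 2) only matches when every key matches, and an explicit Deny (User 3) overrides any Allow from any attached policy. The following Python script is an added example, not code from the page or from Alibaba Cloud; it is a simplified simulator of that evaluation logic (explicit Deny, then Allow, otherwise implicit Deny), it models only the StringEquals operator and Resource "*" as used in the three policies above, and the names evaluate, access_matrix, condition_matches and APPLICATIONS are its own. The application inventory is constructed to mirror the three tagged applications from the example, and the tag key is spelled Enviroment exactly as the policies spell it.

```python
import json
from fnmatch import fnmatchcase

# Constructed inventory mirroring the three tagged applications described above.
APPLICATIONS = {
    "app-001": {"Enviroment": "TEST", "Team": "team1"},
    "app-002": {"Enviroment": "DEV", "Team": "team1"},
    "app-003": {"Enviroment": "PROD", "Team": "team2"},
}

# The three policy documents from the page, reproduced verbatim.
USER1_POLICY = json.loads("""{
  "Statement": [{"Action": "edas:ManageApplication", "Effect": "Allow", "Resource": "*",
                 "Condition": {"StringEquals": {"edas:tag/Enviroment": ["DEV", "TEST"]}}}],
  "Version": "1"}""")

USER2_POLICY = json.loads("""{
  "Statement": [{"Action": "edas:ManageApplication", "Effect": "Allow", "Resource": "*",
                 "Condition": {"StringEquals": {"edas:tag/Team": ["team1"],
                                                "edas:tag/Enviroment": ["TEST"]}}}],
  "Version": "1"}""")

USER3_POLICY = json.loads("""{
  "Statement": [{"Action": "edas:ReadApplication", "Effect": "Allow", "Resource": "*"},
                {"Action": "edas:ReadApplication", "Effect": "Deny", "Resource": "*",
                 "Condition": {"StringEquals": {"edas:tag/Enviroment": ["PROD"]}}}],
  "Version": "1"}""")

TAG_KEY_PREFIX = "edas:tag/"


def condition_matches(condition, tags):
    """Simplified condition check: every key must match (AND), and a key is
    satisfied by any one of its listed values (OR). Only StringEquals is modelled."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator not modelled: {operator}")
        for key, wanted in keys.items():
            if not key.startswith(TAG_KEY_PREFIX):
                raise ValueError(f"condition key not modelled: {key}")
            actual = tags.get(key[len(TAG_KEY_PREFIX):])
            wanted = wanted if isinstance(wanted, list) else [wanted]
            if actual not in wanted:
                return False
    return True


def evaluate(policies, action, tags):
    """Decision for one action on one tagged resource across all attached policies.
    An explicit Deny wins over every Allow; without a matching Allow the result is
    an implicit Deny. Statement order does not change the outcome."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(fnmatchcase(action, pattern) for pattern in actions):
                continue
            if stmt.get("Resource", "*") != "*":
                raise ValueError('only Resource "*" is modelled')
            if not condition_matches(stmt.get("Condition", {}), tags):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def access_matrix(policies, action):
    """Map every application to the decision a user holding `policies` gets for `action`."""
    return {app: evaluate(policies, action, tags) for app, tags in APPLICATIONS.items()}


if __name__ == "__main__":
    for user, policies, action in [
        ("User 1", [USER1_POLICY], "edas:ManageApplication"),
        ("User 2", [USER2_POLICY], "edas:ManageApplication"),
        ("User 3", [USER3_POLICY], "edas:ReadApplication"),
    ]:
        print(user, action, access_matrix(policies, action))
    # A broad Allow attached alongside User 3's policy does not reopen the
    # production application for the denied action: the explicit Deny still wins.
    broad = {"Statement": [{"Action": "edas:*", "Effect": "Allow", "Resource": "*"}], "Version": "1"}
    print("User 3 + broad allow, read app-003:",
          evaluate([broad, USER3_POLICY], "edas:ReadApplication", APPLICATIONS["app-003"]))
```

Two points the matrix makes visible: User 2's policy does not reach app-002 even though it belongs to team1, because the DEV environment fails the second key of the AND-ed condition; and User 3's Deny covers only the action it names, so a broad Allow for other actions attached later is not blocked by it. Treat the script as a pre-check only; the RAM service itself is the authority on how a policy is evaluated.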

Attach the custom permission policy to RAM users

  1. Use your Alibaba Cloud account to log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the page that appears, find the RAM user that you want to manage and click Add Permissions in the Actions column.
  4. In the Add Permissions pane, click Alibaba Cloud account all resources in the Authorization section.
  5. In the Add Permissions panel, click Custom Policy in the Select Policy section. Then, search for the custom permission policy that you created, select it, and click OK.
  6. In the Add Permissions pane, confirm the authorization information and click Complete.

Access resources as a RAM user

Log on to the EDAS console as a RAM user and check whether you can access the required resources.