
Elastic Compute Service:Run Cloud Assistant commands as a regular user

Last Updated:Dec 25, 2023

For security purposes, we recommend that you run Cloud Assistant commands as a regular user (non-root or non-system user) based on the principle of least privilege. This topic describes how to configure a Resource Access Management (RAM) user to run Cloud Assistant commands as a regular user.

Prerequisites

Regular users are created on the Elastic Compute Service (ECS) instance. In this topic, the regular users user01 and user02 are used.

Background information

If you do not configure specific permissions when you run a Cloud Assistant command, the command is run based on the highest level of permissions on instances. By default, Cloud Assistant commands are run by the root user on Linux instances and by the system user on Windows instances.

To ensure information security, we recommend that you restrict the use of the root user or system user on ECS instances. You can create a RAM user and attach policies to the RAM user that deny the root user or system user from running Cloud Assistant commands on ECS instances and policies that allow specific users, such as user01 and user02, to run Cloud Assistant commands on ECS instances.

Run Cloud Assistant commands on Linux instances as a regular user

If you want to run Cloud Assistant commands only on Linux instances, you can perform the following operations to restrict a RAM user from running Cloud Assistant commands as the root user:

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. Create a RAM user. For more information, see Create a RAM user.

    The following parameters and example values are required to create a RAM user.

    • Logon Name: commandUser

    • Display Name: commandUser

    • Access Mode: You can use Cloud Assistant by using the Alibaba Cloud Management Console or by calling API operations. In this example, select Console Access and OpenAPI Access.

      Note: You can select an access mode based on your business requirements to conform to the principle of least privilege.

    • Set Logon Password: Select Automatically Regenerate Default Password.

    • Password Reset: Select Required at Next Logon.

    • Enable MFA: Select Not Required.

    After you create a RAM user, record the username, password, and AccessKey pair of the RAM user.

  3. Create a policy that includes permissions on Cloud Assistant. For more information, see Create custom policies.

    Figure: RAM user permission settings

    Create a policy named commandUserPolicy to allow or deny users to run Cloud Assistant commands on ECS instances. The following section describes example policies. You can modify the policies based on your business requirements.

    • Policy that allows specific regular users, such as user01 and user02, to run Cloud Assistant commands on ECS instances:

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeInstances",
                      "ecs:DescribeTagKeys",
                      "ecs:DescribeTags",
                      "ecs:CreateCommand",
                      "ecs:DescribeCommands",
                      "ecs:InvokeCommand",
                      "ecs:RunCommand",
                      "ecs:DeleteCommand",
                      "ecs:DescribeInvocations",
                      "ecs:DescribeInvocationResults",
                      "ecs:StopInvocation",
                      "ecs:DescribeCloudAssistantStatus",
                      "ecs:InstallCloudAssistant"
                  ],
                  "Resource": [
                      "acs:ecs:*:*:instance/*",
                      "acs:ecs:*:*:command/*"
                  ],
                  "Condition": {
                      "StringEquals": {
                          "ecs:CommandRunAs": [
                              "user01",
                              "user02"
                          ]
                      }
                  }
              }
          ],
          "Version": "1"
      }

      Note

      If you want to allow other users to run Cloud Assistant commands on ECS instances, you can modify or add usernames in the Condition element.

    • Policy that denies specific users, such as the root user or system user, from running Cloud Assistant commands on ECS instances. The policy allows the Cloud Assistant actions only when the ecs:CommandRunAs condition key is neither root nor system:

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeInstances",
                      "ecs:DescribeTagKeys",
                      "ecs:DescribeTags",
                      "ecs:CreateCommand",
                      "ecs:DescribeCommands",
                      "ecs:InvokeCommand",
                      "ecs:RunCommand",
                      "ecs:DeleteCommand",
                      "ecs:DescribeInvocations",
                      "ecs:DescribeInvocationResults",
                      "ecs:StopInvocation",
                      "ecs:DescribeCloudAssistantStatus",
                      "ecs:InstallCloudAssistant"
                  ],
                  "Resource": [
                      "acs:ecs:*:*:instance/*",
                      "acs:ecs:*:*:command/*"
                  ],
                  "Condition": {
                      "StringNotEqualsIgnoreCase": {
                          "ecs:CommandRunAs": [
                              "system",
                              "root"
                          ]
                      }
                  }
              }
          ],
          "Version": "1"
      }

      Note

      If you want to deny other users from running Cloud Assistant commands on ECS instances, you can modify or add usernames in the Condition element.

  4. Grant the ECS read-only permissions and Cloud Assistant permissions to the RAM user. For more information, see Grant permissions to a RAM user.

    Figure: Grant permissions

    • To grant the read-only permissions on ECS to the RAM user, select AliyunECSReadOnlyAccess on the System Policy tab.

    • To grant the Cloud Assistant permissions to the RAM user, select the commandUserPolicy policy that you created in the previous step on the Custom Policy tab.

  5. Log on to the Alibaba Cloud Management Console as the RAM user.

  6. Run a Cloud Assistant command and verify the result. For more information, see Use the immediate execution feature.

    • The following figure shows the procedure that is performed in the ECS console. You must configure the Username parameter.

      Figure: Create a command by using Cloud Assistant

      user01 can run the Cloud Assistant command, and an error is reported when the root user runs the command.

    • The following figure shows the procedure that is performed by using the CLI. user01 can run the Cloud Assistant command, and an error is reported when the root user runs the command.

      Figure: CLI result

Run Cloud Assistant commands on Windows instances as a regular user

To run Cloud Assistant commands on Windows instances, you must specify a username and a password. To ensure data security, you must host your logon password in CloudOps Orchestration Service (OOS) and perform encryption by using Key Management Service (KMS). For more information, see Introduction to OOS and What is Key Management Service?

You can perform the following operations to restrict a RAM user from running Cloud Assistant commands as the root user or system user.

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. Create a RAM user. For more information, see Create a RAM user.

    The following parameters and example values are required to create a RAM user.

    • Logon Name: commandUser

    • Display Name: commandUser

    • Access Mode: You can use Cloud Assistant by using the Alibaba Cloud Management Console or by calling API operations. In this example, select Console Access and OpenAPI Access.

      Note: You can select an access mode based on your business requirements to conform to the principle of least privilege.

    • Set Logon Password: Select Automatically Regenerate Default Password.

    • Password Reset: Select Required at Next Logon.

    • Enable MFA: Select Not Required.

    After you create a RAM user, record the username, password, and AccessKey pair of the RAM user.

  3. Create policies that include permissions on Cloud Assistant and on KMS. For more information, see Create custom policies.

    • Policy that includes permissions on Cloud Assistant:

      Create a policy named commandUserPolicy to allow or deny users to run Cloud Assistant commands on ECS instances. The following section describes example policies. You can modify the policies based on your business requirements.

      • Policy that allows specific regular users, such as user01 and user02, to run Cloud Assistant commands on ECS instances:

        {
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "ecs:DescribeInstances",
                        "ecs:DescribeTagKeys",
                        "ecs:DescribeTags",
                        "ecs:CreateCommand",
                        "ecs:DescribeCommands",
                        "ecs:InvokeCommand",
                        "ecs:RunCommand",
                        "ecs:DeleteCommand",
                        "ecs:DescribeInvocations",
                        "ecs:DescribeInvocationResults",
                        "ecs:StopInvocation",
                        "ecs:DescribeCloudAssistantStatus",
                        "ecs:InstallCloudAssistant"
                    ],
                    "Resource": [
                        "acs:ecs:*:*:instance/*",
                        "acs:ecs:*:*:command/*"
                    ],
                    "Condition": {
                        "StringEquals": {
                            "ecs:CommandRunAs": [
                                "user01",
                                "user02"
                            ]
                        }
                    }
                }
            ],
            "Version": "1"
        }

        Note

        If you want to allow other users to run Cloud Assistant commands on ECS instances, you can modify or add usernames in the Condition element.

      • Policy that denies specific users, such as the root user or system user, from running Cloud Assistant commands on ECS instances. The policy allows the Cloud Assistant actions only when the ecs:CommandRunAs condition key is neither root nor system:

        {
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "ecs:DescribeInstances",
                        "ecs:DescribeTagKeys",
                        "ecs:DescribeTags",
                        "ecs:CreateCommand",
                        "ecs:DescribeCommands",
                        "ecs:InvokeCommand",
                        "ecs:RunCommand",
                        "ecs:DeleteCommand",
                        "ecs:DescribeInvocations",
                        "ecs:DescribeInvocationResults",
                        "ecs:StopInvocation",
                        "ecs:DescribeCloudAssistantStatus",
                        "ecs:InstallCloudAssistant"
                    ],
                    "Resource": [
                        "acs:ecs:*:*:instance/*",
                        "acs:ecs:*:*:command/*"
                    ],
                    "Condition": {
                        "StringNotEqualsIgnoreCase": {
                            "ecs:CommandRunAs": [
                                "system",
                                "root"
                            ]
                        }
                    }
                }
            ],
            "Version": "1"
        }

        Note

        If you want to deny other users from running Cloud Assistant commands on ECS instances, you can modify or add usernames in the Condition element.

    • Policy that includes permissions on KMS:

      Create a policy named kmsPolicy that contains the following content. For more information, see Use RAM to control access to KMS resources.

      {
        "Version": "1",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "kms:List*", "kms:Describe*",
              "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"
            ],
            "Resource": [
              "*"
            ]
          }
        ]
      }

  4. Grant permissions on ECS, OOS, Cloud Assistant, and KMS to the RAM user. For more information, see Grant permissions to a RAM user.

    Figure: Windows permissions

    • To grant the read-only permissions on ECS to the RAM user, select AliyunECSReadOnlyAccess on the System Policy tab.

    • To grant the read-only permissions on OOS to the RAM user, select AliyunOOSReadOnlyAccess on the System Policy tab.

    • To grant the permissions on Cloud Assistant to the RAM user, select the commandUserPolicy policy that you created in the previous step on the Custom Policy tab.

    • To grant the permissions on KMS to the RAM user, select the kmsPolicy policy that you created in the previous step on the Custom Policy tab.

  5. Configure a RAM role for the Windows instance.

    1. Create a policy. For more information, see Create custom policies.

      Example policy:

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "kms:GetSecretValue"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "oos:GetSecretParameter"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ]
      }

    2. Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud service.

      The following parameters and example values are required to create a RAM role.

      • Select Trusted Entity: Select Alibaba Cloud Service.

      • Role Type: Select Normal Service Role.

      • RAM Role Name: AxtSecretRamRole

      • Select Trusted Service: Select Elastic Compute Service from the drop-down list.

    3. Grant permissions to the RAM role. For more information, see Grant permissions to a RAM role.

    4. Attach the RAM role to the ECS instance. For more information, see Attach an instance RAM role to an ECS instance.

  6. Create encryption parameters in OOS to host the logon passwords for the Windows instance. For more information, see Create encryption parameters in Manage encryption parameters.

    Note

    The encryption parameters must be located in the same region as the ECS instance. Otherwise, the logon password for the ECS instance cannot be hosted in OOS.

    The following parameters and example values create an encryption parameter that hosts the password of a user. In this example, user01 is used.

    • Parameter Name: axtSecretPassword

    • KMS Key ID: Select Default Service CMK.

    • Value: The logon password for the Windows instance. In this example, enter the logon password of user01.

  7. Log on to the Alibaba Cloud Management Console as the RAM user.

  8. Run a Cloud Assistant command and verify the result. For more information, see Use the immediate execution feature.

    Run a Cloud Assistant command on the Windows instance and check whether the permission settings take effect.

    • The following figure shows the procedure that is performed in the ECS console. You must specify the username and password parameters.

      Figure: Create a Cloud Assistant command for the Windows instance

      user01 can run the Cloud Assistant command, and an error is reported when the system user runs the command.

    • The following figure shows the procedure that is performed by using the CLI. user01 can run the Cloud Assistant command, and an error is reported when the system user runs the command.

      Figure: Windows CLI execution result
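The two commandUserPolicy variants shown in step 3 of the Linux procedure and step 3 of the Windows procedure differ only in their Condition element, and that difference decides what a root or system run-as request gets. The following Python model is an example added here; it is not code from Alibaba Cloud or from the RAM service. It evaluates ecs:RunCommand requests against the page's two policies under the usual RAM decision rule (an explicit Deny overrides any Allow, any Allow overrides the implicit deny). The condition-operator semantics, the wildcard matching, the account and instance IDs, and the two extra policies BROAD_ALLOW and EXPLICIT_DENY_POLICY are assumptions constructed for the example; how the real RAM engine treats a request in which ecs:CommandRunAs is absent is also an assumption, so confirm it with the verification step above.

```python
"""Minimal RAM-style policy evaluator (added example, not Alibaba Cloud code).

Models only what the page's policies need: Action/Resource wildcard matching,
the String* condition operators used on the page, and the decision rule
"explicit Deny wins, otherwise any Allow wins, otherwise implicit deny".
"""
import fnmatch

ASSIST_ACTIONS = [
    "ecs:DescribeInstances", "ecs:DescribeTagKeys", "ecs:DescribeTags",
    "ecs:CreateCommand", "ecs:DescribeCommands", "ecs:InvokeCommand",
    "ecs:RunCommand", "ecs:DeleteCommand", "ecs:DescribeInvocations",
    "ecs:DescribeInvocationResults", "ecs:StopInvocation",
    "ecs:DescribeCloudAssistantStatus", "ecs:InstallCloudAssistant",
]
ASSIST_RESOURCES = ["acs:ecs:*:*:instance/*", "acs:ecs:*:*:command/*"]

# Variant 1 from the page: allow only when the command runs as user01 or user02.
ALLOWLIST_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ASSIST_ACTIONS, "Resource": ASSIST_RESOURCES,
    "Condition": {"StringEquals": {"ecs:CommandRunAs": ["user01", "user02"]}}}]}

# Variant 2 from the page: allow when the run-as user is anything but system/root.
NOT_ROOT_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ASSIST_ACTIONS, "Resource": ASSIST_RESOURCES,
    "Condition": {"StringNotEqualsIgnoreCase": {"ecs:CommandRunAs": ["system", "root"]}}}]}

# Hypothetical (not on the page): an unconditional ecs:* grant, as a broad
# system policy attached to the same RAM user would provide.
BROAD_ALLOW = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": "ecs:*", "Resource": "*"}]}

# Hypothetical (not on the page): an explicit Deny keyed on ecs:CommandRunAs,
# which blocks root/system runs regardless of other Allow statements.
EXPLICIT_DENY_POLICY = {"Version": "1", "Statement": [{
    "Effect": "Deny", "Action": ["ecs:RunCommand", "ecs:InvokeCommand"],
    "Resource": ASSIST_RESOURCES,
    "Condition": {"StringEqualsIgnoreCase": {"ecs:CommandRunAs": ["system", "root"]}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """All operator/key pairs must hold. Absent-key handling is an assumption."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            expected = _as_list(expected)
            lowered = [e.lower() for e in expected]
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringEqualsIgnoreCase":
                ok = actual is not None and actual.lower() in lowered
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "StringNotEqualsIgnoreCase":
                ok = actual is None or actual.lower() not in lowered
            else:
                raise ValueError(f"unsupported operator {operator}")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def run_command_decision(policies, run_as):
    """Decision for ecs:RunCommand on a constructed instance ARN, run as `run_as`."""
    context = {} if run_as is None else {"ecs:CommandRunAs": run_as}
    # Constructed region, account ID and instance ID; placeholders only.
    resource = "acs:ecs:cn-hangzhou:123456789012:instance/i-example"
    return evaluate(policies, "ecs:RunCommand", resource, context)


if __name__ == "__main__":
    for label, policies in [("allowlist", [ALLOWLIST_POLICY]),
                            ("not-root", [NOT_ROOT_POLICY]),
                            ("not-root + broad", [NOT_ROOT_POLICY, BROAD_ALLOW]),
                            ("not-root + broad + deny",
                             [NOT_ROOT_POLICY, BROAD_ALLOW, EXPLICIT_DENY_POLICY])]:
        for user in ("user01", "root"):
            print(f"{label:26} run as {user:7} -> {run_command_decision(policies, user)}")
```

The third case is the check worth running before relying on the second variant: that policy only grants, so if the same RAM user also holds an unconditional ecs:* allow, a run as root is still allowed; the fourth case shows that an Effect Deny statement keyed on ecs:CommandRunAs is what closes that gap. The first variant, which lists the permitted users explicitly, needs no such addition because a root request simply matches no Allow.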