In scenarios where multiple users simultaneously access resources, you can create multiple RAM users and grant the RAM users permissions based on their roles so that different RAM users can access and manage different resources. This can improve management efficiency and reduce the risk of information leaks. This topic describes how to create a RAM user and attach a policy to the RAM user to control access to Elastic Compute Service (ECS) resources.
Procedure
- Create a RAM user.
- Optional: Create a custom policy.
  Alibaba Cloud provides system policies that allow RAM users to access ECS resources. For more information, see Example system policies. If system policies cannot meet your requirements, you can create custom policies. For more information, see Create a custom policy.
  If you set Configuration Mode to Script when you create a custom policy on the Create Custom Policy page in the Resource Access Management (RAM) console, you must specify the Action and Resource parameters in Statement. For information about the values of these parameters, see Authentication rules. For information about the values of other parameters, see Policy structure and syntax.
  - The following sample policy created by using the code editor allows a RAM user to create pay-as-you-go ECS instances:
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecs:DescribeImages",
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches",
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeKeyPairs",
            "ecs:DescribeTags",
            "ecs:RunInstances"
          ],
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  - The following sample policy created by using the code editor allows a RAM user to create subscription ECS instances. The bss-related API operations are called to query and pay for subscription orders; the corresponding system policy is AliyunBSSOrderAccess.
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecs:DescribeImages",
            "vpc:DescribeVpcs",
            "vpc:DescribeVSwitches",
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeKeyPairs",
            "ecs:DescribeTags",
            "ecs:RunInstances",
            "bss:DescribeOrderList",
            "bss:DescribeOrderDetail",
            "bss:PayOrder",
            "bss:CancelOrder"
          ],
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
  - The following sample policy created by using the code editor allows a RAM user to query instance and disk information after the user creates an ECS instance:
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecs:DescribeInstances",
            "ecs:DescribeDisks"
          ],
          "Resource": "*"
        }
      ],
      "Version": "1"
    }
- Attach the policy to the RAM user to grant the user permissions to access ECS resources.
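The following added example (not part of this topic or of the RAM service itself) shows how a Statement with Effect, Action and Resource is evaluated before you attach a custom policy: an explicit Deny wins, an Allow is otherwise required, and anything unmatched is denied. It also lists the actions a policy grants with Resource "*", which is the first thing to review when narrowing a policy. The sample policy is the pay-as-you-go policy from this topic; the ARN-style resource strings in the usage lines are constructed assumptions used only to exercise the matcher.

```python
import re

# Constructed sample: the pay-as-you-go policy shown in this topic.
SAMPLE_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeImages", "vpc:DescribeVpcs", "vpc:DescribeVSwitches",
                "ecs:DescribeSecurityGroups", "ecs:DescribeKeyPairs",
                "ecs:DescribeTags", "ecs:RunInstances",
            ],
            "Resource": "*",
        }
    ],
    "Version": "1",
}

def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def _matches(pattern, candidate):
    """Match a policy value against a request value; '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, candidate) is not None

def _statement_applies(stmt, action, resource):
    return (any(_matches(a, action) for a in _as_list(stmt["Action"]))
            and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))

def is_allowed(policy, action, resource):
    """Evaluate one request: Deny overrides Allow, and the default is deny."""
    if policy.get("Version") != "1":
        raise ValueError("unsupported policy Version")
    decision = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            decision = True
    return decision

def unscoped_actions(policy):
    """Audit helper: actions granted on Resource "*" (no resource scoping)."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Allow" and "*" in _as_list(stmt["Resource"]):
            found.update(_as_list(stmt["Action"]))
    return sorted(found)
```

Running `unscoped_actions(SAMPLE_POLICY)` on the sample returns all seven actions, which is expected for Describe operations but worth reconsidering for ecs:RunInstances.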
What to do next
After permissions are granted to the RAM user, the permissions immediately take effect. The RAM user can log on to the RAM console to manage the applicable resources. For more information, see Log on to the console as a RAM user.