
Elastic Compute Service:Control access to resources by using RAM users

Last Updated:Mar 29, 2024

When multiple people need to work with the resources of one Alibaba Cloud account, create a Resource Access Management (RAM) user for each of them and grant each RAM user only the permissions that its role requires, instead of sharing the credentials of the Alibaba Cloud account. This controls who can access which resources, simplifies management, and reduces the risk of credential and information leakage. This topic describes how to create a RAM user and attach policies to the RAM user to control access to Elastic Compute Service (ECS) resources.

Procedure

  1. Create a RAM user.

    For more information, see Create a RAM user.

  2. (Optional) Create a custom policy.

    Alibaba Cloud provides system policies that grant permissions to access ECS resources. For more information, see Example system policies. If system policies do not meet your business requirements, create a custom policy. For more information, see Create custom policies.

    To create a custom policy by writing the policy document yourself, choose RAM > Permissions > Policies in the left-side navigation pane of the RAM console, click Create Policy, and then click the JSON tab. Enter the policy document in the code editor. Every element of Statement must specify Effect, Action, and Resource. For the actions and resource formats that ECS supports, see Authentication rules. For the syntax of the parameters, see Policy syntax and structure. The examples below use "Resource": "*", which applies the allowed actions to every resource in the account; where an ECS API operation supports resource-level authorization, narrow Resource to the specific resources the user needs.

    • Example 1: A policy that allows a RAM user to create pay-as-you-go ECS instances. The Describe actions let the user list the images, VPCs, vSwitches, security groups, key pairs, and tags that RunInstances takes as parameters; without them the create-instance flow in the console cannot be completed:

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeImages",
                      "vpc:DescribeVpcs",
                      "vpc:DescribeVSwitches",
                      "ecs:DescribeSecurityGroups",
                      "ecs:DescribeKeyPairs",
                      "ecs:DescribeTags",
                      "ecs:RunInstances"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    • Example 2: A policy that allows a RAM user to create subscription ECS instances. Creating a subscription instance produces an order that must be paid, so the policy also grants the bss API operations used to query, pay for, and cancel orders. The corresponding system policy is AliyunBSSOrderAccess. Note that bss:PayOrder lets the RAM user pay orders from the account's balance, so grant it only to users who are allowed to incur charges:

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeImages",
                      "vpc:DescribeVpcs",
                      "vpc:DescribeVSwitches",
                      "ecs:DescribeSecurityGroups",
                      "ecs:DescribeKeyPairs",
                      "ecs:DescribeTags",
                      "ecs:RunInstances",
                      "bss:DescribeOrderList",
                      "bss:DescribeOrderDetail",
                      "bss:PayOrder",
                      "bss:CancelOrder"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
    • Example 3: A read-only policy that allows a RAM user to query instance and disk information, for example to verify an instance after it has been created:

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "ecs:DescribeInstances",
                      "ecs:DescribeDisks"
                  ],
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
  3. Attach the policy to the RAM user to grant the user permissions to access ECS resources. For more information, see Grant permissions to a RAM user.

    Note

    After permissions are granted to the RAM user, they take effect immediately. The RAM user can then log on to the Alibaba Cloud Management Console and manage the resources that the attached policies cover. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.
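Step 3 is where least privilege is actually decided, and the quickest way to check a custom policy before attaching it is to evaluate it offline against the requests the user should and should not be able to make. The following Python script is an added example and is not part of this page or of Alibaba Cloud's tooling. It implements the RAM decision rule (an explicit Deny overrides any Allow, and a request that matches no statement is implicitly denied) for a subset of the policy language, loads the Example 1 policy from this page, and adds a constructed hardened variant that denies ecs:RunInstances from outside an assumed office range (203.0.113.0/24, a documentation prefix). The ARN layout acs:ecs:region:account-id:instance/* and the set of supported condition operators are assumptions; the RAM service remains the authority on what a policy permits.

```python
"""Offline evaluator for a subset of Alibaba Cloud RAM policy semantics (added
example, not Alibaba Cloud code): explicit Deny beats Allow, no match is an
implicit deny; * and ? wildcards in Action/Resource; StringEquals,
StringNotEquals, StringLike, Bool, IpAddress and NotIpAddress conditions."""
import copy
import fnmatch
import ipaddress
import json

# Example 1 from the page: create pay-as-you-go instances, on any resource.
PAYG_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeImages", "vpc:DescribeVpcs", "vpc:DescribeVSwitches",
        "ecs:DescribeSecurityGroups", "ecs:DescribeKeyPairs", "ecs:DescribeTags",
        "ecs:RunInstances"
      ],
      "Resource": "*"
    }
  ]
}
""")

# Constructed variant: same grants, plus an explicit Deny so RunInstances only
# works from an assumed office range (203.0.113.0/24 is a documentation prefix).
HARDENED_POLICY = copy.deepcopy(PAYG_POLICY)
HARDENED_POLICY["Statement"].append({
    "Effect": "Deny",
    "Action": "ecs:RunInstances",
    "Resource": "*",
    "Condition": {"NotIpAddress": {"acs:SourceIp": ["203.0.113.0/24"]}},
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(patterns, value):
    # Action and Resource strings accept * and ? wildcards; match case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, context):
    """Every operator/key pair must hold; a negative operator holds when the key is absent."""
    for operator, pairs in (condition or {}).items():
        negative = operator in ("StringNotEquals", "NotIpAddress")
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            have = context.get(key)
            if have is None:
                if negative:
                    continue
                return False
            have = str(have)
            if operator in ("StringEquals", "StringNotEquals"):
                hit = have in wanted
            elif operator == "StringLike":
                hit = any(fnmatch.fnmatchcase(have, w) for w in wanted)
            elif operator == "Bool":
                hit = have.lower() in [w.lower() for w in wanted]
            elif operator in ("IpAddress", "NotIpAddress"):
                addr = ipaddress.ip_address(have)
                hit = any(addr in ipaddress.ip_network(w, strict=False) for w in wanted)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if hit == negative:      # positive operator without a hit, or negative with one
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (an explicit Deny matched) or 'ImplicitDeny' for one request."""
    context = context or {}
    if policy.get("Version") != "1":
        raise ValueError('RAM policies use "Version": "1"')
    allowed = False
    for stmt in policy["Statement"]:
        if not (_wild(stmt["Action"], action) and _wild(stmt.get("Resource", "*"), resource)
                and _condition_holds(stmt.get("Condition"), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # explicit Deny wins whatever else matched
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def broad_write_grants(policy):
    """Non-read actions that an unconditional Allow grants on Resource "*"; scope these first."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in _as_list(stmt.get("Resource", "*")):
            continue
        for action in _as_list(stmt["Action"]):
            name = action.split(":", 1)[-1].lower()   # "ecs:RunInstances" -> "runinstances"
            if not name.startswith(("describe", "list", "get")):
                findings.append(action)
    return findings
```

Calling evaluate(PAYG_POLICY, "ecs:DeleteInstance", "acs:ecs:cn-hangzhou:1234567890123456:instance/*") returns "ImplicitDeny", which confirms that Example 1 cannot be used to delete instances, while broad_write_grants(PAYG_POLICY) flags ecs:RunInstances as the one write action granted on every resource. A Deny with NotIpAddress also fires when the request context carries no acs:SourceIp at all, so the hardened variant fails closed rather than open.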

References

  • You can view the individual permissions of the RAM user and view the permissions that the RAM user inherits from its user group. For more information, see View the permissions of a RAM user.

  • If the RAM user no longer requires specific permissions or the RAM user leaves your organization, you can revoke the permissions from the RAM user. For more information, see Revoke permissions from a RAM user.

  • You can view the multi-factor authentication (MFA) methods that are supported by RAM users, MFA usage notes, and MFA limits. For more information, see What is multi-factor authentication?.

  • You can manage ActionTrail permissions of RAM users. You can create custom policies and attach them to the RAM users. Then, the RAM users can log on to the ActionTrail console and perform related operations. For more information, see Use RAM to manage ActionTrail permissions.