You can create custom policies to implement fine-grained permission control to meet your business requirements. The policies can ensure that only authorized team or department members can access and perform specific operations and implement fine-grained permission control in cross-cloud service scenarios. This topic provides actions and resources that are involved when you use Resource Access Management (RAM) to authorize team or department members, grant permissions to RAM users or roles, and implement tag-based authentication and cross-cloud service authorization in Elastic Compute Service (ECS). This helps you better understand how to configure these permissions.
Background information
If you already have permissions to access resources, skip this topic.
By default, Alibaba Cloud accounts and RAM users can manage ECS resources in the ECS console or by calling API operations. Specific permissions are required in the following scenarios:
A new RAM user does not have the required permissions to manage resources in your Alibaba Cloud account.
You want to access ECS resources from other Alibaba Cloud services or access other Alibaba Cloud services from ECS.
Before you can manage a resource that is under access control, you must be granted the required permissions on the resource and on the relevant API operations by the resource owner.
Before you can manage a resource that uses tag-based authentication, you must be granted the required permissions on the resource and on the relevant API operations by the resource owner.
When an Alibaba Cloud account requests access to ECS resources in your Alibaba Cloud account by calling ECS API operations, ECS instructs RAM to perform a permission check to ensure that the requester account has the required permissions. The required permissions vary based on the requested ECS resources and API operations. For more information, see What is RAM? and List of operations by function.
Custom policies
RAM allows you to manage user identities and resource access and operation permissions based on policies. A policy is a set of access permissions. Each policy includes a version number and one or more individual statements. Each statement includes the following elements: Effect, Action, Resource, and Condition. The Condition element is optional.
Tags can be used to identify, group, or classify resources for easy management.
You can use tags as conditions in RAM policies for fine-grained resource permission management. The following table describes the tag-based conditions in RAM policies.
| Tag-based authentication condition | Description |
| --- | --- |
| acs:RequestTag/${key} | Specifies that a specific tag must be included in each API request. If an API request does not include tag-related parameters, the |
| acs:ResourceTag/${key} | Specifies that a specific tag must be added to the specified resource. If an API request does not include a resource ID, the |
You can create a custom policy in the RAM console or by calling the CreatePolicy operation of RAM. The following code provides a sample custom policy. When you create a custom policy, edit the policy based on the JSON template. In the policy statements, set Action and Resource to the API operations and Alibaba Cloud Resource Name (ARN) values listed in the ARNs for API operations section, and set the keys in the Condition element as described in the Tag-based authentication of requests to different API operations section. For more information, see Control access to resources by using RAM users and Policy elements.
For more information about how to use tags for authentication, see Implement fine-grained access control by using tags.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:[ECS RAM Action]",
        "ecs:DescribeInstances"
      ],
      "Resource": [
        "[ECS RAM Action Resource]",
        "acs:ecs:$regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****"
      ],
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/${key}": "${value}"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:[ECS RAM Action]",
        "ecs:DescribeInstances"
      ],
      "Resource": [
        "[ECS RAM Action Resource]",
        "acs:ecs:$regionid:15619224785*****:instance/i-bp1bzvz55uz27hf*****"
      ],
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/${key}": "${value}"
        }
      }
    }
  ]
}
```
ARNs for API operations
The following table describes ECS API operations (Action) and the ARNs that correspond to them. For more information about the format of ARN, see Terms.
Instance
| Action | Resource | Description |
| --- | --- | --- |
| | | Creates a subscription or pay-as-you-go ECS instance. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Releases a pay-as-you-go instance or an expired subscription instance. |
| | | Queries the details of one or more ECS instances. |
| | acs:ecs:$regionid:$accountid:instance/* | Queries the status information of one or more ECS instances. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Queries the Virtual Network Computing (VNC) URL of an ECS instance. |
| | | Modifies the attributes of an ECS instance, such as the password, name, description, hostname, user data, and security groups. For a burstable instance, you can also change the performance mode. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Specifies or cancels the automatic release time for a pay-as-you-go ECS instance. If you set the automatic release time for an instance, the instance is automatically released at the specified time. Proceed with caution. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Changes the billing method for one or more instances. You can change the billing methods of instances between pay-as-you-go and subscription, or change the billing method of all data disks that are attached to an instance from pay-as-you-go to subscription. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Changes the web management terminal password of an ECS instance. |
| | acs:ecs:$regionid:$accountid: | Changes the instance type of your subscription instance. The new instance type takes effect for the remaining lifecycle of the instance. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Restarts an ECS instance that is in the Running state. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Renews a subscription ECS instance. |
| | | Creates one or more pay-as-you-go or subscription ECS instances. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Starts an instance. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Stops an instance. |
Elastic Block Storage (EBS) device
| Action | Resource | Description |
| --- | --- | --- |
| | | Creates one or more pay-as-you-go or subscription data disks. |
| | | Attaches a pay-as-you-go data disk to an ECS instance. |
| | | Queries one or more EBS devices that you have created, including cloud disks and local disks. |
| | acs:ecs:$regionid:$accountid:disk/$diskId | Modifies the attributes of one or more disks. |
| | acs:ecs:$regionid:$accountid:disk/$diskId | Rolls back a disk to a specific state by using a disk snapshot. |
| | acs:ecs:$regionid:$accountid:disk/$diskId | Resizes a cloud disk. You can resize a system disk or a data disk. |
| | | Replaces the system disk or operating system of an ECS instance. |
| | | Detaches a pay-as-you-go disk from an ECS instance. |
| | acs:ecs:$regionid:$accountid:disk/$diskId | Releases a pay-as-you-go data disk. |
Reserved instance
| Action | Resource | Description |
| --- | --- | --- |
| | acs:ecs:$regionid:$accountid:reservedinstance | Purchases a reserved instance. |
| | acs:ecs:$regionid:$accountid:reservedinstance | Queries purchased reserved instances. |
| | acs:ecs:$regionid:$accountid:reservedinstance | Splits, merges, or modifies reserved instances. |
Image
| Action | Resource | Description |
| --- | --- | --- |
| | | Creates a custom image. |
| | acs:ecs:$regionid:$accountid:image/* | Imports an existing image to ECS. The imported image appears as a custom image in the destination region. |
| | | Copies a custom image from one region to another region. |
| | acs:ecs:$regionid:$accountid:image/$imageNo | Cancels an ongoing image copy task. |
| | acs:ecs:$regionid:$accountid:image/$imageNo | Exports a custom image to an Object Storage Service (OSS) bucket in the same region. |
| | | Queries available images. |
| | acs:ecs:$regionid:$accountid:image/$imageNo | Changes the name or modifies the description of a custom image. |
| | acs:ecs:$regionid:$accountid:image/$imageNo | Deletes a custom image. |
Snapshot
| Action | Resource | Description |
| --- | --- | --- |
| | | Creates a snapshot for a cloud disk. |
| | | Queries all snapshots of an ECS instance or a cloud disk. |
| | acs:ecs:$regionid:$accountid:snapshot/$snapshotId | Modifies the name or description of a snapshot. |
| | acs:ecs:$regionid:$accountid:snapshot/$snapshotId | Deletes a snapshot. |
| | acs:ecs:*:$accountid:snapshot/* | Creates an automatic snapshot policy. |
| | acs:ecs:*:$accountid:snapshot/* | Disables an automatic snapshot policy for one or more cloud disks. |
| | | Queries the snapshot chains of one or more cloud disks. |
| | acs:ecs:*:$accountid:snapshot/* | Deletes an automatic snapshot policy. |
| | acs:ecs:*:$accountid:snapshot/* | Applies an automatic snapshot policy to one or more cloud disks or changes the existing automatic snapshot policy of the disks. |
Security group
| Action | Resource | Description |
| --- | --- | --- |
| | acs:ecs:$regionid:$accountid:securitygroup/* | Creates a security group. By default, a new security group allows mutual access between instances within the security group. Access requests to the security group from outside the group are denied. If you want to allow requests from the Internet or requests from instances within other security groups, you can call the AuthorizeSecurityGroup operation. |
| | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Adds an inbound rule to a security group. |
| | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Adds an outbound rule to a security group. |
| | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Deletes an inbound security group rule. After the rule is deleted, the access control implemented by the rule is removed. |
| | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Deletes an outbound security group rule. After the rule is deleted, the access control implemented by the rule is removed. |
| | | Adds an ECS instance to a security group. |
| | | Removes an ECS instance from a security group. |
| | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Queries the rules of a security group. |
| | | Queries the basic information about security groups. |
| | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Changes the name or modifies the description of a security group. |
| | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Modifies the inbound rules of a security group. |
| | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Modifies the outbound rules of a security group. |
| | acs:ecs:$regionid:$accountid:securitygroup/$groupNo | Deletes a security group. |
Deployment set
| Action | Resource | Description |
| --- | --- | --- |
| | acs:ecs:{#regionId}:{#accountId}:deploymentset/* | Creates a deployment set. |
| | acs:ecs:{#regionId}:{#accountId}:deploymentset/{#deploymentSetId} | Changes the name or modifies the description of a deployment set. |
| | acs:ecs:{#regionId}:{#accountId}:deploymentset/{#deploymentSetId} | Deletes a deployment set. |
| | acs:ecs:{#regionId}:{#accountId}:deploymentset/{#deploymentSetId} | Queries the attributes of one or more deployment sets. |
SSH key pair
| Action | Resource | Description |
| --- | --- | --- |
| | acs:ecs:$regionid:$accountid:keypair/* | Creates an SSH key pair. |
| | acs:ecs:$regionid:$accountid:keypair/* | Imports the public key of an RSA-encrypted key pair that is created by using a third-party tool. After the key pair is imported, Alibaba Cloud stores the public key. You must store the private key in a secure location. |
| | | Queries one or more SSH key pairs. |
| | | Binds an SSH key pair to one or more Linux ECS instances. |
| | | Unbinds an SSH key pair from one or more Linux instances. |
| | acs:ecs:$regionid:$accountid:keypair/$keyPairName | Deletes one or more SSH key pairs. |
Network
| Action | Resource | Description |
| --- | --- | --- |
| | | Modifies the virtual private cloud (VPC) attributes of an ECS instance. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Assigns a public IP address to an ECS instance. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Converts the public IP address of an ECS instance that resides in a VPC into an elastic IP address (EIP). |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Establishes a ClassicLink connection between an ECS instance of the classic network type and a VPC to allow the instance to communicate with resources in the VPC over the internal network. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Removes the ClassicLink connection between an ECS instance of the classic network type and a VPC. |
| | acs:ecs:$regionid:$accountid:instance/* | Queries one or more instances of the classic network type that have established ClassicLink connections to VPCs. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Modifies the bandwidth configurations of an ECS instance. |
O&M and monitoring
| Action | Resource | Description |
| --- | --- | --- |
| | acs:ecs:*:$accountid:snapshot/* | Queries the monitoring data of changes in snapshot sizes in a region over the last 30 days. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Queries the monitoring information of an ECS instance. |
Tag
| Action | Resource | Description |
| --- | --- | --- |
| | acs:ecs:$regionid:$accountid:$resourceType/$resourceId | Creates and adds tags to ECS resources. |
| | acs:ecs:$regionid:$accountid:$resourceType/$resourceId | Queries tags that are added to one or more ECS resources. |
| | acs:ecs:$regionid:$accountid:$resourceType/$resourceId | Removes tags from a group of ECS instances and deletes the tags. |
Price inquiry
| Action | Resource | Description |
| --- | --- | --- |
| | acs:ecs:*:$accountid:* | Queries the most recent prices of ECS resources. |
| | acs:ecs:$regionid:$accountid:instance/$instanceId | Queries the renewal prices of ECS resources. Only the renewal prices of subscription resources can be queried. |
Tag-based authentication of requests to different API operations
After policies that contain tag-based conditions are attached to a RAM user, requests made by the RAM user to API operations are authenticated based on the tags specified in the policy conditions. The following table describes various cases in which requests to different API operations are authenticated based on tags.
| API operation | Description |
| --- | --- |
| Operations used to create resources, such as RunInstances and CreateDisk | You do not need to specify resource IDs in API requests. If no resource IDs are specified in API requests, the requests are matched against the |
| Operations used to query resources, such as DescribeInstances and DescribeDisks | You can specify resource IDs in API requests based on your business requirements. API requests are matched against the Note: For API operations that are used to query resources, the system returns an empty result and does not report an error if authentication fails. |
| Operations used to modify resources, such as ModifyInstanceAttribute and ModifyDiskAttribute | You must specify resource IDs in requests. Then, the requests are matched against the |
| Operations used to manage resources, such as StartInstance, RebootInstance, and StopInstance | You must specify resource IDs in requests. Then, the requests are matched against the |
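The two condition keys used in the sample custom policy (acs:RequestTag and acs:ResourceTag) and the per-operation matching cases in the table above can be exercised with a small policy evaluator. This is an added example, not code from the original page or from RAM itself: it is a simplified model of RAM's evaluation (deny by default, explicit Deny overrides Allow, wildcard matching on Action and Resource) over a constructed policy whose region, account ID, tag values and DeleteInstance Deny statement are placeholders.

```python
import fnmatch

# Constructed sample policy in the page's format; region, account ID and tag
# values are placeholders, not real resources.
POLICY = {
    "Version": "1",
    "Statement": [
        {   # Creation requests carry no resource ID: authorize on the request tag.
            "Effect": "Allow",
            "Action": ["ecs:RunInstances", "ecs:CreateDisk"],
            "Resource": ["acs:ecs:cn-hangzhou:1234567890123456:*"],
            "Condition": {"StringEquals": {"acs:RequestTag/team": "payments"}},
        },
        {   # Query and manage requests name a resource: authorize on its tag.
            "Effect": "Allow",
            "Action": ["ecs:DescribeInstances", "ecs:StartInstance", "ecs:StopInstance"],
            "Resource": ["acs:ecs:cn-hangzhou:1234567890123456:instance/*"],
            "Condition": {"StringEquals": {"acs:ResourceTag/team": "payments"}},
        },
        {   # Hypothetical explicit Deny; it overrides any Allow, as in RAM.
            "Effect": "Deny",
            "Action": ["ecs:DeleteInstance"],
            "Resource": ["*"],
        },
    ],
}


def condition_holds(condition, request_tags, resource_tags):
    """StringEquals over acs:RequestTag/<key> and acs:ResourceTag/<key> entries."""
    for key, expected in condition.get("StringEquals", {}).items():
        prefix, _, tag_key = key.partition("/")
        tags = {"acs:RequestTag": request_tags, "acs:ResourceTag": resource_tags}.get(prefix)
        # A missing tag (or unknown condition key) never satisfies StringEquals,
        # so the statement simply does not apply to this request.
        if tags is None or tags.get(tag_key) != expected:
            return False
    return True


def is_allowed(policy, action, resource, request_tags=None, resource_tags=None):
    """Simplified RAM evaluation: deny by default, explicit Deny beats Allow."""
    request_tags, resource_tags = request_tags or {}, resource_tags or {}
    verdicts = set()
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            continue
        if condition_holds(stmt.get("Condition", {}), request_tags, resource_tags):
            verdicts.add(stmt["Effect"])
    return "Allow" in verdicts and "Deny" not in verdicts
```

Note that a request tag never satisfies a ResourceTag condition and vice versa, which is why a StartInstance call on an untagged instance is denied even when the caller supplies the right tag in the request.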